From b89f13ced102c1010ce1425ad4108e62f8ac9281 Mon Sep 17 00:00:00 2001
From: Shuyang Xin
Date: Thu, 9 Jun 2022 10:59:05 +0800
Subject: [PATCH] Revert "multicast: make igmp query interval configurable (#3819)"

This reverts commit 6d3036bab5c074cd22d76034578fff8f8789f8dc.

Signed-off-by: Shuyang Xin
---
 build/charts/antrea/README.md | 3 +-
 build/charts/antrea/conf/antrea-agent.conf | 15 +-
 build/charts/antrea/values.yaml | 10 +-
 build/yamls/antrea-aks.yml | 2444 +++++++++++++++++-
 build/yamls/antrea-eks.yml | 2444 +++++++++++++++++-
 build/yamls/antrea-gke.yml | 2444 +++++++++++++++++-
 build/yamls/antrea-ipsec.yml | 1905 +++++++++++++-
 build/yamls/antrea.yml | 2444 +++++++++++++++++-
 cmd/antrea-agent/agent.go | 5 +-
 cmd/antrea-agent/options.go | 24 -
 hack/generate-manifest.sh | 2 +-
 pkg/agent/multicast/mcast_controller.go | 48 +-
 pkg/agent/multicast/mcast_controller_test.go | 7 +-
 pkg/agent/multicast/mcast_discovery.go | 22 +-
 pkg/config/agent/config.go | 14 +-
 test/e2e/framework.go | 2 +-
 16 files changed, 11322 insertions(+), 511 deletions(-)

diff --git a/build/charts/antrea/README.md b/build/charts/antrea/README.md
index 0506a97cec2..37920694068 100644
--- a/build/charts/antrea/README.md
+++ b/build/charts/antrea/README.md
@@ -80,8 +80,7 @@ Kubernetes: `>= 1.16.0-0`
 | ipsec.psk | string | `"changeme"` | Preshared Key (PSK) for IKE authentication. It will be stored in a secret and passed to antrea-agent as an environment variable. |
 | kubeAPIServerOverride | string | `""` | Address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. |
 | logVerbosity | int | `0` | |
-| multicast.igmpQueryInterval | string | `"125s"` | The interval at which the antrea-agent sends IGMP queries to Pods. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". |
-| multicast.multicastInterfaces | list | `[]` | Names of the interfaces on Nodes that are used to forward multicast traffic. |
+| multicastInterfaces | list | `[]` | Names of the interfaces on Nodes that are used to forward multicast traffic. |
 | noSNAT | bool | `false` | Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. |
 | nodeIPAM.clusterCIDRs | list | `[]` | CIDR ranges to use when allocating Pod IP addresses. |
 | nodeIPAM.enable | bool | `false` | Enable Node IPAM in Antrea |
diff --git a/build/charts/antrea/conf/antrea-agent.conf b/build/charts/antrea/conf/antrea-agent.conf
index 0527661c0eb..3d96227a66f 100644
--- a/build/charts/antrea/conf/antrea-agent.conf
+++ b/build/charts/antrea/conf/antrea-agent.conf
@@ -225,19 +225,12 @@ tlsMinVersion: {{ .Values.tlsMinVersion | quote }}
 # 3. The Node IP
 transportInterface: {{ .Values.transportInterface | quote }}
 
-multicast:
-{{- with .Values.multicast }}
 # The names of the interfaces on Nodes that are used to forward multicast traffic.
 # Defaults to transport interface if not set.
-  multicastInterfaces:
-  {{- with .multicastInterfaces }}
-  {{- toYaml . | nindent 4 }}
-  {{- end }}
-
-# The interval at which the antrea-agent sends IGMP queries to Pods.
-# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
-  igmpQueryInterval: {{ .igmpQueryInterval | quote }}
-{{- end}}
+multicastInterfaces:
+{{- with .Values.multicastInterfaces }}
+{{- toYaml . | nindent 2 }}
+{{- end }}
 
 # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across
 # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The
diff --git a/build/charts/antrea/values.yaml b/build/charts/antrea/values.yaml
index b4a1b90bf67..3f1c2b3feba 100644
--- a/build/charts/antrea/values.yaml
+++ b/build/charts/antrea/values.yaml
@@ -33,14 +33,8 @@ transportInterface: ""
 # -- Network CIDRs of the interface on Node which is used for tunneling or
 # routing the traffic across Nodes.
 transportInterfaceCIDRs: []
-
-multicast:
-  # -- Names of the interfaces on Nodes that are used to forward multicast traffic.
-  multicastInterfaces: []
-  # -- The interval at which the antrea-agent sends IGMP queries to Pods.
-  # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
-  igmpQueryInterval: "125s"
-
+# -- Names of the interfaces on Nodes that are used to forward multicast traffic.
+multicastInterfaces: []
 # -- Default MTU to use for the host gateway interface and the network interface
 # of each Pod. By default, antrea-agent will discover the MTU of the Node's
 # primary interface and adjust it to accommodate for tunnel encapsulation
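Review bot: The `multicastInterfaces:` template block restored at the end of this hunk should translate into only a handful of changed lines in each generated build/yamls manifest, yet the diffstat shows roughly +2444 lines for antrea-aks.yml, antrea-eks.yml, antrea-gke.yml and antrea.yml, and the visible antrea-aks.yml hunk re-adds whole CRD definitions (clusternetworkpolicies, egresses, externalippools, ...) that have nothing to do with multicast. That suggests the manifests were regenerated from a chart state other than the one the reverted commit left behind, so this "revert" would ship manifest content that is not the inverse of #3819 and is hard to audit. I would regenerate with hack/generate-manifest.sh from a clean checkout and confirm that each build/yamls hunk mirrors only this template change before merging. The template block itself looks right: an empty `.Values.multicastInterfaces` renders a bare `multicastInterfaces:` key, which is the "not set" case the comment above it describes.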
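Review bot: The helm-docs comment on the restored `multicastInterfaces: []` line omits the fallback that the agent config template in this same commit documents ("Defaults to transport interface if not set"), so the README row generated from it does not tell chart users what the default empty list actually does. I would extend it to `# -- Names of the interfaces on Nodes that are used to forward multicast traffic. Defaults to the transport interface if not set.` and regenerate the README. The removed `igmpQueryInterval` default is no longer surfaced anywhere in the chart after this hunk; if the agent keeps a built-in interval, a one-line mention of that in the comment would save operators a trip to the source.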
diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
index 0957b19a79c..f789969d7d7 100644
--- a/build/yamls/antrea-aks.yml
+++ b/build/yamls/antrea-aks.yml
@@ -54,6 +54,2368 @@ metadata: namespace: kube-system labels: app: antrea + name: clusternetworkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - acnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: 
string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + to: + items: + properties: + fqdn: + type: string + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: 
object + namespaces: + properties: + match: + type: string + type: object + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: 
^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + enum: + - Self + type: string + type: object + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: 
+ x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: egresses.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Egress + plural: egresses + shortNames: + - eg + singular: egress + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. + jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + properties: + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: 
^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + egressIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + externalIPPool: + type: string + required: + - appliedTo + type: object + status: + properties: + egressNode: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - ee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalippools.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalIPPool + plural: externalippools + shortNames: + - eip + singular: externalippool + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: 
.metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + ipRanges: + items: + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + format: cidr + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + type: object + type: array + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - ipRanges + - nodeSelector + type: object + status: + properties: + usage: + properties: + total: + type: integer + used: + type: integer + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: ippools.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: IPPool + plural: ippools + shortNames: + - ipp + singular: ippool + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + vlan: + maximum: 4094 + minimum: 0 + type: integer + type: object + type: array + ipVersion: + type: integer 
+ required: + - ipVersion + - ipRanges + type: object + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + containerID: + type: string + ifName: + type: string + name: + type: string + namespace: + type: string + type: object + statefulSet: + properties: + index: + type: integer + name: + type: string + namespace: + type: string + type: object + type: object + phase: + type: string + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - anp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + fqdn: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string 
+ type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + 
properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + 
type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Tier + plural: tiers + shortNames: + - tr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Traceflow + plural: traceflows + shortNames: + - tf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. + jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - description: Trace live traffic. 
+ jsonPath: .spec.liveTraffic + name: Live-Traffic + priority: 10 + type: boolean + - description: Capture only the dropped packet. + jsonPath: .spec.droppedOnly + name: Dropped-Only + priority: 10 + type: boolean + - description: Timeout in seconds. + jsonPath: .spec.timeout + name: Timeout + priority: 10 + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + droppedOnly: + type: boolean + liveTraffic: + type: boolean + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + type: object + timeout: + type: integer + type: object + status: + properties: + capturedPacket: + properties: + dstIP: + type: string + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + length: + type: integer + srcIP: + type: string + transportHeader: + properties: + 
icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + startTime: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-agent + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-controller + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-clustergroups-edit +rules: +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: 
aggregate-antrea-clustergroups-view +rules: +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-policies-edit +rules: +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-policies-view +rules: +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-traceflows-edit +rules: +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-traceflows-view +rules: +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antctl +rules: +- apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - list +- apiGroups: + - stats.antrea.io + resources: + - networkpolicystats + - antreaclusternetworkpolicystats + - antreanetworkpolicystats + verbs: + - get 
+ - list +- apiGroups: + - system.antrea.io + resources: + - controllerinfos + - agentinfos + verbs: + - get +- apiGroups: + - system.antrea.io + resources: + - supportbundles + verbs: + - get + - post +- apiGroups: + - system.antrea.io + resources: + - supportbundles/download + verbs: + - get +- nonResourceURLs: + - /agentinfo + - /addressgroups + - /appliedtogroups + - /loglevel + - /networkpolicies + - /ovsflows + - /ovstracing + - /podinterfaces + - /featuregates + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-agent +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - nodes/status + verbs: + - patch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - pods/status + verbs: + - patch +- apiGroups: + - "" + resources: + - endpoints + - services + - namespaces + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - services/status + verbs: + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.io + resources: + - egressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.io + resources: + - nodestatssummaries + verbs: + - create +- apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies/status + verbs: + - create + - get +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - "" + 
resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - egresses/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - ippools/status + verbs: + - update +- apiGroups: + - k8s.cni.cncf.io + resources: + - network-attachment-definitions + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-cluster-identity-reader +rules: +- apiGroups: + - "" + resourceNames: + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-controller +rules: +- apiGroups: + - "" + resources: + - pods + - services + - namespaces + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - services/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - watch + - list +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - update +- apiGroups: + - "" + 
resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1alpha1.stats.antrea.io + - v1beta1.system.antrea.io + - v1beta2.controlplane.antrea.io + resources: + - apiservices + verbs: + - get + - update +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1beta1.networking.antrea.tanzu.vmware.com + - v1beta1.controlplane.antrea.tanzu.vmware.com + - v1alpha1.stats.antrea.tanzu.vmware.com + - v1beta1.system.antrea.tanzu.vmware.com + - v1beta2.controlplane.antrea.tanzu.vmware.com + resources: + - apiservices + verbs: + - delete +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - labelsmutator.antrea.io + - crdmutator.antrea.io + - crdvalidator.antrea.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - update +- apiGroups: + - crd.antrea.io + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - externalentities + 
- clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list + - update + - patch +- apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - externalippools/status + - ippools/status + verbs: + - update +- apiGroups: + - apps + resources: + - statefulsets + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antctl +subjects: +- kind: ServiceAccount + name: antctl + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: +- kind: ServiceAccount + name: antrea-agent + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: +- kind: ServiceAccount + name: antrea-controller + namespace: kube-system +--- +apiVersion: v1 data: antrea-agent.conf: | # FeatureGates is a map of feature names to bools that enable or disable experimental features. 
@@ -108,9 +2470,6 @@ data: # Enable mirroring or redirecting the traffic Pods send or receive. # TrafficControl: false - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - # Name of the OpenVSwitch bridge antrea-agent will create and use. # Make sure it doesn't conflict with your existing OpenVSwitch bridges. ovsBridge: "br-int" @@ -173,11 +2532,6 @@ data: # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. enableBridgingMode: false - # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the - # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. - # It affects Pods running on Linux Nodes only. - disableTXChecksumOffload: false - # Default MTU to use for the host gateway interface and the network interface of each Pod. # If omitted, antrea-agent will discover the MTU of the Node's primary interface and # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). @@ -315,14 +2669,6 @@ data: # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. proxyLoadBalancerIPs: true - - # IPsec tunnel related configurations. - ipsec: - # The authentication mode of IPsec tunnel. It has the following options: - # - psk (default): Use pre-shared key (PSK) for IKE authentication. - # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` - # feature gate to be enabled. - authenticationMode: "psk" antrea-cni.conflist: | { "cniVersion":"0.3.0", 
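Review bot: The three hunks on this line delete the `IPsecCertAuth` feature-gate comment, the `disableTXChecksumOffload` option and the entire `ipsec.authenticationMode` block from the agent ConfigMap, none of which has anything to do with the multicast IGMP query-interval setting this revert is meant to undo. The hunk offsets (old line 108 landing at new line 2470) also show roughly 2,360 lines being prepended to the manifest, consistent with the CRD/ServiceAccount/ClusterRole copy added above that carries none of the `# Source: antrea/templates/...` comments the rest of the file has, so the file appears to define the same cluster-scoped resources twice. This looks like the manifest was regenerated from a stale chart rather than from the reverted tree; regenerate it with the manifest generator on the current tree and confirm the only change in this file is the `multicast` section of `antrea-agent.conf`.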
@@ -374,9 +2720,6 @@ data: # Enable managing external IPs of Services of LoadBalancer type. # ServiceExternalIP: false - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - # The port for the antrea-controller APIServer to serve on. # Note that if it's set to another value, the `containerPort` of the `api` port of the # `antrea-controller` container must be set to the same value. @@ -418,20 +2761,6 @@ data: # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. nodeCIDRMaskSizeIPv6: 64 - - ipsecCSRSigner: - # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. - # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions - # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, - # the Pod identity will also be validated to provide maximum security. - # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved - # manually by `kubectl certificate approve`. - autoApprove: true - # Indicates whether to use auto-generated self-signed CA certificate. - # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: - # tls.crt: - # tls.key: - selfSignedCA: true --- # Source: antrea/templates/crds/antreaagentinfo.yaml apiVersion: apiextensions.k8s.io/v1 @@ -3024,15 +5353,6 @@ rules: - get - list - watch - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - - get - - watch - - list - - create --- # Source: antrea/templates/antctl/clusterrole.yaml kind: ClusterRole 
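Review bot: The `@@ -3024,15 +5353,6 @@` hunk strips `get`/`watch`/`list`/`create` on `certificatesigningrequests` from the antrea-agent ClusterRole, and the `@@ -418,20 +2761,6 @@` hunk drops the `ipsecCSRSigner` settings (`autoApprove: true`, `selfSignedCA: true`) from the controller config, while the feature gate is only removed from the ConfigMap comments — so an operator who still sets `IPsecCertAuth: true` presumably ends up with an agent that lacks permission to submit its CSR. Nothing in these hunks relates to the IGMP query-interval change this revert is about. If pulling certificate-based IPsec out of the manifests is actually intended, it needs its own commit with matching code and RBAC changes; otherwise these hunks should be dropped from the revert.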
@@ -3194,26 +5514,14 @@ rules: - configmaps resourceNames: - antrea-ca - - antrea-ipsec-ca - antrea-cluster-identity verbs: - get - update - - apiGroups: - - "" - resources: - - secrets - resourceNames: - - antrea-ipsec-ca - verbs: - - get - - update - - watch - apiGroups: - "" resources: - configmaps - - secrets verbs: - create - apiGroups: @@ -3254,30 +5562,6 @@ rules: verbs: - get - update - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - - get - - list - - watch - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests/approval - - certificatesigningrequests/status - verbs: - - update - - apiGroups: - - certificates.k8s.io - resources: - - signers - resourceNames: - - antrea.io/antrea-agent-ipsec-tunnel - verbs: - - approve - - sign - apiGroups: - crd.antrea.io resources: @@ -3569,7 +5853,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 215e06b9ae507e0bf11e6da239908ee60b07bc419310825f504208e87815f0eb + checksum/config: 0cc20edc3fc882f0ea9bd3450fbab504858feeff47e1d3f09d8f6ebacd741dbe labels: app: antrea component: antrea-agent @@ -3809,7 +6093,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 215e06b9ae507e0bf11e6da239908ee60b07bc419310825f504208e87815f0eb + checksum/config: 0cc20edc3fc882f0ea9bd3450fbab504858feeff47e1d3f09d8f6ebacd741dbe labels: app: antrea component: antrea-controller diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml index aa2c7efdd6a..f2857e8d36c 100644 --- a/build/yamls/antrea-eks.yml +++ b/build/yamls/antrea-eks.yml 
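Review bot: The `@@ -3194` and `@@ -3254` hunks remove the controller's `get`/`update`/`watch` on the `antrea-ipsec-ca` Secret, its `create` on `secrets`, `update` on `certificatesigningrequests/approval` and `certificatesigningrequests/status`, and `approve`/`sign` on the `antrea.io/antrea-agent-ipsec-tunnel` signer — the permissions that gate automatic IPsec certificate issuance, a deliberate least-privilege boundary that is unrelated to the IGMP query interval being reverted. Because the manifest now also contains a second `antrea-controller` ClusterRole earlier in the file, the effective permissions after `kubectl apply` depend on which definition is applied last, which makes the RBAC posture of this file hard to audit. Regenerate the manifest from the current tree so the revert carries no RBAC changes; if removing cert-based IPsec is actually intended, review it separately together with the corresponding controller code.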
@@ -54,6 +54,2368 @@ metadata: namespace: kube-system labels: app: antrea + name: clusternetworkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - acnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: 
string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + to: + items: + properties: + fqdn: + type: string + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: 
object + namespaces: + properties: + match: + type: string + type: object + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: 
^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + enum: + - Self + type: string + type: object + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: 
+ x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: egresses.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Egress + plural: egresses + shortNames: + - eg + singular: egress + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. + jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + properties: + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: 
^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + egressIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + externalIPPool: + type: string + required: + - appliedTo + type: object + status: + properties: + egressNode: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - ee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalippools.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalIPPool + plural: externalippools + shortNames: + - eip + singular: externalippool + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: 
.metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + ipRanges: + items: + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + format: cidr + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + type: object + type: array + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - ipRanges + - nodeSelector + type: object + status: + properties: + usage: + properties: + total: + type: integer + used: + type: integer + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: ippools.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: IPPool + plural: ippools + shortNames: + - ipp + singular: ippool + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + vlan: + maximum: 4094 + minimum: 0 + type: integer + type: object + type: array + ipVersion: + type: integer 
+ required: + - ipVersion + - ipRanges + type: object + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + containerID: + type: string + ifName: + type: string + name: + type: string + namespace: + type: string + type: object + statefulSet: + properties: + index: + type: integer + name: + type: string + namespace: + type: string + type: object + type: object + phase: + type: string + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - anp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + fqdn: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string 
+ type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + 
properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + 
type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Tier + plural: tiers + shortNames: + - tr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Traceflow + plural: traceflows + shortNames: + - tf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. + jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - description: Trace live traffic. 
+ jsonPath: .spec.liveTraffic + name: Live-Traffic + priority: 10 + type: boolean + - description: Capture only the dropped packet. + jsonPath: .spec.droppedOnly + name: Dropped-Only + priority: 10 + type: boolean + - description: Timeout in seconds. + jsonPath: .spec.timeout + name: Timeout + priority: 10 + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + droppedOnly: + type: boolean + liveTraffic: + type: boolean + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + type: object + timeout: + type: integer + type: object + status: + properties: + capturedPacket: + properties: + dstIP: + type: string + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + length: + type: integer + srcIP: + type: string + transportHeader: + properties: + 
icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + startTime: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-agent + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-controller + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-clustergroups-edit +rules: +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: 
aggregate-antrea-clustergroups-view +rules: +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-policies-edit +rules: +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-policies-view +rules: +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-traceflows-edit +rules: +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-traceflows-view +rules: +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antctl +rules: +- apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - list +- apiGroups: + - stats.antrea.io + resources: + - networkpolicystats + - antreaclusternetworkpolicystats + - antreanetworkpolicystats + verbs: + - get 
+ - list +- apiGroups: + - system.antrea.io + resources: + - controllerinfos + - agentinfos + verbs: + - get +- apiGroups: + - system.antrea.io + resources: + - supportbundles + verbs: + - get + - post +- apiGroups: + - system.antrea.io + resources: + - supportbundles/download + verbs: + - get +- nonResourceURLs: + - /agentinfo + - /addressgroups + - /appliedtogroups + - /loglevel + - /networkpolicies + - /ovsflows + - /ovstracing + - /podinterfaces + - /featuregates + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-agent +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - nodes/status + verbs: + - patch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - pods/status + verbs: + - patch +- apiGroups: + - "" + resources: + - endpoints + - services + - namespaces + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - services/status + verbs: + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.io + resources: + - egressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.io + resources: + - nodestatssummaries + verbs: + - create +- apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies/status + verbs: + - create + - get +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - "" + 
resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - egresses/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - ippools/status + verbs: + - update +- apiGroups: + - k8s.cni.cncf.io + resources: + - network-attachment-definitions + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-cluster-identity-reader +rules: +- apiGroups: + - "" + resourceNames: + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-controller +rules: +- apiGroups: + - "" + resources: + - pods + - services + - namespaces + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - services/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - watch + - list +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - update +- apiGroups: + - "" + 
resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1alpha1.stats.antrea.io + - v1beta1.system.antrea.io + - v1beta2.controlplane.antrea.io + resources: + - apiservices + verbs: + - get + - update +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1beta1.networking.antrea.tanzu.vmware.com + - v1beta1.controlplane.antrea.tanzu.vmware.com + - v1alpha1.stats.antrea.tanzu.vmware.com + - v1beta1.system.antrea.tanzu.vmware.com + - v1beta2.controlplane.antrea.tanzu.vmware.com + resources: + - apiservices + verbs: + - delete +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - labelsmutator.antrea.io + - crdmutator.antrea.io + - crdvalidator.antrea.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - update +- apiGroups: + - crd.antrea.io + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - externalentities + 
- clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list + - update + - patch +- apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - externalippools/status + - ippools/status + verbs: + - update +- apiGroups: + - apps + resources: + - statefulsets + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antctl +subjects: +- kind: ServiceAccount + name: antctl + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: +- kind: ServiceAccount + name: antrea-agent + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: +- kind: ServiceAccount + name: antrea-controller + namespace: kube-system +--- +apiVersion: v1 data: antrea-agent.conf: | # FeatureGates is a map of feature names to bools that enable or disable experimental features. 
@@ -108,9 +2470,6 @@ data: # Enable mirroring or redirecting the traffic Pods send or receive. # TrafficControl: false - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - # Name of the OpenVSwitch bridge antrea-agent will create and use. # Make sure it doesn't conflict with your existing OpenVSwitch bridges. ovsBridge: "br-int" @@ -173,11 +2532,6 @@ data: # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. enableBridgingMode: false - # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the - # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. - # It affects Pods running on Linux Nodes only. - disableTXChecksumOffload: false - # Default MTU to use for the host gateway interface and the network interface of each Pod. # If omitted, antrea-agent will discover the MTU of the Node's primary interface and # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). @@ -315,14 +2669,6 @@ data: # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. proxyLoadBalancerIPs: true - - # IPsec tunnel related configurations. - ipsec: - # The authentication mode of IPsec tunnel. It has the following options: - # - psk (default): Use pre-shared key (PSK) for IKE authentication. - # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` - # feature gate to be enabled. - authenticationMode: "psk" antrea-cni.conflist: | { "cniVersion":"0.3.0", 
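Review bot: The deletion of the `# IPsecCertAuth: false` feature-gate lines here is unrelated to the IGMP query interval this revert targets, and the same applies to the `@@ -173`, `@@ -315`, `@@ -374` and `@@ -418` hunks (disableTXChecksumOffload, `ipsec.authenticationMode`, `ipsecCSRSigner`) and the `@@ -3024`, `@@ -3194` and `@@ -3254` hunks (certificatesigningrequests, `signers` and `antrea-ipsec-ca` RBAC), which suggests the manifest was regenerated from a stale tree rather than from the current HEAD. As written, deploying from this YAML removes the controller's CSR approve/sign permissions and its access to the IPsec CA Secret, so certificate-based IPsec authentication would stop working even though nothing in the commit message says so. The thousands of added CRD lines earlier in this file point the same way. This file is generated, so the fix is to rerun hack/generate-manifest.sh on top of the current tree so the regenerated diff touches only the multicast settings.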
@@ -374,9 +2720,6 @@ data: # Enable managing external IPs of Services of LoadBalancer type. # ServiceExternalIP: false - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - # The port for the antrea-controller APIServer to serve on. # Note that if it's set to another value, the `containerPort` of the `api` port of the # `antrea-controller` container must be set to the same value. @@ -418,20 +2761,6 @@ data: # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. nodeCIDRMaskSizeIPv6: 64 - - ipsecCSRSigner: - # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. - # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions - # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, - # the Pod identity will also be validated to provide maximum security. - # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved - # manually by `kubectl certificate approve`. - autoApprove: true - # Indicates whether to use auto-generated self-signed CA certificate. - # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: - # tls.crt: - # tls.key: - selfSignedCA: true --- # Source: antrea/templates/crds/antreaagentinfo.yaml apiVersion: apiextensions.k8s.io/v1 @@ -3024,15 +5353,6 @@ rules: - get - list - watch - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - - get - - watch - - list - - create --- # Source: antrea/templates/antctl/clusterrole.yaml kind: ClusterRole 
@@ -3194,26 +5514,14 @@ rules: - configmaps resourceNames: - antrea-ca - - antrea-ipsec-ca - antrea-cluster-identity verbs: - get - update - - apiGroups: - - "" - resources: - - secrets - resourceNames: - - antrea-ipsec-ca - verbs: - - get - - update - - watch - apiGroups: - "" resources: - configmaps - - secrets verbs: - create - apiGroups: @@ -3254,30 +5562,6 @@ rules: verbs: - get - update - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - - get - - list - - watch - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests/approval - - certificatesigningrequests/status - verbs: - - update - - apiGroups: - - certificates.k8s.io - resources: - - signers - resourceNames: - - antrea.io/antrea-agent-ipsec-tunnel - verbs: - - approve - - sign - apiGroups: - crd.antrea.io resources: @@ -3569,7 +5853,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 215e06b9ae507e0bf11e6da239908ee60b07bc419310825f504208e87815f0eb + checksum/config: 0cc20edc3fc882f0ea9bd3450fbab504858feeff47e1d3f09d8f6ebacd741dbe labels: app: antrea component: antrea-agent @@ -3811,7 +6095,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 215e06b9ae507e0bf11e6da239908ee60b07bc419310825f504208e87815f0eb + checksum/config: 0cc20edc3fc882f0ea9bd3450fbab504858feeff47e1d3f09d8f6ebacd741dbe labels: app: antrea component: antrea-controller diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml index 47e83a0ec7c..7ac41abfe3a 100644 --- a/build/yamls/antrea-gke.yml +++ b/build/yamls/antrea-gke.yml 
@@ -54,6 +54,2368 @@ metadata: namespace: kube-system labels: app: antrea + name: clusternetworkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - acnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: 
string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + to: + items: + properties: + fqdn: + type: string + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: 
object + namespaces: + properties: + match: + type: string + type: object + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: 
^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + enum: + - Self + type: string + type: object + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: 
+ x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: egresses.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Egress + plural: egresses + shortNames: + - eg + singular: egress + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. + jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + properties: + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: 
^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + egressIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + externalIPPool: + type: string + required: + - appliedTo + type: object + status: + properties: + egressNode: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - ee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalippools.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalIPPool + plural: externalippools + shortNames: + - eip + singular: externalippool + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: 
.metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + ipRanges: + items: + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + format: cidr + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + type: object + type: array + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - ipRanges + - nodeSelector + type: object + status: + properties: + usage: + properties: + total: + type: integer + used: + type: integer + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: ippools.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: IPPool + plural: ippools + shortNames: + - ipp + singular: ippool + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + vlan: + maximum: 4094 + minimum: 0 + type: integer + type: object + type: array + ipVersion: + type: integer 
+ required: + - ipVersion + - ipRanges + type: object + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + containerID: + type: string + ifName: + type: string + name: + type: string + namespace: + type: string + type: object + statefulSet: + properties: + index: + type: integer + name: + type: string + namespace: + type: string + type: object + type: object + phase: + type: string + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - anp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + fqdn: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string 
+ type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + 
properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + 
type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Tier + plural: tiers + shortNames: + - tr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Traceflow + plural: traceflows + shortNames: + - tf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. + jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - description: Trace live traffic. 
+ jsonPath: .spec.liveTraffic + name: Live-Traffic + priority: 10 + type: boolean + - description: Capture only the dropped packet. + jsonPath: .spec.droppedOnly + name: Dropped-Only + priority: 10 + type: boolean + - description: Timeout in seconds. + jsonPath: .spec.timeout + name: Timeout + priority: 10 + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + droppedOnly: + type: boolean + liveTraffic: + type: boolean + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + type: object + timeout: + type: integer + type: object + status: + properties: + capturedPacket: + properties: + dstIP: + type: string + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + length: + type: integer + srcIP: + type: string + transportHeader: + properties: + 
icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + startTime: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-agent + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-controller + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-clustergroups-edit +rules: +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: 
aggregate-antrea-clustergroups-view +rules: +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-policies-edit +rules: +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-policies-view +rules: +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-traceflows-edit +rules: +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-traceflows-view +rules: +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antctl +rules: +- apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - list +- apiGroups: + - stats.antrea.io + resources: + - networkpolicystats + - antreaclusternetworkpolicystats + - antreanetworkpolicystats + verbs: + - get 
+ - list +- apiGroups: + - system.antrea.io + resources: + - controllerinfos + - agentinfos + verbs: + - get +- apiGroups: + - system.antrea.io + resources: + - supportbundles + verbs: + - get + - post +- apiGroups: + - system.antrea.io + resources: + - supportbundles/download + verbs: + - get +- nonResourceURLs: + - /agentinfo + - /addressgroups + - /appliedtogroups + - /loglevel + - /networkpolicies + - /ovsflows + - /ovstracing + - /podinterfaces + - /featuregates + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-agent +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - nodes/status + verbs: + - patch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - pods/status + verbs: + - patch +- apiGroups: + - "" + resources: + - endpoints + - services + - namespaces + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - services/status + verbs: + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.io + resources: + - egressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.io + resources: + - nodestatssummaries + verbs: + - create +- apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies/status + verbs: + - create + - get +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - "" + 
resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - egresses/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - ippools/status + verbs: + - update +- apiGroups: + - k8s.cni.cncf.io + resources: + - network-attachment-definitions + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-cluster-identity-reader +rules: +- apiGroups: + - "" + resourceNames: + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-controller +rules: +- apiGroups: + - "" + resources: + - pods + - services + - namespaces + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - services/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - watch + - list +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - update +- apiGroups: + - "" + 
resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1alpha1.stats.antrea.io + - v1beta1.system.antrea.io + - v1beta2.controlplane.antrea.io + resources: + - apiservices + verbs: + - get + - update +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1beta1.networking.antrea.tanzu.vmware.com + - v1beta1.controlplane.antrea.tanzu.vmware.com + - v1alpha1.stats.antrea.tanzu.vmware.com + - v1beta1.system.antrea.tanzu.vmware.com + - v1beta2.controlplane.antrea.tanzu.vmware.com + resources: + - apiservices + verbs: + - delete +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - labelsmutator.antrea.io + - crdmutator.antrea.io + - crdvalidator.antrea.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - update +- apiGroups: + - crd.antrea.io + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - externalentities + 
- clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list + - update + - patch +- apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - externalippools/status + - ippools/status + verbs: + - update +- apiGroups: + - apps + resources: + - statefulsets + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antctl +subjects: +- kind: ServiceAccount + name: antctl + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: +- kind: ServiceAccount + name: antrea-agent + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: +- kind: ServiceAccount + name: antrea-controller + namespace: kube-system +--- +apiVersion: v1 data: antrea-agent.conf: | # FeatureGates is a map of feature names to bools that enable or disable experimental features. 
@@ -108,9 +2470,6 @@ data: # Enable mirroring or redirecting the traffic Pods send or receive. # TrafficControl: false - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - # Name of the OpenVSwitch bridge antrea-agent will create and use. # Make sure it doesn't conflict with your existing OpenVSwitch bridges. ovsBridge: "br-int" @@ -173,11 +2532,6 @@ data: # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. enableBridgingMode: false - # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the - # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. - # It affects Pods running on Linux Nodes only. - disableTXChecksumOffload: false - # Default MTU to use for the host gateway interface and the network interface of each Pod. # If omitted, antrea-agent will discover the MTU of the Node's primary interface and # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). @@ -315,14 +2669,6 @@ data: # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. proxyLoadBalancerIPs: true - - # IPsec tunnel related configurations. - ipsec: - # The authentication mode of IPsec tunnel. It has the following options: - # - psk (default): Use pre-shared key (PSK) for IKE authentication. - # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` - # feature gate to be enabled. - authenticationMode: "psk" antrea-cni.conflist: | { "cniVersion":"0.3.0", 
@@ -374,9 +2720,6 @@ data: # Enable managing external IPs of Services of LoadBalancer type. # ServiceExternalIP: false - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - # The port for the antrea-controller APIServer to serve on. # Note that if it's set to another value, the `containerPort` of the `api` port of the # `antrea-controller` container must be set to the same value. @@ -418,20 +2761,6 @@ data: # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. nodeCIDRMaskSizeIPv6: 64 - - ipsecCSRSigner: - # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. - # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions - # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, - # the Pod identity will also be validated to provide maximum security. - # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved - # manually by `kubectl certificate approve`. - autoApprove: true - # Indicates whether to use auto-generated self-signed CA certificate. - # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: - # tls.crt: - # tls.key: - selfSignedCA: true --- # Source: antrea/templates/crds/antreaagentinfo.yaml apiVersion: apiextensions.k8s.io/v1 @@ -3024,15 +5353,6 @@ rules: - get - list - watch - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - - get - - watch - - list - - create --- # Source: antrea/templates/antctl/clusterrole.yaml kind: ClusterRole 
@@ -3194,26 +5514,14 @@ rules: - configmaps resourceNames: - antrea-ca - - antrea-ipsec-ca - antrea-cluster-identity verbs: - get - update - - apiGroups: - - "" - resources: - - secrets - resourceNames: - - antrea-ipsec-ca - verbs: - - get - - update - - watch - apiGroups: - "" resources: - configmaps - - secrets verbs: - create - apiGroups: @@ -3254,30 +5562,6 @@ rules: verbs: - get - update - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - - get - - list - - watch - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests/approval - - certificatesigningrequests/status - verbs: - - update - - apiGroups: - - certificates.k8s.io - resources: - - signers - resourceNames: - - antrea.io/antrea-agent-ipsec-tunnel - verbs: - - approve - - sign - apiGroups: - crd.antrea.io resources: @@ -3569,7 +5853,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 9b30c1a8c106bef23da9374bbf18b11a72b5cf96532c2941ca0a11e5af48d2e6 + checksum/config: 6b6be76fd37d8fdac7783fcd026b6f34e993630c12c339b1dafa99ba5b36cf00 labels: app: antrea component: antrea-agent @@ -3809,7 +6093,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 9b30c1a8c106bef23da9374bbf18b11a72b5cf96532c2941ca0a11e5af48d2e6 + checksum/config: 6b6be76fd37d8fdac7783fcd026b6f34e993630c12c339b1dafa99ba5b36cf00 labels: app: antrea component: antrea-controller diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml index 7ea65444221..261e37d5267 100644 --- a/build/yamls/antrea-ipsec.yml +++ b/build/yamls/antrea-ipsec.yml 
@@ -67,6 +67,1819 @@ metadata: namespace: kube-system labels: app: antrea + name: egresses.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Egress + plural: egresses + shortNames: + - eg + singular: egress + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. + jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + properties: + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + egressIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + externalIPPool: + type: string + required: + - appliedTo + type: object + status: + properties: + egressNode: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: 
externalentities.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - ee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalippools.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalIPPool + plural: externalippools + shortNames: + - eip + singular: externalippool + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + ipRanges: + items: + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + format: cidr + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + type: object + type: array + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + 
items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - ipRanges + - nodeSelector + type: object + status: + properties: + usage: + properties: + total: + type: integer + used: + type: integer + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: ippools.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: IPPool + plural: ippools + shortNames: + - ipp + singular: ippool + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + vlan: + maximum: 4094 + minimum: 0 + type: integer + type: object + type: array + ipVersion: + type: integer + required: + - ipVersion + - ipRanges + type: object + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + containerID: + type: string + ifName: + type: string + name: + type: string + namespace: + type: string + type: object + statefulSet: + properties: + index: + type: integer + name: + type: string + namespace: + type: string + type: object + type: object + phase: + type: string + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- 
+apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - anp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: 
object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + fqdn: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + 
x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: 
^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Tier + plural: tiers + shortNames: + - tr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. 
+ jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Traceflow + plural: traceflows + shortNames: + - tf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. + jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - description: Trace live traffic. + jsonPath: .spec.liveTraffic + name: Live-Traffic + priority: 10 + type: boolean + - description: Capture only the dropped packet. + jsonPath: .spec.droppedOnly + name: Dropped-Only + priority: 10 + type: boolean + - description: Timeout in seconds. 
+ jsonPath: .spec.timeout + name: Timeout + priority: 10 + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + droppedOnly: + type: boolean + liveTraffic: + type: boolean + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + type: object + timeout: + type: integer + type: object + status: + properties: + capturedPacket: + properties: + dstIP: + type: string + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + length: + type: integer + srcIP: + type: string + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + 
srcPort: + type: integer + type: object + type: object + type: object + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + startTime: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-agent + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-controller + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-clustergroups-edit +rules: +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-clustergroups-view +rules: +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + 
rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-policies-edit +rules: +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-policies-view +rules: +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-traceflows-edit +rules: +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-traceflows-view +rules: +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antctl +rules: +- apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - list +- apiGroups: + - stats.antrea.io + resources: + - networkpolicystats + - antreaclusternetworkpolicystats + - antreanetworkpolicystats + verbs: + - get + - list +- apiGroups: + - system.antrea.io + resources: + - controllerinfos + - agentinfos + verbs: + - get +- apiGroups: + - system.antrea.io + resources: + - supportbundles + verbs: + - get + - post +- apiGroups: + - system.antrea.io + 
resources: + - supportbundles/download + verbs: + - get +- nonResourceURLs: + - /agentinfo + - /addressgroups + - /appliedtogroups + - /loglevel + - /networkpolicies + - /ovsflows + - /ovstracing + - /podinterfaces + - /featuregates + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-agent +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - nodes/status + verbs: + - patch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - pods/status + verbs: + - patch +- apiGroups: + - "" + resources: + - endpoints + - services + - namespaces + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - services/status + verbs: + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.io + resources: + - egressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.io + resources: + - nodestatssummaries + verbs: + - create +- apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies/status + verbs: + - create + - get +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + resources: + - configmaps + verbs: + - get + - watch + - list +- 
apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - egresses/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - ippools/status + verbs: + - update +- apiGroups: + - k8s.cni.cncf.io + resources: + - network-attachment-definitions + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-cluster-identity-reader +rules: +- apiGroups: + - "" + resourceNames: + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-controller +rules: +- apiGroups: + - "" + resources: + - pods + - services + - namespaces + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - services/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - watch + - list +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - update +- apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get 
+ - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1alpha1.stats.antrea.io + - v1beta1.system.antrea.io + - v1beta2.controlplane.antrea.io + resources: + - apiservices + verbs: + - get + - update +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1beta1.networking.antrea.tanzu.vmware.com + - v1beta1.controlplane.antrea.tanzu.vmware.com + - v1alpha1.stats.antrea.tanzu.vmware.com + - v1beta1.system.antrea.tanzu.vmware.com + - v1beta2.controlplane.antrea.tanzu.vmware.com + resources: + - apiservices + verbs: + - delete +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - labelsmutator.antrea.io + - crdmutator.antrea.io + - crdvalidator.antrea.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - update +- apiGroups: + - crd.antrea.io + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - egresses 
+ verbs: + - get + - watch + - list + - update + - patch +- apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - externalippools/status + - ippools/status + verbs: + - update +- apiGroups: + - apps + resources: + - statefulsets + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antctl +subjects: +- kind: ServiceAccount + name: antctl + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: +- kind: ServiceAccount + name: antrea-agent + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: +- kind: ServiceAccount + name: antrea-controller + namespace: kube-system +--- +apiVersion: v1 data: antrea-agent.conf: | # FeatureGates is a map of feature names to bools that enable or disable experimental features. @@ -121,9 +1934,6 @@ data: # Enable mirroring or redirecting the traffic Pods send or receive. # TrafficControl: false - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - # Name of the OpenVSwitch bridge antrea-agent will create and use. # Make sure it doesn't conflict with your existing OpenVSwitch bridges. ovsBridge: "br-int" 
@@ -186,11 +1996,6 @@ data: # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. enableBridgingMode: false - # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the - # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. - # It affects Pods running on Linux Nodes only. - disableTXChecksumOffload: false - # Default MTU to use for the host gateway interface and the network interface of each Pod. # If omitted, antrea-agent will discover the MTU of the Node's primary interface and # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). @@ -328,14 +2133,6 @@ data: # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. proxyLoadBalancerIPs: true - - # IPsec tunnel related configurations. - ipsec: - # The authentication mode of IPsec tunnel. It has the following options: - # - psk (default): Use pre-shared key (PSK) for IKE authentication. - # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` - # feature gate to be enabled. - authenticationMode: "psk" antrea-cni.conflist: | { "cniVersion":"0.3.0", @@ -387,9 +2184,6 @@ data: # Enable managing external IPs of Services of LoadBalancer type. # ServiceExternalIP: false - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - # The port for the antrea-controller APIServer to serve on. # Note that if it's set to another value, the `containerPort` of the `api` port of the # `antrea-controller` container must be set to the same value. 
@@ -431,20 +2225,6 @@ data: # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. nodeCIDRMaskSizeIPv6: 64 - - ipsecCSRSigner: - # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. - # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions - # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, - # the Pod identity will also be validated to provide maximum security. - # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved - # manually by `kubectl certificate approve`. - autoApprove: true - # Indicates whether to use auto-generated self-signed CA certificate. - # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: - # tls.crt: - # tls.key: - selfSignedCA: true --- # Source: antrea/templates/crds/antreaagentinfo.yaml apiVersion: apiextensions.k8s.io/v1 @@ -3037,15 +4817,6 @@ rules: - get - list - watch - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - - get - - watch - - list - - create --- # Source: antrea/templates/antctl/clusterrole.yaml kind: ClusterRole @@ -3207,26 +4978,14 @@ rules: - configmaps resourceNames: - antrea-ca - - antrea-ipsec-ca - antrea-cluster-identity verbs: - get - update - - apiGroups: - - "" - resources: - - secrets - resourceNames: - - antrea-ipsec-ca - verbs: - - get - - update - - watch - apiGroups: - "" resources: - configmaps - - secrets verbs: - create - apiGroups: 
@@ -3267,30 +5026,6 @@ rules: verbs: - get - update - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - - get - - list - - watch - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests/approval - - certificatesigningrequests/status - verbs: - - update - - apiGroups: - - certificates.k8s.io - resources: - - signers - resourceNames: - - antrea.io/antrea-agent-ipsec-tunnel - verbs: - - approve - - sign - apiGroups: - crd.antrea.io resources: @@ -3582,7 +5317,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 97fb99b7b2d8e9a0a5a6075dc109ea93d55b9ff3b6dc06af72fdfbaabec1d97b + checksum/config: d289c621cfdc7aee9e8320c0398e76f302591b0adc12156d470320ee9839c073 checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4 labels: app: antrea @@ -3712,9 +5447,6 @@ spec: - name: host-var-run-antrea mountPath: /var/run/openvswitch subPath: openvswitch - - name: antrea-ipsec-ca - mountPath: /var/run/openvswitch/ca - readOnly: true # host-local IPAM stores allocated IP addresses as files in /var/lib/cni/networks/$NETWORK_NAME. # Mount a sub-directory of host-var-run-antrea to it for persistence of IP allocation. - name: host-var-run-antrea @@ -3803,9 +5535,6 @@ spec: - name: host-var-log-antrea mountPath: /var/log/strongswan subPath: strongswan - - mountPath: /etc/ipsec.d/cacerts - name: antrea-ipsec-ca - readOnly: true volumes: - name: antrea-config configMap: @@ -3822,10 +5551,6 @@ spec: - name: host-var-run-netns hostPath: path: /var/run/netns - - name: antrea-ipsec-ca - configMap: - name: antrea-ipsec-ca - optional: true - name: host-var-run-antrea hostPath: path: /var/run/antrea 
@@ -3868,7 +5593,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 97fb99b7b2d8e9a0a5a6075dc109ea93d55b9ff3b6dc06af72fdfbaabec1d97b + checksum/config: d289c621cfdc7aee9e8320c0398e76f302591b0adc12156d470320ee9839c073 labels: app: antrea component: antrea-controller diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml index 3ec7336f8cc..09b4b422158 100644 --- a/build/yamls/antrea.yml +++ b/build/yamls/antrea.yml 
@@ -54,6 +54,2368 @@ metadata: namespace: kube-system labels: app: antrea + name: clusternetworkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - acnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: 
string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + to: + items: + properties: + fqdn: + type: string + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: 
object + namespaces: + properties: + match: + type: string + type: object + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: 
^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + enum: + - Self + type: string + type: object + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccount: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: 
+ x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: egresses.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Egress + plural: egresses + shortNames: + - eg + singular: egress + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. + jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + properties: + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: 
^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + egressIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + externalIPPool: + type: string + required: + - appliedTo + type: object + status: + properties: + egressNode: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - ee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalippools.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalIPPool + plural: externalippools + shortNames: + - eip + singular: externalippool + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: 
.metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + ipRanges: + items: + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + format: cidr + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + type: object + type: array + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - ipRanges + - nodeSelector + type: object + status: + properties: + usage: + properties: + total: + type: integer + used: + type: integer + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: ippools.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: IPPool + plural: ippools + shortNames: + - ipp + singular: ippool + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + vlan: + maximum: 4094 + minimum: 0 + type: integer + type: object + type: array + ipVersion: + type: integer 
+ required: + - ipVersion + - ipRanges + type: object + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + containerID: + type: string + ifName: + type: string + name: + type: string + namespace: + type: string + type: object + statefulSet: + properties: + index: + type: integer + name: + type: string + namespace: + type: string + type: object + type: object + phase: + type: string + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - anp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + fqdn: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string 
+ type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + 
properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + enum: + - TCP + - UDP + - SCTP + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + 
type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Tier + plural: tiers + shortNames: + - tr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Traceflow + plural: traceflows + shortNames: + - tf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. + jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - description: Trace live traffic. 
+ jsonPath: .spec.liveTraffic + name: Live-Traffic + priority: 10 + type: boolean + - description: Capture only the dropped packet. + jsonPath: .spec.droppedOnly + name: Dropped-Only + priority: 10 + type: boolean + - description: Timeout in seconds. + jsonPath: .spec.timeout + name: Timeout + priority: 10 + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + droppedOnly: + type: boolean + liveTraffic: + type: boolean + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + type: object + timeout: + type: integer + type: object + status: + properties: + capturedPacket: + properties: + dstIP: + type: string + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + length: + type: integer + srcIP: + type: string + transportHeader: + properties: + 
icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + startTime: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-agent + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-controller + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-clustergroups-edit +rules: +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: 
aggregate-antrea-clustergroups-view +rules: +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-policies-edit +rules: +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-policies-view +rules: +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-traceflows-edit +rules: +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-traceflows-view +rules: +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antctl +rules: +- apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - list +- apiGroups: + - stats.antrea.io + resources: + - networkpolicystats + - antreaclusternetworkpolicystats + - antreanetworkpolicystats + verbs: + - get 
+ - list +- apiGroups: + - system.antrea.io + resources: + - controllerinfos + - agentinfos + verbs: + - get +- apiGroups: + - system.antrea.io + resources: + - supportbundles + verbs: + - get + - post +- apiGroups: + - system.antrea.io + resources: + - supportbundles/download + verbs: + - get +- nonResourceURLs: + - /agentinfo + - /addressgroups + - /appliedtogroups + - /loglevel + - /networkpolicies + - /ovsflows + - /ovstracing + - /podinterfaces + - /featuregates + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-agent +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - nodes/status + verbs: + - patch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - pods/status + verbs: + - patch +- apiGroups: + - "" + resources: + - endpoints + - services + - namespaces + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - services/status + verbs: + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.io + resources: + - egressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.io + resources: + - nodestatssummaries + verbs: + - create +- apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies/status + verbs: + - create + - get +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - "" + 
resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - egresses/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - ippools/status + verbs: + - update +- apiGroups: + - k8s.cni.cncf.io + resources: + - network-attachment-definitions + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-cluster-identity-reader +rules: +- apiGroups: + - "" + resourceNames: + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-controller +rules: +- apiGroups: + - "" + resources: + - pods + - services + - namespaces + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - services/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - watch + - list +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - update +- apiGroups: + - "" + 
resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1alpha1.stats.antrea.io + - v1beta1.system.antrea.io + - v1beta2.controlplane.antrea.io + resources: + - apiservices + verbs: + - get + - update +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1beta1.networking.antrea.tanzu.vmware.com + - v1beta1.controlplane.antrea.tanzu.vmware.com + - v1alpha1.stats.antrea.tanzu.vmware.com + - v1beta1.system.antrea.tanzu.vmware.com + - v1beta2.controlplane.antrea.tanzu.vmware.com + resources: + - apiservices + verbs: + - delete +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - labelsmutator.antrea.io + - crdmutator.antrea.io + - crdvalidator.antrea.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - update +- apiGroups: + - crd.antrea.io + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - externalentities + 
- clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list + - update + - patch +- apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - externalippools/status + - ippools/status + verbs: + - update +- apiGroups: + - apps + resources: + - statefulsets + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antctl +subjects: +- kind: ServiceAccount + name: antctl + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: +- kind: ServiceAccount + name: antrea-agent + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: +- kind: ServiceAccount + name: antrea-controller + namespace: kube-system +--- +apiVersion: v1 data: antrea-agent.conf: | # FeatureGates is a map of feature names to bools that enable or disable experimental features. 
@@ -108,9 +2470,6 @@ data: # Enable mirroring or redirecting the traffic Pods send or receive. # TrafficControl: false - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - # Name of the OpenVSwitch bridge antrea-agent will create and use. # Make sure it doesn't conflict with your existing OpenVSwitch bridges. ovsBridge: "br-int" @@ -173,11 +2532,6 @@ data: # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. enableBridgingMode: false - # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the - # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. - # It affects Pods running on Linux Nodes only. - disableTXChecksumOffload: false - # Default MTU to use for the host gateway interface and the network interface of each Pod. # If omitted, antrea-agent will discover the MTU of the Node's primary interface and # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). @@ -315,14 +2669,6 @@ data: # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. proxyLoadBalancerIPs: true - - # IPsec tunnel related configurations. - ipsec: - # The authentication mode of IPsec tunnel. It has the following options: - # - psk (default): Use pre-shared key (PSK) for IKE authentication. - # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` - # feature gate to be enabled. - authenticationMode: "psk" antrea-cni.conflist: | { "cniVersion":"0.3.0", 
@@ -374,9 +2720,6 @@ data: # Enable managing external IPs of Services of LoadBalancer type. # ServiceExternalIP: false - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - # The port for the antrea-controller APIServer to serve on. # Note that if it's set to another value, the `containerPort` of the `api` port of the # `antrea-controller` container must be set to the same value. @@ -418,20 +2761,6 @@ data: # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. nodeCIDRMaskSizeIPv6: 64 - - ipsecCSRSigner: - # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. - # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions - # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, - # the Pod identity will also be validated to provide maximum security. - # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved - # manually by `kubectl certificate approve`. - autoApprove: true - # Indicates whether to use auto-generated self-signed CA certificate. - # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: - # tls.crt: - # tls.key: - selfSignedCA: true --- # Source: antrea/templates/crds/antreaagentinfo.yaml apiVersion: apiextensions.k8s.io/v1 @@ -3024,15 +5353,6 @@ rules: - get - list - watch - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - - get - - watch - - list - - create --- # Source: antrea/templates/antctl/clusterrole.yaml kind: ClusterRole 
@@ -3194,26 +5514,14 @@ rules: - configmaps resourceNames: - antrea-ca - - antrea-ipsec-ca - antrea-cluster-identity verbs: - get - update - - apiGroups: - - "" - resources: - - secrets - resourceNames: - - antrea-ipsec-ca - verbs: - - get - - update - - watch - apiGroups: - "" resources: - configmaps - - secrets verbs: - create - apiGroups: @@ -3254,30 +5562,6 @@ rules: verbs: - get - update - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - - get - - list - - watch - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests/approval - - certificatesigningrequests/status - verbs: - - update - - apiGroups: - - certificates.k8s.io - resources: - - signers - resourceNames: - - antrea.io/antrea-agent-ipsec-tunnel - verbs: - - approve - - sign - apiGroups: - crd.antrea.io resources: @@ -3569,7 +5853,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 0cf7fc67ba29593ea1cdb73b19f72f8d53a24ac432b1737a1849591a0aa43e75 + checksum/config: 976e8c918d8c411df17238dd333a51f9adfdfafe2d6d480d7652f16be02fff3c labels: app: antrea component: antrea-agent @@ -3809,7 +6093,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 0cf7fc67ba29593ea1cdb73b19f72f8d53a24ac432b1737a1849591a0aa43e75 + checksum/config: 976e8c918d8c411df17238dd333a51f9adfdfafe2d6d480d7652f16be02fff3c labels: app: antrea component: antrea-controller diff --git a/cmd/antrea-agent/agent.go b/cmd/antrea-agent/agent.go index 00a162044de..18724768735 100644 --- a/cmd/antrea-agent/agent.go +++ b/cmd/antrea-agent/agent.go 
@@ -608,10 +608,9 @@ func run(o *Options) error { nodeConfig, ifaceStore, multicastSocket, - sets.NewString(append(o.config.Multicast.MulticastInterfaces, nodeConfig.NodeTransportInterfaceName)...), + sets.NewString(append(o.config.MulticastInterfaces, nodeConfig.NodeTransportInterfaceName)...), ovsBridgeClient, - podUpdateChannel, - o.igmpQueryInterval) + podUpdateChannel) if err := mcastController.Initialize(); err != nil { return err } diff --git a/cmd/antrea-agent/options.go b/cmd/antrea-agent/options.go index a04fae4166a..ccf86df2fd3 100644 --- a/cmd/antrea-agent/options.go +++ b/cmd/antrea-agent/options.go @@ -47,7 +47,6 @@ const ( defaultFlowPollInterval = 5 * time.Second defaultActiveFlowExportTimeout = 30 * time.Second defaultIdleFlowExportTimeout = 15 * time.Second - defaultIGMPQueryInterval = 125 * time.Second defaultStaleConnectionTimeout = 5 * time.Minute defaultNPLPortRange = "61000-62000" ) @@ -69,7 +68,6 @@ type Options struct { idleFlowTimeout time.Duration // Stale connection timeout to delete connections if they are not exported. staleConnectionTimeout time.Duration - igmpQueryInterval time.Duration nplStartPort int nplEndPort int } @@ -170,9 +168,6 @@ func (o *Options) validate(args []string) error { if err := o.validateFlowExporterConfig(); err != nil { return fmt.Errorf("failed to validate flow exporter config: %v", err) } - if err := o.validateMulticastConfig(); err != nil { - return fmt.Errorf("failed to validate multicast config: %v", err) - } if features.DefaultFeatureGate.Enabled(features.Egress) { for _, cidr := range o.config.Egress.ExceptCIDRs { _, _, err := net.ParseCIDR(cidr) @@ -286,12 +281,6 @@ func (o *Options) setDefaults() { o.config.NodePortLocal.PortRange = defaultNPLPortRange } } - - if features.DefaultFeatureGate.Enabled(features.Multicast) { - if o.config.Multicast.IGMPQueryInterval == "" { - o.igmpQueryInterval = defaultIGMPQueryInterval - } - } } func (o *Options) validateAntreaProxyConfig() error { 
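Review bot: The restored `sets.NewString(append(o.config.MulticastInterfaces, nodeConfig.NodeTransportInterfaceName)...)` appends through the configuration's own slice header, so whenever that slice has spare capacity the transport interface name is written into the backing array behind `o.config.MulticastInterfaces`; whether the YAML decoder leaves spare capacity is not visible here, but the code should not depend on it. The goal is only a set, so build it without aliasing the config: `mcastIfaces := sets.NewString(o.config.MulticastInterfaces...)` then `mcastIfaces.Insert(nodeConfig.NodeTransportInterfaceName)` and pass `mcastIfaces` to `NewMulticastController`. The enclosing `run` starts and ends outside the hunk.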
@@ -372,19 +361,6 @@ func (o *Options) validateFlowExporterConfig() error { return nil } -func (o *Options) validateMulticastConfig() error { - if features.DefaultFeatureGate.Enabled(features.Multicast) { - var err error - if o.config.Multicast.IGMPQueryInterval != "" { - o.igmpQueryInterval, err = time.ParseDuration(o.config.Multicast.IGMPQueryInterval) - if err != nil { - return err - } - } - } - return nil -} - func (o *Options) validateAntreaIPAMConfig() error { if !o.config.EnableBridgingMode { return nil diff --git a/hack/generate-manifest.sh b/hack/generate-manifest.sh index a126c20ff3f..521a9663dc9 100755 --- a/hack/generate-manifest.sh +++ b/hack/generate-manifest.sh @@ -307,7 +307,7 @@ if $FLEXIBLE_IPAM; then fi if $MULTICAST; then - HELM_VALUES+=("trafficEncapMode=noEncap" "featureGates.Multicast=true" "multicast.multicastInterfaces={$MULTICAST_INTERFACES}") + HELM_VALUES+=("trafficEncapMode=noEncap" "featureGates.Multicast=true" "multicastInterfaces={$MULTICAST_INTERFACES}") fi if $ALLFEATURES; then diff --git a/pkg/agent/multicast/mcast_controller.go b/pkg/agent/multicast/mcast_controller.go index 01188cba172..481dcebb2d9 100644 --- a/pkg/agent/multicast/mcast_controller.go +++ b/pkg/agent/multicast/mcast_controller.go 
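Review bot: The `multicastInterfaces={$MULTICAST_INTERFACES}` Helm value is the right revert of the chart key, but the manifests this script produces do not look like a clean regeneration against the reverted chart: the build/yamls hunks in this commit also remove the `IPsecCertAuth` feature gate, the `ipsec.authenticationMode` and `ipsecCSRSigner` sections, the `certificatesigningrequests`/`signers` RBAC rules and the `antrea-ipsec-ca` secret permissions, and add roughly 2400 lines of duplicated RBAC objects per file, none of which belongs to the igmpQueryInterval revert. Silently dropping the CSR approve/sign RBAC and the IPsec CA secret access is a functional regression for certificate-based IPsec, not a hardening, and the duplicated ClusterRoles will make future RBAC audits of the manifest unreliable. Re-run `hack/generate-manifest.sh` from this commit's chart so the generated files change only in the `multicast:` block, and consider a CI check that regenerated manifests match the committed ones.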
@@ -153,20 +153,20 @@ func (c *Controller) checkLastMember(group net.IP) { c.queue.AddAfter(group.String(), igmpMaxResponseTime) } -// clearStaleGroups checks the stale group members which have not been updated for c.mcastGroupTimeout, and then notifies worker +// clearStaleGroups checks the stale group members which have not been updated for mcastGroupTimeout, and then notifies worker // to remove them from groupCache. func (c *Controller) clearStaleGroups() { now := time.Now() for _, obj := range c.groupCache.List() { status := obj.(*GroupMemberStatus) diff := now.Sub(status.lastIGMPReport) - if diff > c.mcastGroupTimeout { + if diff > mcastGroupTimeout { // Notify worker to remove the group from groupCache if all its members are not updated before mcastGroupTimeout. c.queue.Add(status.group.String()) } else { // Create a "leave" event for a local member if it is not updated before mcastGroupTimeout. for member, lastUpdate := range status.localMembers { - if now.Sub(lastUpdate) > c.mcastGroupTimeout { + if now.Sub(lastUpdate) > mcastGroupTimeout { ifConfig := &interfacestore.InterfaceConfig{ InterfaceName: member, } @@ -222,11 +222,6 @@ type Controller struct { installedGroupsMutex sync.RWMutex mRouteClient *MRouteClient ovsBridgeClient ovsconfig.OVSBridgeClient - - // queryInterval is the interval to send IGMP query messages. - queryInterval time.Duration - // mcastGroupTimeout is the timeout to detect a group as stale if no IGMP report is received within the time. - mcastGroupTimeout time.Duration } func NewMulticastController(ofClient openflow.Client, 
@@ -236,28 +231,25 @@ func NewMulticastController(ofClient openflow.Client, multicastSocket RouteInterface, multicastInterfaces sets.String, ovsBridgeClient ovsconfig.OVSBridgeClient, - podUpdateSubscriber channel.Subscriber, - igmpQueryInterval time.Duration) *Controller { + podUpdateSubscriber channel.Subscriber) *Controller { eventCh := make(chan *mcastGroupEvent, workerCount) - groupSnooper := newSnooper(ofClient, ifaceStore, eventCh, igmpQueryInterval) + groupSnooper := newSnooper(ofClient, ifaceStore, eventCh) groupCache := cache.NewIndexer(getGroupEventKey, cache.Indexers{ podInterfaceIndex: podInterfaceIndexFunc, }) multicastRouteClient := newRouteClient(nodeConfig, groupCache, multicastSocket, multicastInterfaces) c := &Controller{ - ofClient: ofClient, - ifaceStore: ifaceStore, - v4GroupAllocator: v4GroupAllocator, - nodeConfig: nodeConfig, - igmpSnooper: groupSnooper, - groupEventCh: eventCh, - groupCache: groupCache, - installedGroups: sets.NewString(), - queue: workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(minRetryDelay, maxRetryDelay), "multicastgroup"), - mRouteClient: multicastRouteClient, - ovsBridgeClient: ovsBridgeClient, - queryInterval: igmpQueryInterval, - mcastGroupTimeout: igmpQueryInterval * 3, + ofClient: ofClient, + ifaceStore: ifaceStore, + v4GroupAllocator: v4GroupAllocator, + nodeConfig: nodeConfig, + igmpSnooper: groupSnooper, + groupEventCh: eventCh, + groupCache: groupCache, + installedGroups: sets.NewString(), + queue: workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(minRetryDelay, maxRetryDelay), "multicastgroup"), + mRouteClient: multicastRouteClient, + ovsBridgeClient: ovsBridgeClient, } podUpdateSubscriber.Subscribe(c.removeLocalInterface) return c 
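Review bot: `NewMulticastController` is exported but has no doc comment, and after this revert the query period and stale-group timeout are no longer visible in its signature, so a reader of the constructor has no hint that they come from the package constants `queryInterval` and `mcastGroupTimeout`. A short comment above the signature would cover both: `// NewMulticastController returns a Controller that snoops IGMP via ofClient, keeps per-group membership in an indexed cache, programs multicast routes through multicastSocket on multicastInterfaces, and calls removeLocalInterface for Pod update events from podUpdateSubscriber. IGMP query pacing and group expiry use the package-level queryInterval and mcastGroupTimeout.` The signature itself begins outside the hunk.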
@@ -287,10 +279,10 @@ func (c *Controller) Run(stopCh <-chan struct{}) { if err := c.igmpSnooper.queryIGMP(net.IPv4zero, queryVersions); err != nil { klog.ErrorS(err, "Failed to send IGMP query") } - }, c.queryInterval, stopCh) + }, queryInterval, stopCh) // Periodically check the group member status, and remove the groups in which no members exist - go wait.NonSlidingUntil(c.clearStaleGroups, c.queryInterval, stopCh) + go wait.NonSlidingUntil(c.clearStaleGroups, queryInterval, stopCh) go c.eventHandler(stopCh) for i := 0; i < int(workerCount); i++ { @@ -429,11 +421,11 @@ func (c *Controller) syncGroup(groupKey string) error { return nil } -// groupIsStale returns true if no local members in the group, or there is no IGMP report received after c.mcastGroupTimeout. +// groupIsStale returns true if no local members in the group, or there is no IGMP report received after mcastGroupTimeout. func (c *Controller) groupIsStale(status *GroupMemberStatus) bool { membersCount := len(status.localMembers) diff := time.Now().Sub(status.lastIGMPReport) - if membersCount == 0 || diff > c.mcastGroupTimeout { + if membersCount == 0 || diff > mcastGroupTimeout { return true } return false diff --git a/pkg/agent/multicast/mcast_controller_test.go b/pkg/agent/multicast/mcast_controller_test.go index 1f57b503f30..0536dfda675 100644 --- a/pkg/agent/multicast/mcast_controller_test.go +++ b/pkg/agent/multicast/mcast_controller_test.go @@ -217,7 +217,7 @@ func TestClearStaleGroups(t *testing.T) { wg.Done() }() now := time.Now() - validUpdateTime := now.Add(-mctrl.queryInterval) + validUpdateTime := now.Add(-queryInterval) validGroups := []*GroupMemberStatus{ { group: net.ParseIP("224.96.1.2"), 
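Review bot: In `groupIsStale` the new `if membersCount == 0 || diff > mcastGroupTimeout { return true }` followed by `return false` is an if/return-true/return-false around a boolean, and the `time.Now().Sub(status.lastIGMPReport)` feeding it is what `time.Since` exists for. The body reduces to a single line, `return len(status.localMembers) == 0 || time.Since(status.lastIGMPReport) > mcastGroupTimeout`, which also makes the doc comment ("no local members, or no IGMP report received after mcastGroupTimeout") read exactly like the code. The same `> mcastGroupTimeout` comparison now appears here and twice in `clearStaleGroups`; if the two sweeps are meant to agree, a small helper taking the reference time would keep them from drifting.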
@@ -230,7 +230,7 @@ func TestClearStaleGroups(t *testing.T) { lastIGMPReport: validUpdateTime, }, } - staleUpdateTime := now.Add(-mctrl.mcastGroupTimeout - time.Second) + staleUpdateTime := now.Add(-mcastGroupTimeout - time.Second) staleGroups := []*GroupMemberStatus{ { group: net.ParseIP("224.96.1.4"), @@ -364,8 +364,7 @@ func newMockMulticastController(t *testing.T) *Controller { mockOFClient.EXPECT().RegisterPacketInHandler(gomock.Any(), gomock.Any(), gomock.Any()).Times(1) groupAllocator := openflow.NewGroupAllocator(false) podUpdateSubscriber := channel.NewSubscribableChannel("PodUpdate", 100) - queryInterval := 5 * time.Second - mctrl := NewMulticastController(mockOFClient, groupAllocator, nodeConfig, mockIfaceStore, mockMulticastSocket, sets.NewString(), ovsClient, podUpdateSubscriber, queryInterval) + mctrl := NewMulticastController(mockOFClient, groupAllocator, nodeConfig, mockIfaceStore, mockMulticastSocket, sets.NewString(), ovsClient, podUpdateSubscriber) return mctrl } diff --git a/pkg/agent/multicast/mcast_discovery.go b/pkg/agent/multicast/mcast_discovery.go index e68da77bdf5..7d4b7fe91fc 100644 --- a/pkg/agent/multicast/mcast_discovery.go +++ b/pkg/agent/multicast/mcast_discovery.go @@ -34,6 +34,13 @@ const ( IGMPProtocolNumber = 2 ) +const ( + // queryInterval is the interval to send IGMP query messages. + queryInterval = time.Second * 125 + // mcastGroupTimeout is the timeout to detect a group as stale if no IGMP report is received within the time. + mcastGroupTimeout = queryInterval * 3 +) + var ( // igmpMaxResponseTime is the maximum time allowed before sending a responding report which is used for the // "Max Resp Code" field in the IGMP query message. It is also the maximum time to wait for the IGMP report message 
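Review bot: The restored constants `queryInterval = time.Second * 125` and `mcastGroupTimeout = queryInterval * 3` give no source for the numbers, and the `defaultIGMPQueryInterval = 125 * time.Second` this commit removes from options.go wrote the same value in the conventional `N * time.Unit` order, so the two styles should at least agree. 125 s is the RFC 3376 §8.2 default Query Interval; the RFC's Group Membership Interval is (Robustness Variable × Query Interval) + Query Response Interval, 260 s with defaults, so 3 × 125 s = 375 s is looser than the standard and tolerates two missed reports rather than one. Record that: `// queryInterval is the RFC 3376 (8.2) default Query Interval.` and `// mcastGroupTimeout is the local Group Membership Interval; 3*queryInterval is wider than the RFC's 2*QI+QRI (260s) so two consecutive lost reports do not expire a group.`, adjusting the second if the wider window was not the intent.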
@@ -45,10 +52,9 @@ var ( ) type IGMPSnooper struct { - ofClient openflow.Client - ifaceStore interfacestore.InterfaceStore - eventCh chan *mcastGroupEvent - queryInterval time.Duration + ofClient openflow.Client + ifaceStore interfacestore.InterfaceStore + eventCh chan *mcastGroupEvent } func (s *IGMPSnooper) HandlePacketIn(pktIn *ofctrl.PacketIn) error { @@ -93,7 +99,7 @@ func (s *IGMPSnooper) parseSrcInterface(pktIn *ofctrl.PacketIn) (*interfacestore func (s *IGMPSnooper) queryIGMP(group net.IP, versions []uint8) error { for _, version := range versions { - igmp, err := generateIGMPQueryPacket(group, version, s.queryInterval) + igmp, err := generateIGMPQueryPacket(group, version) if err != nil { return err } @@ -165,7 +171,7 @@ func (s *IGMPSnooper) processPacketIn(pktIn *ofctrl.PacketIn) error { return nil } -func generateIGMPQueryPacket(group net.IP, version uint8, queryInterval time.Duration) (util.Message, error) { +func generateIGMPQueryPacket(group net.IP, version uint8) (util.Message, error) { // The max response time field in IGMP protocol uses a value in units of 1/10 second. // See https://datatracker.ietf.org/doc/html/rfc2236 and https://datatracker.ietf.org/doc/html/rfc3376 respTime := uint8(igmpMaxResponseTime.Seconds() * 10) @@ -236,8 +242,8 @@ func parseIGMPPacket(pkt protocol.Ethernet) (protocol.IGMPMessage, error) { } } -func newSnooper(ofClient openflow.Client, ifaceStore interfacestore.InterfaceStore, eventCh chan *mcastGroupEvent, queryInterval time.Duration) *IGMPSnooper { - d := &IGMPSnooper{ofClient: ofClient, ifaceStore: ifaceStore, eventCh: eventCh, queryInterval: queryInterval} +func newSnooper(ofClient openflow.Client, ifaceStore interfacestore.InterfaceStore, eventCh chan *mcastGroupEvent) *IGMPSnooper { + d := &IGMPSnooper{ofClient: ofClient, ifaceStore: ifaceStore, eventCh: eventCh} ofClient.RegisterPacketInHandler(uint8(openflow.PacketInReasonMC), "MulticastGroupDiscovery", d) return d } 
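Review bot: The Max Resp Code conversion in `generateIGMPQueryPacket`, `respTime := uint8(igmpMaxResponseTime.Seconds() * 10)`, truncates silently: the field is 8 bits of tenths of a second, so any `igmpMaxResponseTime` above 25.5 s wraps, and for IGMPv3 (RFC 3376 §4.1.1) codes of 128 and above are an exponent/mantissa encoding rather than plain tenths, so values from 12.8 s upward would be emitted with the wrong meaning to v3 hosts. The value of `igmpMaxResponseTime` and the rest of the body are outside the hunk, so this may be fine today, but the constraint should be explicit, either as a comment above the line, `// Max Resp Code is 8 bits of 1/10 s (plain in v2, exp/mantissa form above 128 in v3); igmpMaxResponseTime must stay below 12.8s.`, or as a guard that returns an error when the product exceeds the representable range.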
diff --git a/pkg/config/agent/config.go b/pkg/config/agent/config.go index 4604434c930..427fe4f42b8 100644 --- a/pkg/config/agent/config.go +++ b/pkg/config/agent/config.go @@ -186,8 +186,9 @@ type AgentConfig struct { // 2. TransportInterfaceCIDRs // 3. The Node IP TransportInterfaceCIDRs []string `yaml:"transportInterfaceCIDRs,omitempty"` - // Multicast configuration options. - Multicast MulticastConfig `yaml:"multicast,omitempty"` + // The names of the interfaces on Nodes that are used to forward multicast traffic. + // Defaults to transport interface if not set. + MulticastInterfaces []string `yaml:"multicastInterfaces,omitempty"` // AntreaProxy contains AntreaProxy related configuration options. AntreaProxy AntreaProxyConfig `yaml:"antreaProxy,omitempty"` // Egress related configurations. @@ -236,15 +237,6 @@ type NodePortLocalConfig struct { PortRange string `yaml:"portRange,omitempty"` } -type MulticastConfig struct { - // The names of the interfaces on Nodes that are used to forward multicast traffic. - // Defaults to transport interface if not set. - MulticastInterfaces []string `yaml:"multicastInterfaces,omitempty"` - // The interval for antrea-agent to send IGMP queries to Pods. - // Defaults to 125 seconds. - IGMPQueryInterval string `yaml:"igmpQueryInterval"` -} - type EgressConfig struct { ExceptCIDRs []string `yaml:"exceptCIDRs,omitempty"` } diff --git a/test/e2e/framework.go b/test/e2e/framework.go index 0c626a767cc..688f470e67d 100644 --- a/test/e2e/framework.go +++ b/test/e2e/framework.go @@ -2082,7 +2082,7 @@ func (data *TestData) GetMulticastInterfaces(antreaNamespace string) ([]string, if err != nil { return []string{}, err } - return agentConf.Multicast.MulticastInterfaces, nil + return agentConf.MulticastInterfaces, nil } func GetTransportInterface(data *TestData) (string, error) {
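Review bot: The restored comment on `MulticastInterfaces`, `Defaults to transport interface if not set`, does not describe how the agent uses the field: the agent.go hunk in this same commit does `append(o.config.MulticastInterfaces, nodeConfig.NodeTransportInterfaceName)` unconditionally, so the transport interface is always included whether or not the list is set. This struct is the user-facing schema for antrea-agent.conf, so it should state the real behaviour, e.g. `// Names of the interfaces on Nodes that are used to forward multicast traffic. The Node's transport interface is always included in addition to any listed here.`, and the Helm README/values wording this commit restores should say the same. The enclosing `AgentConfig` struct starts and ends outside the hunk.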