Merge pull request #4110 from antrea-io/feature/externalnode

Supports running Antrea Agent on a virtual machine or a bare-metal server which is not a Kubernetes Node, and enforcing Antrea NetworkPolicy for the VM/BM.
antrea-io · Aug 15, 2022 · 65b62cc · 65b62cc
2 parents 39b0eb5 + e73b3c3
commit 65b62cc
Show file tree

Hide file tree

Showing 97 changed files with 7,890 additions and 829 deletions.
diff --git a/build/charts/antrea/README.md b/build/charts/antrea/README.md
@@ -54,6 +54,7 @@ Kubernetes: `>= 1.16.0-0`
 | controller.antreaController.logFileMaxNum | int | `4` | Max number of log files. |
 | controller.antreaController.logFileMaxSize | int | `100` | Max size in MBs of any single log file. |
 | controller.antreaController.resources | object | `{"requests":{"cpu":"200m"}}` | Resource requests and limits for the antrea-controller container. |
+| controller.apiNodePort | int | `0` | NodePort for the antrea-controller APIServer to server on. |
 | controller.apiPort | int | `10349` | Port for the antrea-controller APIServer to serve on. |
 | controller.enablePrometheusMetrics | bool | `true` | Enable metrics exposure via Prometheus. |
 | controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node selector for the antrea-controller Pod. |

diff --git a/build/charts/antrea/conf/antrea-controller.conf b/build/charts/antrea/conf/antrea-controller.conf
@@ -37,6 +37,9 @@ featureGates:
 # Enable certificated-based authentication for IPsec.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "IPsecCertAuth" "default" false) }}
 
+# Enable managing ExternalNode for unmanaged VM/BM.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "ExternalNode" "default" false) }}
+
 # The port for the antrea-controller APIServer to serve on.
 # Note that if it's set to another value, the `containerPort` of the `api` port of the
 # `antrea-controller` container must be set to the same value.

diff --git a/build/charts/antrea/crds/externalnode.yaml b/build/charts/antrea/crds/externalnode.yaml
@@ -0,0 +1,49 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  labels:
+    app: antrea
+  name: externalnodes.crd.antrea.io
+spec:
+  group: crd.antrea.io
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          type: object
+          required:
+            - spec
+          properties:
+            spec:
+              type: object
+              required:
+                - interfaces
+              properties:
+                interfaces:
+                  type: array
+                  minItems: 1
+                  maxItems: 1
+                  required:
+                    - ips
+                  items:
+                    type: object
+                    properties:
+                      ips:
+                        type: array
+                        minItems: 1
+                        items:
+                          type: string
+                          oneOf:
+                            - format: ipv4
+                            - format: ipv6
+                      name:
+                        type: string
+      served: true
+      storage: true
+  scope: Namespaced
+  names:
+    kind: ExternalNode
+    plural: externalnodes
+    shortNames:
+      - en
+    singular: externalnode
diff --git a/build/charts/antrea/crds/networkpolicy.yaml b/build/charts/antrea/crds/networkpolicy.yaml
@@ -57,6 +57,30 @@ spec:
                     type: object
                     # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field
                     properties:
+                      externalEntitySelector:
+                        type: object
+                        properties:
+                          matchExpressions:
+                            type: array
+                            items:
+                              type: object
+                              properties:
+                                key:
+                                  type: string
+                                operator:
+                                  enum:
+                                    - In
+                                    - NotIn
+                                    - Exists
+                                    - DoesNotExist
+                                  type: string
+                                values:
+                                  type: array
+                                  items:
+                                    type: string
+                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+                          matchLabels:
+                            x-kubernetes-preserve-unknown-fields: true
                       podSelector:
                         type: object
                         properties:

diff --git a/build/charts/antrea/templates/agent/clusterrole.yaml b/build/charts/antrea/templates/agent/clusterrole.yaml
@@ -57,9 +57,7 @@ rules:
       - antreaagentinfos
     verbs:
       - get
-      - create
       - update
-      - delete
   - apiGroups:
       - controlplane.antrea.io
     resources:

diff --git a/build/charts/antrea/templates/controller/clusterrole.yaml b/build/charts/antrea/templates/controller/clusterrole.yaml
@@ -179,6 +179,7 @@ rules:
       - antreaagentinfos
     verbs:
       - list
+      - create
       - delete
   - apiGroups:
       - crd.antrea.io
@@ -273,6 +274,14 @@ rules:
     verbs:
       - update
       - patch
+  - apiGroups:
+      - crd.antrea.io
+    resources:
+      - externalnodes
+    verbs:
+      - get
+      - watch
+      - list
   - apiGroups:
       - apps
     resources:

diff --git a/build/charts/antrea/templates/controller/service.yaml b/build/charts/antrea/templates/controller/service.yaml
@@ -6,10 +6,16 @@ metadata:
   labels:
     app: antrea
 spec:
+  {{- if .Values.controller.apiNodePort }}
+  type: NodePort
+  {{- end }}
   ports:
     - port: 443
       protocol: TCP
       targetPort: api
+      {{- if .Values.controller.apiNodePort }}
+      nodePort: {{ .Values.controller.apiNodePort }}
+      {{- end }}
   selector:
     app: antrea
     component: antrea-controller
diff --git a/build/charts/antrea/templates/webhooks/validating/crdvalidator.yaml b/build/charts/antrea/templates/webhooks/validating/crdvalidator.yaml
@@ -124,4 +124,4 @@ webhooks:
         scope: "Cluster"
     admissionReviewVersions: ["v1", "v1beta1"]
     sideEffects: None
-    timeoutSeconds: 5
+    timeoutSeconds: 5
diff --git a/build/charts/antrea/values.yaml b/build/charts/antrea/values.yaml
@@ -211,6 +211,8 @@ agent:
 controller:
   # -- Port for the antrea-controller APIServer to serve on.
   apiPort: 10349
+  # -- NodePort for the antrea-controller APIServer to server on.
+  apiNodePort: 0
   # -- Enable metrics exposure via Prometheus.
   enablePrometheusMetrics: true
   # -- Annotations to be added to antrea-controller Pod.

diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
@@ -1302,6 +1302,57 @@ spec:
       - eip
 
 ---
+# Source: crds/externalnode.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  labels:
+    app: antrea
+  name: externalnodes.crd.antrea.io
+spec:
+  group: crd.antrea.io
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          type: object
+          required:
+            - spec
+          properties:
+            spec:
+              type: object
+              required:
+                - interfaces
+              properties:
+                interfaces:
+                  type: array
+                  minItems: 1
+                  maxItems: 1
+                  required:
+                    - ips
+                  items:
+                    type: object
+                    properties:
+                      ips:
+                        type: array
+                        minItems: 1
+                        items:
+                          type: string
+                          oneOf:
+                            - format: ipv4
+                            - format: ipv6
+                      name:
+                        type: string
+      served: true
+      storage: true
+  scope: Namespaced
+  names:
+    kind: ExternalNode
+    plural: externalnodes
+    shortNames:
+      - en
+    singular: externalnode
+---
 # Source: crds/ippool.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
@@ -1496,6 +1547,30 @@ spec:
                     type: object
                     # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field
                     properties:
+                      externalEntitySelector:
+                        type: object
+                        properties:
+                          matchExpressions:
+                            type: array
+                            items:
+                              type: object
+                              properties:
+                                key:
+                                  type: string
+                                operator:
+                                  enum:
+                                    - In
+                                    - NotIn
+                                    - Exists
+                                    - DoesNotExist
+                                  type: string
+                                values:
+                                  type: array
+                                  items:
+                                    type: string
+                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+                          matchLabels:
+                            x-kubernetes-preserve-unknown-fields: true
                       podSelector:
                         type: object
                         properties:
@@ -2976,6 +3051,9 @@ data:
     # Enable certificated-based authentication for IPsec.
     #  IPsecCertAuth: false
 
+    # Enable managing ExternalNode for unmanaged VM/BM.
+    #  ExternalNode: false
+
     # The port for the antrea-controller APIServer to serve on.
     # Note that if it's set to another value, the `containerPort` of the `api` port of the
     # `antrea-controller` container must be set to the same value.
@@ -3222,9 +3300,7 @@ rules:
       - antreaagentinfos
     verbs:
       - get
-      - create
       - update
-      - delete
   - apiGroups:
       - controlplane.antrea.io
     resources:
@@ -3630,6 +3706,7 @@ rules:
       - antreaagentinfos
     verbs:
       - list
+      - create
       - delete
   - apiGroups:
       - crd.antrea.io
@@ -3724,6 +3801,14 @@ rules:
     verbs:
       - update
       - patch
+  - apiGroups:
+      - crd.antrea.io
+    resources:
+      - externalnodes
+    verbs:
+      - get
+      - watch
+      - list
   - apiGroups:
       - apps
     resources:
@@ -3909,7 +3994,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 814300ca95f9d7451131665ebed709cb7639deec890e2ff5ae4c357ae9b00c41
+        checksum/config: 10aaed69b06e12d9e08fec773f3164817261a1ee026566721b4013f7e614bcbd
       labels:
         app: antrea
         component: antrea-agent
@@ -4150,7 +4235,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 814300ca95f9d7451131665ebed709cb7639deec890e2ff5ae4c357ae9b00c41
+        checksum/config: 10aaed69b06e12d9e08fec773f3164817261a1ee026566721b4013f7e614bcbd
       labels:
         app: antrea
         component: antrea-controller