Releases: antrea-io/antrea
Release v1.12.2
Changed
- Change the default flow's action to drop in ARPSpoofGuardTable to effectively prevent ARP spoofing. (#5378, @hongliangl)
- Stop using /bin/sh and invoke the binary directly for OVS commands in Antrea Agent. (#5364, @antoninbas)
- Increase the rate limit setting of PacketInMeter and the size of PacketInQueue. (#5460, @GraysonWu)
- Revert a change to serve the v1alpha2 version of the ClusterGroup CRD again for the consistent API promotion plan. (#5277, @GraysonWu)
- Upgrade Open vSwitch to 2.17.7. (#5225, @antoninbas)
Fixed
- Fix an Antrea Controller crash issue in handling empty Pod labels for LabelIdentity when the config enableStretchedNetworkPolicy is enabled for Antrea Multi-cluster. (#5404 #5449, @Dyanngg)
- Remove NetworkPolicyStats dependency of MulticastGroup API to fix the empty list issue when users run kubectl get multicastgroups even when the Multicast is enabled. (#5367, @ceclinux)
- Do not attempt to join Windows agents to the memberlist cluster to avoid misleading error logs. (#5434, @tnqn)
- Fix the burst setting of the PacketInQueue to reduce the DNS response delay when a Pod has any FQDN policy applied. (#5456, @tnqn)
- Use OpenFlow group for Network Policy logging to avoid packet drops when massive connections hit the policy. (#5061, @wenyingd)
Release v1.13.1
Changed
- Change the default flow's action to drop in ARPSpoofGuardTable to effectively prevent ARP spoofing. (#5378, @hongliangl)
- Stop using /bin/sh and invoke the binary directly for OVS commands in Antrea Agent. (#5364, @antoninbas)
- Increase the rate limit setting of PacketInMeter and the size of PacketInQueue. (#5460, @GraysonWu)
Fixed
- Fix an Antrea Controller crash issue in handling empty Pod labels for LabelIdentity when the config enableStretchedNetworkPolicy is enabled for Antrea Multi-cluster. (#5404 #5449, @Dyanngg)
- Remove NetworkPolicyStats dependency of MulticastGroup API to fix the empty list issue when users run kubectl get multicastgroups even when the Multicast is enabled. (#5367, @ceclinux)
- Fix a bug that ClusterSet status is not updated in Antrea Multi-cluster. (#5338, @luolanzone)
- Always initialize ovs_meter_packet_dropped_count metrics to fix a bug that the metrics are not showing up if OVS Meter is not supported on the system. (#5413, @tnqn)
- Unify TCP and UDP DNS interception flows to fix invalid flow matching for DNS responses. (#5392, @GraysonWu)
- Fix an issue that antctl proxy is not using the user specified port. (#5435, @tnqn)
- Do not attempt to join Windows agents to the memberlist cluster to avoid misleading error logs. (#5434, @tnqn)
- Fix the burst setting of the PacketInQueue to reduce the DNS response delay when a Pod has any FQDN policy applied. (#5456, @tnqn)
Release v1.11.3
Changed
- Change the default flow's action to drop in ARPSpoofGuardTable to effectively prevent ARP spoofing. (#5378, @hongliangl)
- Stop using /bin/sh and invoke the binary directly for OVS commands in Antrea Agent. (#5364, @antoninbas)
- Increase the rate limit setting of PacketInMeter and the size of PacketInQueue. (#5460, @GraysonWu)
- Upgrade Open vSwitch to 2.17.7. (#5225, @antoninbas)
Fixed
- Fix IPv4 groups containing IPv6 endpoints mistakenly in dual-stack clusters in AntreaProxy implementation. (#5194, @tnqn)
- Fix ClusterClaim webhook bug to avoid ClusterClaim deletion failure. (#5075, @luolanzone)
- Ensure the Egress IP is always correctly advertised to the network, including when the userspace ARP responder is not running or when the Egress IP is temporarily claimed by multiple Nodes. (#5127, @tnqn)
- Fix status report when no-op changes are applied to Antrea-native policies. (#5096, @tnqn)
- Bump up libOpenflow version to fix a PacketIn response parse error. (#5157, @wenyingd)
- Remove NetworkPolicyStats dependency of MulticastGroup API to fix the empty list issue when users run kubectl get multicastgroups even when the Multicast is enabled. (#5367, @ceclinux)
- Fix an Antrea Controller crash issue in handling empty Pod labels for LabelIdentity when the config enableStretchedNetworkPolicy is enabled for Antrea Multi-cluster. (#5404 #5449, @Dyanngg)
- Do not attempt to join Windows agents to the memberlist cluster to avoid misleading error logs. (#5434, @tnqn)
- Fix the burst setting of the PacketInQueue to reduce the DNS response delay when a Pod has any FQDN policy applied. (#5456, @tnqn)
Release v1.13.0
Added
- Add AdminNetworkPolicy support in Antrea to align with K8s NetworkPolicy API, and document the introduction and usage. (#5170 #5270, [@Dyanngg])
- Support DSR mode for Service's external addresses in AntreaProxy, including LoadBalancerIPs and ExternalIPs. (#5202 #5251, [@tnqn])
- Containerize Windows userspace OVS processes and run them in a container of the Antrea Agent Pod to align with the Linux design. (#4936 #5052 #5303, [@rajnkamr] @Atish-iaf)
- Add a new option ContainerRuntime to allow users to configure the container runtime while using the script Prepare-Node.ps1 on K8s Windows Node. (#5071, [@NamanAg30])
- Add support for TLS, HTTP, and HTTPS protocols for FlowAggregator to connect to the ClickHouse DB, and allow users to specify the CA certificate for TLS and HTTPS. (#5171, [@yuntanghsu])
- Enhance Antrea L7 NetworkPolicy to support the TLS protocol. (#4932, [@hongliangl])
- Add command antctl upgrade api-storage in antctl to support resource storage version migration for Antrea CRDs. (#5198, [@hongliangl])
- Add support for removing the associated stale conntrack entries when UDP Endpoints are removed, with which UDP requests can be redirected to other Endpoints immediately rather than waiting for the conntrack entries to expire. (#5112, [@hongliangl])
- Add Egress information to flow records for Pod-to-external flows in FlowExporter. (#5088, [@dreamtalen])
- Increase accuracy of Pod information in the flow records by adding a Pod store in FlowExporter and FlowAggregator for them to fetch the Pod information. (#5185, [@yuntanghsu])
- Add support for Service annotation service.kubernetes.io/topology-mode in AntreaProxy since the old service.kubernetes.io/topology-aware-hints annotation has been deprecated in Kubernetes 1.27. (#5241, [@mengdie-song])
- Support the well-known label service.kubernetes.io/service-proxy-name in AntreaProxy to align with KEP 2447. (#4973, [@hongliangl])
- Add a new Prometheus metric to represent the number of packets dropped by OVS meter. (#5165, [@mengdie-song])
- Add support for the sort-by flag in more antctl get commands for more fields. (#4346, [@jainpulkit22])
- Add the kubeAPIServerOverride option to allow users to override the kube-apiserver address for antrea-controller. (#5056, [@tnqn])
- Add documentation for deploying Antrea with a Rancher cluster. (#4733, [@jainpulkit22])
Changed
- Multiple APIs are promoted from alpha to beta. The alpha versions are deprecated and will be removed in a future release.
  - Promote ClusterGroup and Group to v1beta1. (#5181, [@GraysonWu])
  - Promote ExternalIPPool API to v1beta1. (#5176, [@hongliangl])
  - Promote Tier API to v1beta1. (#5172, [@GraysonWu])
  - Promote Egress API to v1beta1. (#5180, [@wenqiq])
  - Promote AntreaClusterNetworkPolicy and AntreaNativeNetworkPolicy API to v1beta1. (#5186, [@GraysonWu])
  - Promote Traceflow API to v1beta1. (#5108, [@luolanzone])
- Add a validation schema for the matchLabels field of the ExternalIPPool CRD. (#5284, [@tnqn])
- Enable proxyAll by default for AntreaProxy on Windows because the kube-proxy userspace datapath has been removed since Kubernetes 1.26. (#4980, [@XinShuYang])
- Change default port range of NodePortLocal on Windows to 40000-41000 to avoid conflicts with the Windows default dynamic port range. (#5107, [@XinShuYang])
- Remove the ClusterClaim CRD and upgrade the ClusterSet CRD version to v1alpha2, and enhance the ClusterSet controller to support ClusterSet version upgrade. (#5001 #5250, [@luolanzone])
- Increase the controller QPS setting in Multi-cluster Controller to improve multi-cluster resource export performance, and increase the LabelIdentity controller worker count to improve its performance. (#5099, [@GraysonWu])
- Improve direct connections to the Antrea apiserver in antctl with accessibility to Node ExternalIP and add a new --insecure option to support both secure and insecure connections. (#5135, [@antoninbas])
- Add two new fields to audit logs, including the "direction" of the NP rule (Ingress or Egress) and the reference of the Pod (<Namespace>/<Name>) to which the NP rule is applied. (#5101, [@antoninbas])
- Add a FlowExporter configuration toggle to antrea-agent for users to explicitly enable/disable flow exports. (#5021, [@yuntanghsu])
- Add OpenAPI schema for the AntreaAgentInfo and AntreaControllerInfo CRDs. (#5206, [@ceclinux])
- Update short-name for AntreaNetworkPolicy to ANNP. (#5081, [@qiyueyao])
- Use syscall to query or operate network adapters on Windows to reduce operation delay. (#4898, [@wenyingd] [@qiyueyao])
- Update out-of-date audit logs docs for new log fields. (#5199, [@cr7258])
- Switch to structured logging and change the verbosity of a potentially misleading Info log in the Antrea NetworkPolicy reconciler. (#5048, [@antoninbas])
- Revert a change to serve the v1alpha2 version of the ClusterGroup CRD again for the consistent API promotion plan. (#5277, [@GraysonWu])
- Upgrade Open vSwitch to version 2.17.7. (#5225, [@antoninbas])
- Upgrade Windows Open vSwitch to version 3.0.5. (#5120, [@wenyingd])
- Upgrade ClickHouse go client to v2. (#5020, [@heanlan])
- Remove Antrea Octant plugin. (#5049, [@antoninbas])
Fixed
- Bump up libOpenflow and ofnet library versions to fix a PacketIn2 response parse error. (#5154, [@wenyingd])
- Bump up libOpenflow library to v0.12.1 to fix an antrea-agent crash issue when marshaling the IGMPv3 query packet. (#5320, [@ceclinux])
- Use OpenFlow group for Network Policy logging to avoid packet drops when massive connections hit the policy. (#5061, [@wenyingd])
- Fix an issue in Antrea-native policies with FQDN rules where TCP src port is unset on the TCP DNS response flow. (#5078, [@wenyingd])
- Fix status report when no-op changes are applied to Antrea-native policies. (#5096, [@tnqn])
- Ensure the Egress IP is always correctly advertised to the network, including when the userspace ARP responder is not running or when the Egress IP is temporarily claimed by multiple Nodes. (#5127, [@tnqn])
- Fix incorrect FlowMod message passing in the modifyFlows function of the OpenFlow client to avoid unexpected flow error. (#5125, [@Dyanngg])
- Fix a bug that antrea-agent fails to delete the ExternalNode CR when it runs on a RHEL 8.4 VM on Azure cloud. (#5191, [@wenyingd])
- Fix IPv4 groups containing IPv6 endpoints mistakenly in dual-stack clusters in AntreaProxy implementation. (#5194, [@tnqn])
- Fix RBAC permissions for the Antctl ClusterRole to ensure the ClusterRole definition is up-to-date. (#5166, [@antoninbas])
- Fix some code examples in a few documents. (#5182, [@tnqn])
- Add apiVersion and kind for unstructured objects in antctl mc codes to fix a rollback failure. (#5138, [@luolanzone])
- Fix a ClusterClaim webhook bug that can lead to ClusterClaim deletion failures. (#5075, [@luolanzone])
- Revise "antctl mc deploy" command to fix a Multi-cluster deployment failure on EKS clusters. (#5080, [@luolanzone])
Release v1.12.1
Fixed
- Bump up libOpenflow and ofnet versions to fix a PacketIn2 response parse error. (#5154, @wenyingd)
- Fix incorrect FlowMod message passing in the modifyFlows function of the OpenFlow client to avoid unexpected flow error. (#5125, @Dyanngg)
- Ensure the Egress IP is always correctly advertised to the network, including when the userspace ARP responder is not running or when the Egress IP is temporarily claimed by multiple Nodes. (#5127, @tnqn)
- Fix ClusterClaim webhook bug to avoid ClusterClaim deletion failure. (#5075, @luolanzone)
- Fix an issue in ANP with FQDN rules where TCP src port is unset on the TCP DNS response flow. (#5078, @wenyingd)
- Fix status report when no-op changes are applied to Antrea-native policies. (#5096, @tnqn)
- Fix IPv4 groups containing IPv6 endpoints mistakenly in dual-stack clusters in AntreaProxy implementation. (#5194, @tnqn)
Release v1.11.2
Changed
Fixed
- In Antrea Agent Service CIDR discovery, prevent headless Services from updating the discovered Service CIDR to avoid overwriting the default route of host network unexpectedly. (#5008, @hongliangl)
- Use LOCAL instead of CONTROLLER as the in_port of packet-out messages to fix a Windows agent crash issue. (#4992, @tnqn)
- Fix a bug that a deleted NetworkPolicy is still enforced when a new NetworkPolicy with the same name exists. (#4986, @tnqn)
- Improve Windows cleanup scripts to avoid unexpected failures. (#4722, @wenyingd)
- Fix a race condition between stale controller and ResourceImport reconcilers in Antrea Multi-cluster controller. (#4853, @Dyanngg)
- Make FQDN NetworkPolicy work for upper case FQDNs. (#4934, @GraysonWu)
- Run agent modules that rely on Services access after AntreaProxy is ready to fix a Windows agent crash issue. (#4946, @tnqn)
- Fix the Antrea Agent crash issue which is caused by a concurrency bug in Multicast feature with encap mode. (#4903, @ceclinux)
Release v1.10.1
Changed
- Decrease log verbosity value for antrea-agent specified in the Windows manifest for containerd from 4 to 0. (#4676, @XinShuYang)
- Ensure cni folders are created when starting antrea-agent with containerd on Windows. (#4685, @XinShuYang)
- Document the limit of maximum receiver group number on a Linux Node for multicast. (#4850, @ceclinux)
- Update Open vSwitch to 2.17.6 (#4959, @tnqn)
- Bump up whereabouts to v0.6.1. (#4988, @hjiajing)
Fixed
- Ensure NO_FLOOD is always set for IPsec tunnel ports and TrafficControl ports. (#4419 #4654 #4674, @xliuxu @tnqn)
- Fix Service routes being deleted on Agent startup on Windows. (#4470, @hongliangl)
- Fix route deletion for Service ClusterIP and LoadBalancerIP when AntreaProxy is enabled. (#4711, @tnqn)
- Fix OpenFlow Group being reused with wrong type because groupDb cache was not cleaned up. (#4592, @ceclinux)
- Fix antctl not being able to talk with GCP kube-apiserver due to missing platform-specific imports. (#4494, @luolanzone)
- Fix Agent crash in dual-stack clusters when any Node is not configured with an IP address for each address family. (#4480, @hongliangl)
- Fix Service not being updated correctly when stickyMaxAgeSeconds or InternalTrafficPolicy is updated. (#4845, @tnqn)
- Fix the Antrea Agent crash issue when a large amount of multicast receivers with different multicast IPs on one Node start together. (#4870, @ceclinux)
- Fix the Antrea Agent crash issue which is caused by a concurrency bug in Multicast feature with encap mode. (#4903, @ceclinux)
- Fix the Antrea Agent crash issue on Windows by running modules that rely on Services after AntreaProxy is ready. (#4946, @tnqn)
- Make FQDN NetworkPolicy work for upper case DNS. (#4934, @GraysonWu)
- Fix a bug that a deleted NetworkPolicy is still enforced when a new NetworkPolicy with the same name exists. (#4986, @tnqn)
- Fix a race condition between stale controller and ResourceImport reconcilers in Antrea Multi-cluster controller. (#4853, @Dyanngg)
- Recover the ovsdb-server and ovs-vswitchd services if they do not exist when running the Windows cleanup script. (#4722, @wenyingd)
Release v1.12.0
The Multicast, TopologyAwareHints, and NodeIPAM features are graduated from Alpha to Beta. The TopologyAwareHints and NodeIPAM features are enabled by default. Multicast can be enabled with a new Antrea Agent configuration parameter: multicast.enable.
Added
- Add two new fields sourcePort and sourceEndPort in Antrea-native policy API to match traffic initiated from specific ports. (#4687, @Dyanngg)
- Add a new field logLabel to Antrea-native policy CRDs; the user-provided label is added to audit logs. (#4748, @qiyueyao)
- Add Antrea Controller API for querying Antrea Groups and ClusterGroups by IP addresses. (#4807, @Dyanngg)
- Add a new Antrea Controller configuration clientCAFile to allow user to specify client CA. (#4664, @wenyingd)
- Add support for ExternalIP in AntreaProxy to allow a Service to be accessed from outside the cluster using an external IP address. (#4866, @hongliangl)
- Add WireGuard tunnel mode for Antrea Multi-cluster to support encryption of the traffic between member clusters. (#4737 #4606 #4848, @hjiajing)
  - Refer to the Antrea Multi-cluster user guide for more information about this feature.
- Add support for EndpointSlice API for Multi-cluster Services. When the EndpointSlice API is available for the cluster, EndpointSlice resources of the exported Service, rather than the Endpoints resource, will be processed. (#4895, @luolanzone)
- Add a new exporter to FlowAggregator to write flows to a local file. (#4855, @antoninbas)
- Add openEuler 22.03 as a new supported OS of Antrea, and update the Kubernetes installer document with the information. (#4957, @ceclinux)
Changed
- Deprecate Antrea Octant Plugin; it is replaced by a dedicated Antrea UI. (#4825, @antoninbas)
- Update Open vSwitch version to 2.17.6. (#4959, @tnqn)
- Update Windows OVS version to 2.16.7. (#4705, @XinShuYang)
- Add status.egressIP field for Egress to represent the effective Egress IP. (#4603, @tnqn)
- Add a new Failed phase in ANP status for the case when all Agents have reported the status and at least one failure is received. (#4608, @wenyingd)
- Check the existence of AntreaAgentInfo CRD before operating on it for worker Node or ExternalNode. (#4762, @wenyingd)
- Stop serving v1alpha2 version of the ClusterGroup CRD. (#4812, @antoninbas)
- Optimize the cached flows in Antrea Agent to reduce Agent memory usage. (#4495, @wenyingd)
- Replace PacketIn/Controller with PacketIn2/Controller2 to improve packetin handler. (#4768, @GraysonWu)
- Change to look up Pods by name instead of IP address to fetch labels in Flow Aggregator, to avoid obtaining incorrect Pods when Pod turnover is high. (#4942, @dreamtalen)
- Do not export Services of type ExternalName in Antrea Multi-cluster; this is consistent with the upstream Multi-cluster Service KEP. (#4814, @luolanzone)
- Update Multi-cluster user guide to provide more details for Gateway enablement. (#4889, @luolanzone)
- Update documentation for recent MetalLB versions. (#4803, @antoninbas)
- Add support for short-circuiting in AntreaProxy to ensure that the traffic from Pod/Node clients to external addresses behaves the same way as the traffic from external clients to external addresses. (#4815, @hongliangl)
- Add OVS table name as label for ovs_flow_count Prometheus metrics. (#4893, @cr7258)
- Make IGMP query versions configurable for Antrea Multicast. (#4876, @ceclinux)
- Document the limit of maximum receiver group number on a Linux Node for Antrea Multicast. (#4850, @ceclinux)
- Upgrade K8s libraries to v0.26.4. (#4935, @heanlan)
- Bump up whereabouts to v0.6.1. (#4988, @hjiajing)
Fixed
- Unify AntreaProxy behavior across Linux and Windows. Windows agents now configure only a single route for all Service ClusterIPs and can restore routes after they are deleted by accident. (#3889, @hongliangl)
- Use LOCAL instead of CONTROLLER as the in_port of packet-out messages to fix a Windows agent crash issue. (#4992, @tnqn)
- Run agent modules that rely on Services access after AntreaProxy is ready to fix a Windows agent crash issue. (#4946, @tnqn)
- Improve Windows cleanup scripts to avoid unexpected failures. (#4722 #5013, @wenyingd)
- Fix a bug that a deleted NetworkPolicy is still enforced when a new NetworkPolicy with the same name exists. (#4986, @tnqn)
- Make FQDN NetworkPolicy work for upper case FQDNs. (#4934, @GraysonWu)
- Fix a bug that K8s NetworkPolicy audit logging doesn't work for Service access. (#4780, @qiyueyao)
- Fix Service not being updated correctly when stickyMaxAgeSeconds or InternalTrafficPolicy is updated. (#4845, @tnqn)
- Fix EndpointSlice API availability check to resolve the issue that AntreaProxy always falls back to the Endpoints API when EndpointSlice is enabled. (#4852, @tnqn)
- In Antrea Agent Service CIDR discovery, prevent headless Services from updating the discovered Service CIDR to avoid overwriting the default route of host network unexpectedly. (#5008, @hongliangl)
- Fix the Antrea Agent crash issue when a large amount of multicast receivers with different multicast IPs on one Node start together. (#4870, @ceclinux)
- Fix the Antrea Agent crash issue which is caused by a concurrency bug in Multicast feature with encap mode. (#4903, @ceclinux)
- Use a random port when the UDP source port in a Traceflow is 0. (#4963, @gran-vmv)
- Set default flag to 2 for TCP Traceflow to fix a Traceflow timeout issue when the flag is not provided. (#4948, @luolanzone)
- Fix concurrent map write bug for LabelIdentity controller in Antrea Multi-cluster. (#4994, @Dyanngg)
- Fix a race condition between stale controller and ResourceImport reconcilers in Antrea Multi-cluster controller. (#4853, @Dyanngg)
- Bump up Suricata to 6.0.12 to fix a L7 NetworkPolicy issue. (#4968, @xliuxu)
- Fix discovered Service CIDR flapping on Agent start. (#5017, @tnqn)
Release v1.11.1
Changed
- Document the limit of maximum receiver group number on a Linux Node for multicast. (#4850, @ceclinux)
Fixed
- Fix Service not being updated correctly when stickyMaxAgeSeconds or InternalTrafficPolicy is updated. (#4845, @tnqn)
- Fix EndpointSlice API availability check to resolve the issue that AntreaProxy always falls back to the Endpoints API when EndpointSlice is enabled. (#4852, @tnqn)
- Fix the Antrea Agent crash issue when a large amount of multicast receivers with different multicast IPs on one Node start together. (#4870, @ceclinux)
Release v1.9.1
Changed
- Upgrade Antrea base image to ubuntu:22.04. (#4459 #4499, @antoninbas)
Fixed
- Ensure NO_FLOOD is always set for IPsec tunnel ports and TrafficControl ports. (#4419 #4654 #4674, @xliuxu @tnqn)
- Fix Service routes being deleted on Agent startup on Windows. (#4470, @hongliangl)
- Fix route deletion for Service ClusterIP and LoadBalancerIP when AntreaProxy is enabled. (#4711, @tnqn)
- Fix OpenFlow Group being reused with wrong type because groupDb cache was not cleaned up. (#4592, @ceclinux)
- Add a periodic job to rejoin dead Nodes to fix Egress not working properly after long network downtime. (#4491, @tnqn)
- Fix Agent crash in dual-stack clusters when any Node is not configured with an IP address for each address family. (#4480, @hongliangl)
- Fix potential deadlocks and memory leaks of memberlist maintenance in large-scale clusters. (#4469, @wenyingd)
- Fix connectivity issues caused by MAC address changes with systemd v242 and later. (#4428, @wenyingd)
- Fix a ClusterInfo export bug when Multi-cluster Gateway changes. (#4412, @luolanzone)
- Fix OpenFlow rules not being updated when Multi-cluster Gateway updates. (#4388, @luolanzone)
- Set no-flood config with ports for TrafficControl after Agent restarting. (#4318, @hongliangl)