/
antrea-agent.conf
375 lines (320 loc) · 20.7 KB
/
antrea-agent.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
# FeatureGates is a map of feature names to bools that enable or disable experimental features.
featureGates:
# AllAlpha is a global toggle for alpha features. Per-feature key values override the default set by AllAlpha.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "AllAlpha" "default" false) }}
# AllBeta is a global toggle for beta features. Per-feature key values override the default set by AllBeta.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "AllBeta" "default" false) }}
# Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent.
# It should be enabled on Windows, otherwise NetworkPolicy will not take effect on
# Service traffic.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "AntreaProxy" "default" true) }}
# Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice
# API version v1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled,
# this flag will not take effect.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "EndpointSlice" "default" true) }}
# Enable TopologyAwareHints in AntreaProxy. This requires AntreaProxy and EndpointSlice to be
# enabled, otherwise this flag will not take effect.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "TopologyAwareHints" "default" false) }}
# Enable traceflow which provides packet tracing feature to diagnose network issue.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "Traceflow" "default" true) }}
# Enable NodePortLocal feature to make the Pods reachable externally through NodePort
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "NodePortLocal" "default" true) }}
# Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
# to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
# feature that supports priorities, rule actions and externalEntities in the future.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "AntreaPolicy" "default" true) }}
# Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each
# agent to a configured collector.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "FlowExporter" "default" false) }}
# Enable collecting and exposing NetworkPolicy statistics.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "NetworkPolicyStats" "default" true) }}
# Enable controlling SNAT IPs of Pod egress traffic.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "Egress" "default" true) }}
# Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the
# bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for
# IPAM when configuring secondary network interfaces with Multus.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "AntreaIPAM" "default" false) }}
# Enable multicast traffic.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "Multicast" "default" false) }}
# Enable Antrea Multi-cluster features.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "Multicluster" "default" false) }}
# Enable support for provisioning secondary network interfaces for Pods (using
# Pod annotations). At the moment, Antrea can only create secondary network
# interfaces using SR-IOV VFs on baremetal Nodes.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "SecondaryNetwork" "default" false) }}
# Enable managing external IPs of Services of LoadBalancer type.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "ServiceExternalIP" "default" false) }}
# Enable mirroring or redirecting the traffic Pods send or receive.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "TrafficControl" "default" false) }}
# Enable certificated-based authentication for IPsec.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "IPsecCertAuth" "default" false) }}
# Enable collecting support bundle files with SupportBundleCollection CRD.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "SupportBundleCollection" "default" false) }}
# Enable users to protect their applications by specifying how they are allowed to communicate with others, taking
# into account application context.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "L7NetworkPolicy" "default" false) }}
# Name of the OpenVSwitch bridge antrea-agent will create and use.
# Make sure it doesn't conflict with your existing OpenVSwitch bridges.
ovsBridge: {{ .Values.ovs.bridgeName | quote }}
# Datapath type to use for the OpenVSwitch bridge created by Antrea. At the moment, the only
# supported value is 'system', which corresponds to the kernel datapath.
#ovsDatapathType: system
# Name of the interface antrea-agent will create and use for host <--> pod communication.
# Make sure it doesn't conflict with your existing interfaces.
hostGateway: {{ .Values.hostGateway | quote }}
# Determines how traffic is encapsulated. It has the following options:
# encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network
# traffic is SNAT'd.
# noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is
# SNAT'd if noSNAT is not set to true. Underlying network must be capable of
# supporting Pod traffic across IP subnets.
# hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap.
# networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod
# IPAM and connectivity to the primary CNI.
#
trafficEncapMode: {{ .Values.trafficEncapMode | quote }}
# Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network.
# This option is for the noEncap traffic mode only, and the default value is false. In the noEncap
# mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to
# the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never
# performs SNAT and this option will be ignored; for other modes it must be set to false.
noSNAT: {{ .Values.noSNAT }}
# Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode,
# this option will not take effect. Supported values:
# - geneve (default)
# - vxlan
# - gre
# - stt
# Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters).
tunnelType: {{ .Values.tunnelType | quote }}
# TunnelPort is the destination port for UDP and TCP based tunnel protocols (Geneve, VXLAN, and STT).
# If zero, it will use the assigned IANA port for the protocol, i.e. 6081 for Geneve, 4789 for VXLAN,
# and 7471 for STT.
tunnelPort: {{ .Values.tunnelPort }}
# TunnelCsum determines whether to compute UDP encapsulation header (Geneve or VXLAN) checksums on outgoing
# packets. For Linux kernel before Mar 2021, UDP checksum must be present to trigger GRO on the receiver for better
# performance of Geneve and VXLAN tunnels. The issue has been fixed by
# https://github.com/torvalds/linux/commit/89e5c58fc1e2857ccdaae506fb8bc5fed57ee063, thus computing UDP checksum is
# no longer necessary.
# It should only be set to true when you are using an unpatched Linux kernel and observing poor transfer performance.
tunnelCsum: {{ .Values.tunnelCsum }}
# Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode.
# It has the following options:
# - none (default): Inter-node Pod traffic will not be encrypted.
# - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses
# Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled,
# the PSK value must be passed to Antrea Agent through an environment
# variable: ANTREA_IPSEC_PSK.
# - wireGuard: Enable WireGuard for tunnel traffic encryption.
trafficEncryptionMode: {{ .Values.trafficEncryptionMode | quote }}
# Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected
# to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are
# allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the
# underlay network.
# This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only
# IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`,
# `trafficEncapMode` is `noEncap`, and `noSNAT` is true.
enableBridgingMode: {{ .Values.enableBridgingMode }}
# Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the
# datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum.
# It affects Pods running on Linux Nodes only.
disableTXChecksumOffload: {{ .Values.disableTXChecksumOffload }}
# Default MTU to use for the host gateway interface and the network interface of each Pod.
# If omitted, antrea-agent will discover the MTU of the Node's primary interface and
# also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
defaultMTU: {{ .Values.defaultMTU }}
# wireGuard specifies WireGuard related configurations.
wireGuard:
{{- with .Values.wireGuard }}
# The port for WireGuard to receive traffic.
port: {{ .port }}
{{- end }}
egress:
{{- with .Values.egress }}
# exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses.
exceptCIDRs:
{{- with .exceptCIDRs }}
{{- toYaml . | nindent 4 }}
{{- end }}
# The maximum number of Egress IPs that can be assigned to a Node. It's useful when the Node network restricts
# the number of secondary IPs a Node can have, e.g. EKS. It must not be greater than 255.
maxEgressIPsPerNode: {{ .maxEgressIPsPerNode }}
{{- end }}
# ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
# set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
# AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
serviceCIDR: {{ .Values.serviceCIDR | quote }}
# ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
# cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
# --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
# No default value for this field.
serviceCIDRv6: {{ .Values.serviceCIDRv6 | quote }}
# The port for the antrea-agent APIServer to serve on.
# Note that if it's set to another value, the `containerPort` of the `api` port of the
# `antrea-agent` container must be set to the same value.
apiPort: {{ .Values.agent.apiPort }}
# Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
enablePrometheusMetrics: {{ .Values.agent.enablePrometheusMetrics }}
# Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
# HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
# using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
# wrapped with []. When the collector is running in-cluster as a Service, set
# <HOST> to <Service namespace>/<Service name>. For example,
# "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea
# Flow Aggregator Service.
# If PORT is empty, we default to 4739, the standard IPFIX port.
# If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
# "udp" protocols. "tls" is used for securing communication between flow exporter and
# flow aggregator.
flowCollectorAddr: {{ .Values.flowCollector.collectorAddr | quote }}
# Provide flow poll interval as a duration string. This determines how often the
# flow exporter dumps connections from the conntrack module. Flow poll interval
# should be greater than or equal to 1s (one second).
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
flowPollInterval: {{ .Values.flowCollector.flowPollInterval | quote }}
# Provide the active flow export timeout, which is the timeout after which a flow
# record is sent to the collector for active flows. Thus, for flows with a continuous
# stream of packets, a flow record will be exported to the collector once the elapsed
# time since the last export event is equal to the value of this timeout.
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
activeFlowExportTimeout: {{ .Values.flowCollector.activeFlowExportTimeout | quote }}
# Provide the idle flow export timeout, which is the timeout after which a flow
# record is sent to the collector for idle flows. A flow is considered idle if no
# packet matching this flow has been observed since the last export event.
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
idleFlowExportTimeout: {{ .Values.flowCollector.idleFlowExportTimeout | quote }}
nodePortLocal:
{{- with .Values.nodePortLocal }}
# Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To
# enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature
# gate is also enabled (which is the default).
enable: {{ .enable }}
# Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port
# from that range will be assigned whenever a Pod's container defines a specific port to be exposed
# (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic
# directed to that port will be forwarded to the Pod.
portRange: {{ .portRange | quote }}
{{- end }}
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
kubeAPIServerOverride: {{ .Values.kubeAPIServerOverride | quote }}
# Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53,
# [fd00:10:96::a]:53).
dnsServerOverride: {{ .Values.dnsServerOverride | quote }}
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
# https://golang.org/pkg/crypto/tls/#pkg-constants
# Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
# prefer TLS1.3 Cipher Suites whenever possible.
tlsCipherSuites: {{ .Values.tlsCipherSuites | quote }}
# TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
tlsMinVersion: {{ .Values.tlsMinVersion | quote }}
# The name of the interface on Node which is used for tunneling or routing the traffic across Nodes.
# If there are multiple IP addresses configured on the interface, the first one is used. The IP
# address used for tunneling or routing traffic to remote Nodes is decided in the following order of
# preference (from highest to lowest):
# 1. transportInterface
# 2. transportInterfaceCIDRs
# 3. The Node IP
transportInterface: {{ .Values.transportInterface | quote }}
multicast:
{{- with .Values.multicast }}
# The names of the interfaces on Nodes that are used to forward multicast traffic.
# Defaults to transport interface if not set.
multicastInterfaces:
{{- with .multicastInterfaces }}
{{- toYaml . | nindent 4 }}
{{- end }}
# The interval at which the antrea-agent sends IGMP queries to Pods.
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
igmpQueryInterval: {{ .igmpQueryInterval | quote }}
{{- end}}
# The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across
# Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The
# IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of
# preference (from highest to lowest):
# 1. transportInterface
# 2. transportInterfaceCIDRs
# 3. The Node IP
transportInterfaceCIDRs:
{{- with .Values.transportInterfaceCIDRs }}
{{- toYaml . | nindent 2 }}
{{- end }}
# Option antreaProxy contains AntreaProxy related configuration options.
antreaProxy:
{{- with .Values.antreaProxy }}
# ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic,
# regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy
# feature to be enabled.
# Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access
# apiserver directly.
proxyAll: {{ .proxyAll }}
# A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks.
# (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses.
# Note that the option is only valid when proxyAll is true.
nodePortAddresses:
{{- with .nodePortAddresses }}
{{- toYaml . | nindent 4 }}
{{- end }}
# An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these
# Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name
# with Namespace (e.g. kube-system/kube-dns)
skipServices:
{{- with .skipServices }}
{{- toYaml . | nindent 4 }}
{{- end }}
# When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the
# External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional
# capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the
# external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy.
# Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and
# kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic.
proxyLoadBalancerIPs: {{ .proxyLoadBalancerIPs }}
{{- end }}
# IPsec tunnel related configurations.
ipsec:
{{- with .Values.ipsec }}
# The authentication mode of IPsec tunnel. It has the following options:
# - psk (default): Use pre-shared key (PSK) for IKE authentication.
# - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth`
# feature gate to be enabled.
authenticationMode: {{ .authenticationMode | quote }}
{{- end }}
multicluster:
{{- with .Values.multicluster }}
# Enable Antrea Multi-cluster Gateway to support cross-cluster traffic.
# This feature is supported only with encap mode.
enableGateway: {{ .enableGateway }}
# The Namespace where Antrea Multi-cluster Controller is running.
# The default is antrea-agent's Namespace.
namespace: {{ .namespace | quote }}
# Enable Multi-cluster NetworkPolicy (ingress rules).
# Multi-cluster Gateway must be enabled to enable StretchedNetworkPolicy.
enableStretchedNetworkPolicy: {{ .enableStretchedNetworkPolicy }}
# Enable Pod to Pod connectivity.
enablePodToPodConnectivity: {{ .enablePodToPodConnectivity }}
{{- end }}
{{- if .Values.featureGates.SecondaryNetwork }}
secondaryNetwork:
{{- with .Values.secondaryNetwork }}
# OVS bridge configuration for secondary network.
ovs:
# Enable OVS bridge configuration for secondary network.
enable: {{ .ovs.enable }}
# Secondary network OVS integration bridge name. Ensure it doesn't conflict with your existing OpenVSwitch bridges.
integrationBridgeName: {{ .ovs.integrationBridgeName | quote }}
# Secondary network OVS transport bridge name. Ensure it doesn't conflict with your existing OpenVSwitch bridges.
transportBridgeName: {{ .ovs.transportBridgeName | quote }}
# Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are:
# - system
# - netdev
# 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run
# OVS in userspace mode. Userspace mode requires the tun device driver to be available.
datapathType: {{ .ovs.datapathType | quote }}
# Name of the OVS patch port which connects the integration and transport bridge.
patchPort: {{ .ovs.patchPort | quote }}
# Tunnel protocol used for encapsulating traffic across Nodes. It must be one
# of "geneve", "vxlan", "gre", "stt".
tunnelType: {{ .tunnelType | quote }}
{{- end }}
{{- end }}