diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 3d06f76d181..d4640d0d2c4 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -224,6 +224,15 @@ jobs:
run: |
sudo npm install -g markdownlint-cli@0.31.1
make markdownlint
+ - name: Checking whether autogenerated Helm chart documentation is up-to-date
+ working-directory: build/charts/
+ run: |
+ make helm-docs
+ DIFF=$(git diff .)
+ if [ -n "$DIFF" ]; then
+ echo "The Helm chart documentation is out-of-date; please run 'make helm-docs' in 'build/charts/' and commit the changes"
+ exit 1
+ fi
benchmark:
needs: check-changes
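Review bot: `DIFF=$(git diff .)` only reports modifications to tracked files, so a README.md that helm-docs generates for a newly added chart (still untracked) would not fail this check. Comparing against the working-tree status catches both cases: `if [ -n "$(git status --porcelain .)" ]; then`. As written the step also prints nothing about what differs, so adding `git status --porcelain .` (or `git diff .`) before the `exit 1` would make the CI log actionable for the contributor.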
diff --git a/Makefile b/Makefile
index 73f0ed5d634..b307d51b9a4 100644
--- a/Makefile
+++ b/Makefile
@@ -351,11 +351,7 @@ build-scale-simulator:
.PHONY: manifest
manifest:
@echo "===> Generating dev manifest for Antrea <==="
- $(CURDIR)/hack/generate-manifest.sh --mode dev > build/yamls/antrea.yml
- $(CURDIR)/hack/generate-manifest.sh --mode dev --ipsec > build/yamls/antrea-ipsec.yml
- $(CURDIR)/hack/generate-manifest.sh --mode dev --cloud EKS --encap-mode networkPolicyOnly > build/yamls/antrea-eks.yml
- $(CURDIR)/hack/generate-manifest.sh --mode dev --cloud GKE --encap-mode noEncap > build/yamls/antrea-gke.yml
- $(CURDIR)/hack/generate-manifest.sh --mode dev --cloud AKS --encap-mode networkPolicyOnly > build/yamls/antrea-aks.yml
+ $(CURDIR)/hack/generate-standard-manifests.sh --mode dev --out build/yamls
$(CURDIR)/hack/generate-manifest-octant.sh --mode dev > build/yamls/antrea-octant.yml
$(CURDIR)/hack/generate-manifest-windows.sh --mode dev > build/yamls/antrea-windows.yml
$(CURDIR)/hack/generate-manifest-flow-aggregator.sh --mode dev > build/yamls/flow-aggregator.yml
@@ -439,12 +435,12 @@ toc:
.PHONE: markdownlint
markdownlint:
@echo "===> Running markdownlint <==="
- markdownlint -c .markdownlint-config.yml -i CHANGELOG/ -i CHANGELOG.md -i hack/netpol -i CODE_OF_CONDUCT.md .
+ markdownlint -c hack/.markdownlint-config.yml -p hack/.markdownlint-ignore .
.PHONE: markdownlint-fix
markdownlint-fix:
@echo "===> Running markdownlint <==="
- markdownlint --fix -c .markdownlint-config.yml -i CHANGELOG/ -i CHANGELOG.md -i hack/netpol -i CODE_OF_CONDUCT.md .
+ markdownlint --fix -c hack/.markdownlint-config.yml -p hack/.markdownlint-ignore .
.PHONY: spelling-fix
spelling-fix:
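Review bot: The `.PHONE: markdownlint` and `.PHONE: markdownlint-fix` lines next to the changed recipes are misspellings of `.PHONY`, so neither target is actually declared phony and a file named `markdownlint` in the repository root would make `make markdownlint` report nothing to do. This predates the commit, but since both recipes are being rewritten here it is the natural place to fix it: `.PHONY: markdownlint` and `.PHONY: markdownlint-fix`. The new `-p hack/.markdownlint-ignore` file is referenced but not part of this hunk, so I cannot confirm it carries over the four paths the removed lines excluded (CHANGELOG/, CHANGELOG.md, hack/netpol, CODE_OF_CONDUCT.md).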
diff --git a/build/charts/Makefile b/build/charts/Makefile
new file mode 100644
index 00000000000..608a7eafa98
--- /dev/null
+++ b/build/charts/Makefile
@@ -0,0 +1,6 @@
+USERID := $(shell id -u)
+GRPID := $(shell id -g)
+
+.PHONY: helm-docs
+helm-docs:
+ docker run --rm --volume "$(CURDIR):/helm-docs" --user=$(USERID):$(GRPID) jnorwood/helm-docs:v1.7.0
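Review bot: `jnorwood/helm-docs:v1.7.0` is a mutable tag, so the generator that runs on every contributor's machine and in CI can change without any change to this repository; pinning the digest as well, `jnorwood/helm-docs:v1.7.0@sha256:<digest-of-the-v1.7.0-image>`, makes the output reproducible and turns upstream drift into a visible diff instead of something silently absorbed. The generated README footer records the helm-docs version, so bumping the tag here requires regenerating the docs in the same commit or the new CI freshness step will fail. A one-line `## Regenerate README.md for every chart under this directory (requires docker)` comment on the target would also help, since this Makefile has no `help` target to document it.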
diff --git a/build/charts/antrea/.helmignore b/build/charts/antrea/.helmignore
new file mode 100644
index 00000000000..0e8a0eb36f4
--- /dev/null
+++ b/build/charts/antrea/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/build/charts/antrea/Chart.yaml b/build/charts/antrea/Chart.yaml
new file mode 100644
index 00000000000..d835cf2b082
--- /dev/null
+++ b/build/charts/antrea/Chart.yaml
@@ -0,0 +1,18 @@
+apiVersion: v2
+name: antrea
+type: application
+displayName: Antrea
+home: https://antrea.io/
+version: 1.17.0-dev
+appVersion: 1.17.0-dev
+kubeVersion: ">= 1.16.0-0"
+icon: https://raw.githubusercontent.com/antrea-io/antrea/main/docs/assets/logo/antrea_logo.svg
+description: Kubernetes networking based on Open vSwitch
+keywords:
+ - Kubernetes
+ - CNCF
+ - Networking
+ - CNI
+ - Security
+sources:
+ - https://github.com/antrea-io/antrea
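Review bot: `displayName: Antrea` is not one of the fields Helm defines for Chart.yaml v2 metadata (apiVersion, name, version, kubeVersion, description, type, keywords, home, sources, dependencies, maintainers, icon, appVersion, deprecated, annotations), and as far as I can tell Helm does not reject unknown keys, so the value is silently ignored. If it is meant for a chart registry or hub, that consumer's documented location (typically under `annotations:`) should be used instead; otherwise the line should be dropped so the file does not suggest a setting that has no effect.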
diff --git a/build/charts/antrea/README.md b/build/charts/antrea/README.md
new file mode 100644
index 00000000000..9005e7c0b0d
--- /dev/null
+++ b/build/charts/antrea/README.md
@@ -0,0 +1,106 @@
+# antrea
+
+![Version: 1.17.0-dev](https://img.shields.io/badge/Version-1.17.0--dev-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.17.0-dev](https://img.shields.io/badge/AppVersion-1.17.0--dev-informational?style=flat-square)
+
+Kubernetes networking based on Open vSwitch
+
+**Homepage:**
+
+## Source Code
+
+*
+
+## Requirements
+
+Kubernetes: `>= 1.16.0-0`
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| agent.affinity | object | `{}` | Affinity for the antrea-agent Pods. |
+| agent.antreaAgent.extraArgs | list | `[]` | Extra command-line arguments for antrea-agent. |
+| agent.antreaAgent.extraEnv | object | `{}` | Extra environment variables to be injected into antrea-agent. |
+| agent.antreaAgent.extraVolumeMounts | list | `[]` | Additional volumeMounts for the antrea-agent container. |
+| agent.antreaAgent.logFileMaxNum | int | `4` | Max number of log files. |
+| agent.antreaAgent.logFileMaxSize | int | `100` | Max size in MBs of any single log file. |
+| agent.antreaAgent.resources | object | `{"requests":{"cpu":"200m"}}` | Resource requests and limits for the antrea-agent container. |
+| agent.antreaIPsec.resources | object | `{"requests":{"cpu":"50m"}}` | Resource requests and limits for the antrea-ipsec container (when IPsec is enabled). |
+| agent.antreaOVS.extraArgs | list | `[]` | Extra command-line arguments for antrea-ovs. |
+| agent.antreaOVS.logFileMaxNum | int | `4` | Max number of log files. |
+| agent.antreaOVS.logFileMaxSize | int | `100` | Max size in MBs of any single log file. |
+| agent.antreaOVS.resources | object | `{"requests":{"cpu":"200m"}}` | Resource requests and limits for the antrea-ovs container. |
+| agent.apiPort | int | `10350` | Port for the antrea-agent APIServer to serve on. |
+| agent.dnsPolicy | string | `"ClusterFirstWithHostNet"` | DNS Policy for the antrea-agent Pods. |
+| agent.enablePrometheusMetrics | bool | `true` | Enable metrics exposure via Prometheus. |
+| agent.extraVolumes | list | `[]` | Additional volumes for antrea-agent Pods. |
+| agent.installCNI.resources | object | `{"requests":{"cpu":"100m"}}` | Resource requests and limits for the install-cni initContainer. |
+| agent.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node selector for the antrea-agent Pods. |
+| agent.podAnnotations | object | `{}` | Annotations to be added to antrea-agent Pods. |
+| agent.podLabels | object | `{}` | Labels to be added to antrea-agent Pods. |
+| agent.priorityClassName | string | `"system-node-critical"` | Prority class to use for the antrea-agent Pods. |
+| agent.tolerations | list | `[{"key":"CriticalAddonsOnly","operator":"Exists"},{"effect":"NoSchedule","operator":"Exists"},{"effect":"NoExecute","operator":"Exists"}]` | Tolerations for the antrea-agent Pods. |
+| agent.updateStrategy | object | `{"type":"RollingUpdate"}` | Update strategy for the antrea-agent DaemonSet. |
+| antreaProxy.nodePortAddresses | list | `[]` | String array of values which specifies the host IPv4/IPv6 addresses for NodePort. By default, all host addresses are used. |
+| antreaProxy.proxyAll | bool | `false` | Proxy all Service traffic, for all Service types, regardless of where it comes from. |
+| antreaProxy.proxyLoadBalancerIPs | bool | `true` | When set to false, AntreaProxy no longer load-balances traffic destined to the External IPs of LoadBalancer Services. |
+| antreaProxy.skipServices | list | `[]` | |
+| cni.hostBinPath | string | `"/opt/cni/bin"` | Installation path of CNI binaries on the host. |
+| cni.plugins | object | `{"bandwidth":true,"portmap":true}` | Chained plugins to use alongside antrea-cni. |
+| cni.skipBinaries | list | `[]` | CNI binaries shipped with Antrea for which installation should be skipped. |
+| controller.affinity | object | `{}` | Affinity for the antrea-controller Pod. |
+| controller.antreaController.extraArgs | list | `[]` | Extra command-line arguments for antrea-controller. |
+| controller.antreaController.extraEnv | object | `{}` | Extra environment variables to be injected into antrea-controller. |
+| controller.antreaController.logFileMaxNum | int | `4` | Max number of log files. |
+| controller.antreaController.logFileMaxSize | int | `100` | Max size in MBs of any single log file. |
+| controller.antreaController.resources | object | `{"requests":{"cpu":"200m"}}` | Resource requests and limits for the antrea-controller container. |
+| controller.apiPort | int | `10349` | Port for the antrea-controller APIServer to serve on. |
+| controller.enablePrometheusMetrics | bool | `true` | Enable metrics exposure via Prometheus. |
+| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node selector for the antrea-controller Pod. |
+| controller.podAnnotations | object | `{}` | Annotations to be added to antrea-controller Pod. |
+| controller.podLabels | object | `{}` | Labels to be added to antrea-controller Pod. |
+| controller.priorityClassName | string | `"system-cluster-critical"` | Prority class to use for the antrea-controller Pod. |
+| controller.selfSignedCert | bool | `true` | Indicates whether to use auto-generated self-signed TLS certificates. If false, a Secret named "antrea-controller-tls" must be provided with the following keys: ca.crt, tls.crt, tls.key. |
+| controller.tolerations | list | `[{"key":"CriticalAddonsOnly","operator":"Exists"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"}]` | Tolerations for the antrea-controller Pod. |
+| defaultMTU | int | `0` | Default MTU to use for the host gateway interface and the network interface of each Pod. By default, antrea-agent will discover the MTU of the Node's primary interface and adjust it to accommodate for tunnel encapsulation overhead if applicable. |
+| egress.exceptCIDRs | list | `[]` | CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. |
+| enableBridgingMode | bool | `false` | Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected to the OVS bridge. |
+| featureGates | object | `{}` | To explicitly enable or disable a FeatureGate and bypass the Antrea defaults, add an entry to the dictionary with the FeatureGate's name as the key and a boolean as the value. |
+| flowCollector.activeFlowExportTimeout | string | `"5s"` | timeout after which a flow record is sent to the collector for active flows. |
+| flowCollector.collectorAddr | string | `"flow-aggregator.flow-aggregator.svc:4739:tls"` | IPFIX collector address as a string with format :[][:]. |
+| flowCollector.flowPollInterval | string | `"5s"` | Determines how often the flow exporter polls for new connections. |
+| flowCollector.idleFlowExportTimeout | string | `"15s"` | timeout after which a flow record is sent to the collector for idle flows. |
+| hostGateway | string | `"antrea-gw0"` | Name of the interface antrea-agent will create and use for host <-> Pod communication. |
+| image | object | `{"pullPolicy":"IfNotPresent","repository":"projects.registry.vmware.com/antrea/antrea-ubuntu","tag":"latest"}` | Container image to use for Antrea components. |
+| ipsec.psk | string | `"changeme"` | Preshared Key (PSK) for IKE authentication. It will be stored in a secret and passed to antrea-agent as an environment variable. |
+| kubeAPIServerOverride | string | `""` | Address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. |
+| logVerbosity | int | `0` | |
+| multicastInterfaces | list | `[]` | Names of the interfaces on Nodes that are used to forward multicast traffic. |
+| noSNAT | bool | `false` | Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. |
+| nodeIPAM.clusterCIDRs | list | `[]` | CIDR ranges to use when allocating Pod IP addresses. |
+| nodeIPAM.enable | bool | `false` | Enable Node IPAM in Antrea |
+| nodeIPAM.nodeCIDRMaskSizeIPv4 | int | `24` | Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. |
+| nodeIPAM.nodeCIDRMaskSizeIPv6 | int | `64` | Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. |
+| nodeIPAM.serviceCIDR | string | `""` | IPv4 CIDR ranges reserved for Services. |
+| nodeIPAM.serviceCIDRv6 | string | `""` | IPv6 CIDR ranges reserved for Services. |
+| nodePortLocal.enable | bool | `false` | Enable the NodePortLocal feature. |
+| nodePortLocal.portRange | string | `"61000-62000"` | Port range used by NodePortLocal when creating Pod port mappings. |
+| ovs.bridgeName | string | `"br-int"` | Name of the OVS bridge antrea-agent will create and use. |
+| ovs.hwOffload | bool | `false` | Enable hardware offload for the OVS bridge (required additional configuration). |
+| serviceCIDR | string | `""` | IPv4 CIDR range used for Services. Required when AntreaProxy is disabled. |
+| serviceCIDRv6 | string | `""` | IPv6 CIDR range used for Services. Required when AntreaProxy is disabled. |
+| testing.coverage | bool | `false` | |
+| testing.simulator.enable | bool | `false` | |
+| tlsCipherSuites | string | `""` | Comma-separated list of cipher suites that will be used by the Antrea APIservers. If empty, the default Go Cipher Suites will be used. See https://golang.org/pkg/crypto/tls/#pkg-constants. |
+| tlsMinVersion | string | `""` | TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. |
+| trafficEncapMode | string | `"encap"` | Determines how traffic is encapsulated. It must be one of "encap", "noEncap", "hybrid", or "networkPolicyOnly". |
+| trafficEncryptionMode | string | `"none"` | Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode.It must be one of "none", "ipsec", "wireGuard". |
+| transportInterface | string | `""` | Name of the interface on Node which is used for tunneling or routing the traffic across Nodes. |
+| transportInterfaceCIDRs | list | `[]` | Network CIDRs of the interface on Node which is used for tunneling or routing the traffic across Nodes. |
+| tunnelType | string | `"geneve"` | Tunnel protocol used for encapsulating traffic across Nodes. It must be one of "geneve", "vxlan", "gre", "stt". |
+| webhooks.labelsMutator.enable | bool | `false` | |
+| whereabouts.enable | bool | `false` | |
+| wireGuard.port | int | `51820` | Port for WireGuard to send and receive traffic. |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0)
diff --git a/build/yamls/base/conf/antrea-agent.conf b/build/charts/antrea/conf/antrea-agent.conf
similarity index 77%
rename from build/yamls/base/conf/antrea-agent.conf
rename to build/charts/antrea/conf/antrea-agent.conf
index 01745c081e1..174ea80888c 100644
--- a/build/yamls/base/conf/antrea-agent.conf
+++ b/build/charts/antrea/conf/antrea-agent.conf
@@ -3,65 +3,64 @@ featureGates:
# Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent.
# It should be enabled on Windows, otherwise NetworkPolicy will not take effect on
# Service traffic.
-# AntreaProxy: true
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "AntreaProxy" "default" true) }}
# Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice
# API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled,
# this flag will not take effect.
-# EndpointSlice: false
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "EndpointSlice" "default" false) }}
# Enable traceflow which provides packet tracing feature to diagnose network issue.
-# Traceflow: true
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "Traceflow" "default" true) }}
# Enable NodePortLocal feature to make the Pods reachable externally through NodePort
-# NodePortLocal: true
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "NodePortLocal" "default" true) }}
# Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
# to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
# feature that supports priorities, rule actions and externalEntities in the future.
-# AntreaPolicy: true
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "AntreaPolicy" "default" true) }}
# Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each
# agent to a configured collector.
-# FlowExporter: false
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "FlowExporter" "default" false) }}
# Enable collecting and exposing NetworkPolicy statistics.
-# NetworkPolicyStats: true
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "NetworkPolicyStats" "default" true) }}
# Enable controlling SNAT IPs of Pod egress traffic.
-# Egress: true
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "Egress" "default" true) }}
# Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the
# bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for
# IPAM when configuring secondary network interfaces with Multus.
-# AntreaIPAM: false
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "AntreaIPAM" "default" false) }}
# Enable multicast traffic. This feature is supported only with noEncap mode.
-# Multicast: false
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "Multicast" "default" false) }}
# Enable support for provisioning secondary network interfaces for Pods (using
# Pod annotations). At the moment, Antrea can only create secondary network
# interfaces using SR-IOV VFs on baremetal Nodes.
-# SecondaryNetwork: false
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "SecondaryNetwork" "default" false) }}
# Enable managing external IPs of Services of LoadBalancer type.
-# ServiceExternalIP: false
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "ServiceExternalIP" "default" false) }}
# Name of the OpenVSwitch bridge antrea-agent will create and use.
# Make sure it doesn't conflict with your existing OpenVSwitch bridges.
-#ovsBridge: br-int
+ovsBridge: {{ .Values.ovs.bridgeName | quote }}
# Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are:
# - system
# - netdev
# 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run
-# OVS in userspace mode (not fully supported yet). Userspace mode requires the tun device driver to
-# be available.
+# OVS in userspace mode. Userspace mode requires the tun device driver to be available.
#ovsDatapathType: system
# Name of the interface antrea-agent will create and use for host <--> pod communication.
# Make sure it doesn't conflict with your existing interfaces.
-#hostGateway: antrea-gw0
+hostGateway: {{ .Values.hostGateway | quote }}
# Determines how traffic is encapsulated. It has the following options:
# encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network
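Review bot: Each `{{- include "featureGate" ... }}` line trims the newline after the preceding comment line, so the helper (defined in a file outside this diff) must emit its own leading newline and two-space indent; if it ever returns just `AntreaPolicy: true`, the gate is appended to the comment line and silently becomes part of the comment. I cannot confirm the helper's output from here, so a rendered-output assertion in CI (for example `helm template` piped through a YAML parser, checking that `featureGates.AntreaProxy` exists) would guard against this class of breakage, which produces no error at all. A short template comment above the first include stating the contract the file relies on, e.g. `{{/* featureGate must emit a newline-prefixed, two-space-indented "<name>: <bool>" line */}}`, would make that dependency visible to the next editor.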
@@ -73,14 +72,14 @@ featureGates:
# networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod
# IPAM and connectivity to the primary CNI.
#
-#trafficEncapMode: encap
+trafficEncapMode: {{ .Values.trafficEncapMode | quote }}
# Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network.
# This option is for the noEncap traffic mode only, and the default value is false. In the noEncap
# mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to
# the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never
# performs SNAT and this option will be ignored; for other modes it must be set to false.
-#noSNAT: false
+noSNAT: {{ .Values.noSNAT }}
# Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode,
# this option will not take effect. Supported values:
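Review bot: `trafficEncapMode: {{ .Values.trafficEncapMode | quote }}` renders whatever string the user supplies, so a typo such as `noencap` is only rejected when antrea-agent starts, after the DaemonSet has already rolled out; the same applies to `tunnelType` and `trafficEncryptionMode` in the next two hunks. Since the valid sets are enumerated in the surrounding comments, the chart can reject bad values at `helm install`/`helm template` time with a `values.schema.json` carrying `enum` entries for these three keys, or a `fail` guard in the template. That keeps the failure close to the operator who made the mistake instead of surfacing as a crash-looping agent on every Node.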
@@ -89,7 +88,7 @@ featureGates:
# - gre
# - stt
# Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters).
-#tunnelType: geneve
+tunnelType: {{ .Values.tunnelType | quote }}
# Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode.
# It has the following options:
@@ -99,7 +98,7 @@ featureGates:
# the PSK value must be passed to Antrea Agent through an environment
# variable: ANTREA_IPSEC_PSK.
# - wireGuard: Enable WireGuard for tunnel traffic encryption.
-#trafficEncryptionMode: none
+trafficEncryptionMode: {{ .Values.trafficEncryptionMode | quote }}
# Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected
# to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are
@@ -108,40 +107,47 @@ featureGates:
# This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only
# IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`,
# `trafficEncapMode` is `noEncap`, and `noSNAT` is true.
-#enableBridgingMode: false
+enableBridgingMode: {{ .Values.enableBridgingMode }}
# Default MTU to use for the host gateway interface and the network interface of each Pod.
# If omitted, antrea-agent will discover the MTU of the Node's primary interface and
# also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
-#defaultMTU: 0
+defaultMTU: {{ .Values.defaultMTU }}
# wireGuard specifies WireGuard related configurations.
wireGuard:
-# The port for WireGuard to receive traffic.
-# port: 51820
+{{- with .Values.wireGuard }}
+ # The port for WireGuard to receive traffic.
+ port: {{ .port }}
+{{- end }}
egress:
-# exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses.
-# exceptCIDRs: []
+{{- with .Values.egress }}
+ # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses.
+ exceptCIDRs:
+ {{- with .exceptCIDRs }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
# ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
# set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
# AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
-#serviceCIDR: 10.96.0.0/12
+serviceCIDR: {{ .Values.serviceCIDR | quote }}
# ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
# cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
# --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
# No default value for this field.
-#serviceCIDRv6:
+serviceCIDRv6: {{ .Values.serviceCIDRv6 | quote }}
# The port for the antrea-agent APIServer to serve on.
# Note that if it's set to another value, the `containerPort` of the `api` port of the
# `antrea-agent` container must be set to the same value.
-#apiPort: 10350
+apiPort: {{ .Values.agent.apiPort }}
# Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
-#enablePrometheusMetrics: true
+enablePrometheusMetrics: {{ .Values.agent.enablePrometheusMetrics }}
# Provide the IPFIX collector address as a string with format :[][:].
# HOST can either be the DNS name or the IP of the Flow Collector. For example,
@@ -152,50 +158,52 @@ egress:
# If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
# "udp" protocols. "tls" is used for securing communication between flow exporter and
# flow aggregator.
-#flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
+flowCollectorAddr: {{ .Values.flowCollector.collectorAddr | quote }}
# Provide flow poll interval as a duration string. This determines how often the
# flow exporter dumps connections from the conntrack module. Flow poll interval
# should be greater than or equal to 1s (one second).
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
-#flowPollInterval: "5s"
+flowPollInterval: {{ .Values.flowCollector.flowPollInterval | quote }}
# Provide the active flow export timeout, which is the timeout after which a flow
# record is sent to the collector for active flows. Thus, for flows with a continuous
# stream of packets, a flow record will be exported to the collector once the elapsed
# time since the last export event is equal to the value of this timeout.
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
-#activeFlowExportTimeout: "30s"
+activeFlowExportTimeout: {{ .Values.flowCollector.activeFlowExportTimeout | quote }}
# Provide the idle flow export timeout, which is the timeout after which a flow
# record is sent to the collector for idle flows. A flow is considered idle if no
# packet matching this flow has been observed since the last export event.
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
-#idleFlowExportTimeout: "15s"
+idleFlowExportTimeout: {{ .Values.flowCollector.idleFlowExportTimeout | quote }}
nodePortLocal:
+{{- with .Values.nodePortLocal }}
# Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To
# enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature
# gate is also enabled (which is the default).
-# enable: false
+ enable: {{ .enable }}
# Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port
# from that range will be assigned whenever a Pod's container defines a specific port to be exposed
# (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic
# directed to that port will be forwarded to the Pod.
-# portRange: 61000-62000
+ portRange: {{ .portRange | quote }}
+{{- end }}
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
-#kubeAPIServerOverride: ""
+kubeAPIServerOverride: {{ .Values.kubeAPIServerOverride | quote }}
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
# https://golang.org/pkg/crypto/tls/#pkg-constants
# Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
# prefer TLS1.3 Cipher Suites whenever possible.
-#tlsCipherSuites:
+tlsCipherSuites: {{ .Values.tlsCipherSuites | quote }}
# TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
-#tlsMinVersion:
+tlsMinVersion: {{ .Values.tlsMinVersion | quote }}
# The name of the interface on Node which is used for tunneling or routing the traffic across Nodes.
# If there are multiple IP addresses configured on the interface, the first one is used. The IP
@@ -204,11 +212,14 @@ nodePortLocal:
# 1. transportInterface
# 2. transportInterfaceCIDRs
# 3. The Node IP
-#transportInterface:
+transportInterface: {{ .Values.transportInterface | quote }}
# The names of the interfaces on Nodes that are used to forward multicast traffic.
# Defaults to transport interface if not set.
-#multicastInterfaces: []
+multicastInterfaces:
+{{- with .Values.multicastInterfaces }}
+{{- toYaml . | nindent 2 }}
+{{- end }}
# The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across
# Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The
@@ -217,28 +228,39 @@ nodePortLocal:
# 1. transportInterface
# 2. transportInterfaceCIDRs
# 3. The Node IP
-#transportInterfaceCIDRs: [,]
+transportInterfaceCIDRs:
+{{- with .Values.transportInterfaceCIDRs }}
+{{- toYaml . | nindent 2 }}
+{{- end }}
# Option antreaProxy contains AntreaProxy related configuration options.
antreaProxy:
+{{- with .Values.antreaProxy }}
# ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic,
# regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy
# feature to be enabled.
# Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access
# apiserver directly.
- #proxyAll: false
+ proxyAll: {{ .proxyAll }}
# A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks.
# (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses.
# Note that the option is only valid when proxyAll is true.
- #nodePortAddresses: []
+ nodePortAddresses:
+ {{- with .nodePortAddresses }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
# An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these
# Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name
# with Namespace (e.g. kube-system/kube-dns)
- #skipServices: []
+ skipServices:
+ {{- with .skipServices }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
# When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the
# External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional
# capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the
# external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy.
# Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and
# kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic.
- #proxyLoadBalancerIPs: true
+ proxyLoadBalancerIPs: {{ .proxyLoadBalancerIPs }}
+{{- end }}
diff --git a/build/yamls/base/conf/antrea-cni.conflist b/build/charts/antrea/conf/antrea-cni.conflist
similarity index 68%
rename from build/yamls/base/conf/antrea-cni.conflist
rename to build/charts/antrea/conf/antrea-cni.conflist
index 14d84678be0..9047fc33409 100644
--- a/build/yamls/base/conf/antrea-cni.conflist
+++ b/build/charts/antrea/conf/antrea-cni.conflist
@@ -7,14 +7,20 @@
"ipam": {
"type": "host-local"
}
- },
+ }
+ {{- if .Values.cni.plugins.portmap }}
+ ,
{
"type": "portmap",
"capabilities": {"portMappings": true}
- },
+ }
+ {{- end }}
+ {{- if .Values.cni.plugins.bandwidth }}
+ ,
{
"type": "bandwidth",
"capabilities": {"bandwidth": true}
}
+ {{- end }}
]
}
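Review bot: The `,` placed on its own line before each optional plugin is what keeps the list valid JSON for all four combinations of `cni.plugins.portmap` and `cni.plugins.bandwidth`, but nothing in the file says so, and the next editor is likely to "tidy" it by moving the comma back after the closing brace, which breaks the both-disabled case. A template comment before the first guard, e.g. `{{/* the comma precedes each optional plugin so the array stays valid JSON whichever subset is enabled */}}`, would prevent that. Helm does not validate JSON in templates, so rendering the conflist with both plugins disabled in CI and piping it through a JSON parser would be a cheap safeguard.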
diff --git a/build/charts/antrea/conf/antrea-controller.conf b/build/charts/antrea/conf/antrea-controller.conf
new file mode 100644
index 00000000000..f54bf5ce864
--- /dev/null
+++ b/build/charts/antrea/conf/antrea-controller.conf
@@ -0,0 +1,73 @@
+# FeatureGates is a map of feature names to bools that enable or disable experimental features.
+featureGates:
+# Enable traceflow which provides packet tracing feature to diagnose network issue.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "Traceflow" "default" true) }}
+
+# Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
+# to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
+# feature that supports priorities, rule actions and externalEntities in the future.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "AntreaPolicy" "default" true) }}
+
+# Enable collecting and exposing NetworkPolicy statistics.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "NetworkPolicyStats" "default" true) }}
+
+# Enable controlling SNAT IPs of Pod egress traffic.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "Egress" "default" true) }}
+
+# Run Kubernetes NodeIPAMController with Antrea.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "NodeIPAM" "default" false) }}
+
+# Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the
+# bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for
+# IPAM when configuring secondary network interfaces with Multus.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "AntreaIPAM" "default" false) }}
+
+# Enable managing external IPs of Services of LoadBalancer type.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "ServiceExternalIP" "default" false) }}
+
+# The port for the antrea-controller APIServer to serve on.
+# Note that if it's set to another value, the `containerPort` of the `api` port of the
+# `antrea-controller` container must be set to the same value.
+apiPort: {{ .Values.controller.apiPort }}
+
+# Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
+enablePrometheusMetrics: {{ .Values.controller.enablePrometheusMetrics }}
+
+# Indicates whether to use auto-generated self-signed TLS certificate.
+# If false, a Secret named "antrea-controller-tls" must be provided with the following keys:
+# ca.crt:
+# tls.crt:
+# tls.key:
+selfSignedCert: {{ .Values.controller.selfSignedCert }}
+
+# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
+# https://golang.org/pkg/crypto/tls/#pkg-constants
+# Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
+# prefer TLS1.3 Cipher Suites whenever possible.
+tlsCipherSuites: {{ .Values.tlsCipherSuites | quote }}
+
+# TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+tlsMinVersion: {{ .Values.tlsMinVersion | quote }}
+
+nodeIPAM:
+{{- with .Values.nodeIPAM }}
+ # Enable the integrated Node IPAM controller within the Antrea controller.
+ enableNodeIPAM: {{ .enable }}
+ # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges.
+ # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family.
+ # Value ignored when enableNodeIPAM is false.
+ clusterCIDRs:
+ {{- with .clusterCIDRs }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs.
+ # Value ignored when enableNodeIPAM is false.
+ serviceCIDR: {{ .serviceCIDR | quote }}
+ serviceCIDRv6: {{ .serviceCIDRv6 | quote }}
+ # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false
+ # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30.
+ nodeCIDRMaskSizeIPv4: {{ .nodeCIDRMaskSizeIPv4 }}
+ # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false
+ # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
+ nodeCIDRMaskSizeIPv6: {{ .nodeCIDRMaskSizeIPv6 }}
+{{- end }}
diff --git a/build/charts/antrea/templates/NOTES.txt b/build/charts/antrea/templates/NOTES.txt
new file mode 100644
index 00000000000..40e0d249333
--- /dev/null
+++ b/build/charts/antrea/templates/NOTES.txt
@@ -0,0 +1 @@
+The Antrea CNI has been successfully installed.
diff --git a/build/charts/antrea/templates/_helpers.tpl b/build/charts/antrea/templates/_helpers.tpl
new file mode 100644
index 00000000000..0319db13d43
--- /dev/null
+++ b/build/charts/antrea/templates/_helpers.tpl
@@ -0,0 +1,9 @@
+{{- define "featureGate" -}}
+{{- $name := .name }}
+{{- $default := .default }}
+{{- if hasKey .featureGates $name }}
+ {{ $name }}: {{ get .featureGates $name }}
+{{- else }}
+ {{ printf "# %s" $name }}: {{ $default }}
+{{- end }}
+{{- end -}}
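Review bot: The `featureGate` helper has no header comment describing its contract, and its behaviour when `featureGates` is not a map is not handled. A short comment above the `define` would cover the first point, e.g. `{{- /* featureGate renders "<name>: <value>" when .featureGates has the key, otherwise a commented "# <name>: <default>" line documenting the built-in default */ -}}`. For the second, if a user sets `featureGates: null` in their values file the `hasKey` call presumably fails at template execution; guarding with `{{- if hasKey (.featureGates | default dict) $name }}` keeps the template rendering. Note also that the value is emitted unquoted and unvalidated, so a string such as `"yes"` would reach the config parser as-is; if only booleans are accepted, a `kindIs "bool"` check with a `fail` message would surface the mistake at install time rather than in the controller logs.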
diff --git a/build/yamls/base/agent-rbac.yml b/build/charts/antrea/templates/agent/clusterrole.yaml
similarity index 90%
rename from build/yamls/base/agent-rbac.yml
rename to build/charts/antrea/templates/agent/clusterrole.yaml
index a75b5fc7b5d..ef7e7ea8da5 100644
--- a/build/yamls/base/agent-rbac.yml
+++ b/build/charts/antrea/templates/agent/clusterrole.yaml
@@ -1,14 +1,9 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: antrea-agent
- namespace: kube-system
----
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: antrea-agent
+ labels:
+ app: antrea
rules:
- apiGroups:
- ""
@@ -190,16 +185,3 @@ rules:
- get
- list
- watch
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: antrea-agent
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: antrea-agent
-subjects:
- - kind: ServiceAccount
- name: antrea-agent
- namespace: kube-system
diff --git a/build/charts/antrea/templates/agent/clusterrolebinding.yaml b/build/charts/antrea/templates/agent/clusterrolebinding.yaml
new file mode 100644
index 00000000000..191035981fb
--- /dev/null
+++ b/build/charts/antrea/templates/agent/clusterrolebinding.yaml
@@ -0,0 +1,14 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-agent
+ labels:
+ app: antrea
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: antrea-agent
+subjects:
+ - kind: ServiceAccount
+ name: antrea-agent
+ namespace: {{ .Release.Namespace }}
diff --git a/build/yamls/base/agent.yml b/build/charts/antrea/templates/agent/daemonset.yaml
similarity index 52%
rename from build/yamls/base/agent.yml
rename to build/charts/antrea/templates/agent/daemonset.yaml
index 8bc007231d3..5292dce279f 100644
--- a/build/yamls/base/agent.yml
+++ b/build/charts/antrea/templates/agent/daemonset.yaml
@@ -1,48 +1,79 @@
----
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: antrea-agent
+ namespace: {{ .Release.Namespace }}
labels:
+ app: antrea
component: antrea-agent
spec:
selector:
matchLabels:
+ app: antrea
component: antrea-agent
- updateStrategy:
- type: RollingUpdate
+ {{- with .Values.agent.updateStrategy }}
+ updateStrategy: {{- toYaml . | nindent 4 }}
+ {{- end }}
template:
metadata:
annotations:
# Starting with v1.21, Kubernetes supports default container annotation.
# Using "kubectl logs/exec/attach/cp" doesn't have to specify "-c antrea-agent" when troubleshooting.
kubectl.kubernetes.io/default-container: antrea-agent
+ # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
+ # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
+ checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+ {{- if eq .Values.trafficEncryptionMode "ipsec" }}
+ checksum/ipsec-secret: {{ include (print $.Template.BasePath "/agent/ipsec-secret.yaml") . | sha256sum }}
+ {{- end }}
+ {{- with .Values.agent.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
labels:
+ app: antrea
component: antrea-agent
+ {{- with .Values.agent.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
spec:
hostNetwork: true
- dnsPolicy: ClusterFirstWithHostNet
- priorityClassName: system-node-critical
- tolerations:
- # Mark it as a critical add-on.
- - key: CriticalAddonsOnly
- operator: Exists
- # Make sure it gets scheduled on all nodes.
- - effect: NoSchedule
- operator: Exists
- # Make sure it doesn't get evicted.
- - effect: NoExecute
- operator: Exists
+ dnsPolicy: {{ .Values.agent.dnsPolicy }}
+ priorityClassName: {{ .Values.agent.priorityClassName }}
+ {{- with .Values.agent.nodeSelector }}
nodeSelector:
- kubernetes.io/os: linux
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.agent.tolerations }}
+ tolerations:
+ {{- toYaml . | trim | nindent 8 }}
+ {{- end }}
+ {{- if .Values.testing.simulator.enable }}
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: antrea/instance
+ operator: NotIn
+ values:
+ - simulator
+ {{- else }}
+ {{- with .Values.agent.affinity }}
+ affinity:
+ {{- toYaml . | trim | nindent 8 }}
+ {{- end }}
+ {{- end }}
serviceAccountName: antrea-agent
initContainers:
- name: install-cni
- image: antrea
- resources:
- requests:
- cpu: "100m"
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ resources: {{- .Values.agent.installCNI.resources | toYaml | nindent 12 }}
+ {{- if eq .Values.trafficEncapMode "networkPolicyOnly" }}
+ command: ["install_cni_chaining"]
+ {{- else }}
command: ["install_cni"]
+ {{- end }}
securityContext:
capabilities:
add:
@@ -52,7 +83,7 @@ spec:
# SKIP_CNI_BINARIES takes in values as a comma separated list of
# binaries that need to be skipped for installation, e.g. "portmap, bandwidth".
- name: SKIP_CNI_BINARIES
- value: ""
+ value: {{ join "," .Values.cni.skipBinaries | quote }}
volumeMounts:
- name: antrea-config
mountPath: /etc/antrea/antrea-cni.conflist
@@ -69,15 +100,43 @@ spec:
# For changing the default permissions of the run directory.
- name: host-var-run-antrea
mountPath: /var/run/antrea
- containers:
- - name: antrea-agent
- image: antrea
+ {{- if .Values.whereabouts.enable }}
+ - name: install-whereabouts-config
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
resources:
requests:
- cpu: "200m"
+ cpu: "100m"
+ command: ["install_whereabouts_config"]
+ volumeMounts:
+ - name: whereabouts-cni-conf
+ mountPath: /host/etc/cni/net.d/whereabouts.d
+ - name: whereabouts-secret
+ mountPath: /var/run/secrets/whereabouts
+ {{- end }}
+ containers:
+ - name: antrea-agent
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- if ((.Values.testing).coverage) }}
+ command: ["/bin/sh"]
+ args: ["-c", "sleep 2; antrea-agent-coverage -test.run=TestBincoverRunMain -test.coverprofile=antrea-agent.cov.out -args-file=/agent-arg-file; while true; do sleep 5 & wait $!; done"]
+ {{- else}}
command: ["antrea-agent"]
- # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).
- args: ["--config", "/etc/antrea/antrea-agent.conf", "--logtostderr=false", "--log_dir=/var/log/antrea", "--alsologtostderr", "--log_file_max_size=100", "--log_file_max_num=4", "--v=0"]
+ # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).-
+ args:
+ - "--config=/etc/antrea/antrea-agent.conf"
+ - "--logtostderr=false"
+ - "--log_dir=/var/log/antrea"
+ - "--alsologtostderr"
+ - "--log_file_max_size={{ .Values.agent.antreaAgent.logFileMaxSize }}"
+ - "--log_file_max_num={{ .Values.agent.antreaAgent.logFileMaxNum }}"
+ {{- if .Values.logVerbosity }}
+ - "--v={{ .Values.logVerbosity }}"
+ {{- end }}
+ {{- with .Values.agent.antreaAgent.extraArgs }}
+ {{- toYaml . | trim | nindent 12 }}
+ {{- end }}
+ {{- end}}
env:
# Provide pod and node information for clusterinformation CRD.
- name: POD_NAME
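Review bot: The comment above the agent `args` list on the new side ends with a stray `-` (`(so "kubectl logs" can work).-`), which should be dropped. In the same hunk the `install-whereabouts-config` init container is written inconsistently with the other containers: its `resources` are hard-coded to `cpu: "100m"` rather than read from values, and it has no `imagePullPolicy` line, so a `pullPolicy: Always` setting will not apply to it; `imagePullPolicy: {{ .Values.image.pullPolicy }}` next to its `image:` line would align it with the `install-cni` container. The `{{- else}}` and `{{- end}}` delimiters around the coverage branch also lack the space before `}}` that every other action in this file uses.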
@@ -92,6 +151,19 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
+ {{- if eq .Values.trafficEncryptionMode "ipsec" }}
+ # Pre-shared key for IPsec IKE.
+ - name: ANTREA_IPSEC_PSK
+ valueFrom:
+ secretKeyRef:
+ name: antrea-ipsec
+ key: psk
+ {{- end }}
+ {{- range $k, $v := .Values.agent.antreaAgent.extraEnv }}
+ - name: {{ $k | quote }}
+ value: {{ $v | quote }}
+ {{- end }}
+ resources: {{- .Values.agent.antreaAgent.resources | toYaml | nindent 12 }}
ports:
- containerPort: 10350
name: api
@@ -155,13 +227,29 @@ spec:
mountPropagation: HostToContainer
- name: xtables-lock
mountPath: /run/xtables.lock
+ {{- if .Values.whereabouts.enable }}
+ - name: whereabouts-cni-conf
+ mountPath: /host/etc/cni/net.d/whereabouts.d
+ - name: whereabouts-secret
+ mountPath: /var/run/secrets/whereabouts
+ {{- end }}
+ {{- with .Values.agent.antreaAgent.extraVolumeMounts }}
+ {{- toYaml . | trim | nindent 10 }}
+ {{- end }}
- name: antrea-ovs
- image: antrea
- resources:
- requests:
- cpu: "200m"
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ resources: {{- .Values.agent.antreaOVS.resources | toYaml | nindent 12 }}
command: ["start_ovs"]
- args: ["--log_file_max_size=100", "--log_file_max_num=4"]
+ args:
+ - "--log_file_max_size={{ .Values.agent.antreaOVS.logFileMaxSize }}"
+ - "--log_file_max_num={{ .Values.agent.antreaOVS.logFileMaxNum }}"
+ {{- if .Values.hwOffload }}
+ - "--hw-offload"
+ {{- end }}
+ {{- with .Values.agent.antreaOVS.extraArgs }}
+ {{- toYaml . | trim | nindent 12 }}
+ {{- end }}
securityContext:
# capabilities required by OVS daemons
capabilities:
@@ -189,6 +277,35 @@ spec:
- name: host-var-log-antrea
mountPath: /var/log/openvswitch
subPath: openvswitch
+ {{- if eq .Values.trafficEncryptionMode "ipsec" }}
+ - name: antrea-ipsec
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ resources: {{- .Values.agent.antreaIPsec.resources | toYaml | nindent 12 }}
+ command: ["start_ovs_ipsec"]
+ livenessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - timeout 5 container_liveness_probe ovs-ipsec
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+ volumeMounts:
+ - name: host-var-run-antrea
+ mountPath: /var/run/openvswitch
+ subPath: openvswitch
+ - name: host-var-log-antrea
+ mountPath: /var/log/openvswitch
+ subPath: openvswitch
+ - name: host-var-log-antrea
+ mountPath: /var/log/strongswan
+ subPath: strongswan
+ {{- end }}
volumes:
- name: antrea-config
configMap:
@@ -198,7 +315,7 @@ spec:
path: /etc/cni/net.d
- name: host-cni-bin
hostPath:
- path: /opt/cni/bin
+ path: {{ .Values.cni.hostBinPath }}
- name: host-proc
hostPath:
path: /proc
@@ -223,3 +340,14 @@ spec:
hostPath:
path: /run/xtables.lock
type: FileOrCreate
+ {{- with .Values.agent.extraVolumes }}
+ {{- toYaml . | trim | nindent 8 }}
+ {{- end }}
+ {{- if .Values.whereabouts.enable }}
+ - hostPath:
+ path: /host/etc/cni/net.d/whereabouts.d
+ name: whereabouts-cni-conf
+ - name: whereabouts-secret
+ secret:
+ secretName: whereabouts-cni-secret
+ {{- end }}
diff --git a/build/charts/antrea/templates/agent/ipsec-secret.yaml b/build/charts/antrea/templates/agent/ipsec-secret.yaml
new file mode 100644
index 00000000000..a49848233aa
--- /dev/null
+++ b/build/charts/antrea/templates/agent/ipsec-secret.yaml
@@ -0,0 +1,13 @@
+{{- if eq .Values.trafficEncryptionMode "ipsec" }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: antrea-ipsec
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: antrea
+type: Opaque
+stringData:
+ # Preshared Key used by IKE for authentication with peers.
+ psk: {{ .Values.ipsec.psk | quote }}
+{{- end }}
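Review bot: An unset `ipsec.psk` renders as `psk: ""` and the install succeeds with an empty pre-shared key; since this Secret is only rendered when `trafficEncryptionMode` is `ipsec`, the value should be mandatory in that mode: `psk: {{ required "ipsec.psk must be set when trafficEncryptionMode is ipsec" .Values.ipsec.psk | quote }}`. Note also that the agent DaemonSet publishes `checksum/ipsec-secret`, a SHA-256 of this rendered file, as a Pod annotation readable by anyone with `get pods`, so a short or guessable PSK is exposed to offline guessing through that hash. Worth a values.yaml comment that the PSK must be long and randomly generated, and a sentence in the chart README saying the PSK lives in release values and therefore in Helm's release Secret as well.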
diff --git a/build/charts/antrea/templates/agent/serviceaccount.yaml b/build/charts/antrea/templates/agent/serviceaccount.yaml
new file mode 100644
index 00000000000..659b91c8c67
--- /dev/null
+++ b/build/charts/antrea/templates/agent/serviceaccount.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: antrea-agent
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: antrea
diff --git a/build/yamls/base/antctl.yml b/build/charts/antrea/templates/antctl/clusterrole.yaml
similarity index 73%
rename from build/yamls/base/antctl.yml
rename to build/charts/antrea/templates/antctl/clusterrole.yaml
index 6a3764ae560..2b60e193731 100644
--- a/build/yamls/base/antctl.yml
+++ b/build/charts/antrea/templates/antctl/clusterrole.yaml
@@ -1,14 +1,9 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: antctl
- namespace: kube-system
----
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: antctl
+ labels:
+ app: antrea
rules:
- apiGroups:
- controlplane.antrea.io
@@ -60,19 +55,3 @@ rules:
- /featuregates
verbs:
- get
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app: antrea
- name: antctl
- namespace: kube-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: antctl
-subjects:
- - kind: ServiceAccount
- name: antctl
- namespace: kube-system
diff --git a/build/charts/antrea/templates/antctl/clusterrolebinding.yaml b/build/charts/antrea/templates/antctl/clusterrolebinding.yaml
new file mode 100644
index 00000000000..3f0a9713920
--- /dev/null
+++ b/build/charts/antrea/templates/antctl/clusterrolebinding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: antrea
+ name: antctl
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: antctl
+subjects:
+ - kind: ServiceAccount
+ name: antctl
+ namespace: {{ .Release.Namespace }}
diff --git a/build/charts/antrea/templates/antctl/serviceaccount.yaml b/build/charts/antrea/templates/antctl/serviceaccount.yaml
new file mode 100644
index 00000000000..64e57a4b318
--- /dev/null
+++ b/build/charts/antrea/templates/antctl/serviceaccount.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: antctl
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: antrea
diff --git a/build/yamls/base/cluster-identity-reader.yml b/build/charts/antrea/templates/cluster-identity-reader/clusterrolebinding.yaml
similarity index 90%
rename from build/yamls/base/cluster-identity-reader.yml
rename to build/charts/antrea/templates/cluster-identity-reader/clusterrolebinding.yaml
index d2d93f54859..6b0db36d256 100644
--- a/build/yamls/base/cluster-identity-reader.yml
+++ b/build/charts/antrea/templates/cluster-identity-reader/clusterrolebinding.yaml
@@ -2,6 +2,8 @@ kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: antrea-cluster-identity-reader
+ labels:
+ app: antrea
rules:
- apiGroups:
- ""
diff --git a/build/charts/antrea/templates/configmap.yaml b/build/charts/antrea/templates/configmap.yaml
new file mode 100644
index 00000000000..4d749dec75d
--- /dev/null
+++ b/build/charts/antrea/templates/configmap.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: antrea-config
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: antrea
+data:
+{{ tpl (.Files.Glob "conf/*").AsConfig . | indent 2 | replace " \n" "\n" }}
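Review bot: The `replace " \n" "\n"` at the end of the data pipeline is doing real work but reads like noise; `indent` pads blank lines with spaces, and without the replace every blank line in the conf files becomes a trailing-whitespace line in the ConfigMap. A template comment on the preceding line would save the next reader a trip through the rendered output: `{{- /* indent leaves trailing spaces on blank lines; strip them so the ConfigMap is byte-stable across renders */ -}}`. It is also worth a note that `.Files.Glob "conf/*"` turns every file dropped into conf/ into a ConfigMap key and runs it through `tpl`, so the directory must hold only the agent, controller and CNI config files.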
diff --git a/build/charts/antrea/templates/controller/apiservices.yaml b/build/charts/antrea/templates/controller/apiservices.yaml
new file mode 100644
index 00000000000..c6b0a531edc
--- /dev/null
+++ b/build/charts/antrea/templates/controller/apiservices.yaml
@@ -0,0 +1,44 @@
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ name: v1beta2.controlplane.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: controlplane.antrea.io
+ groupPriorityMinimum: 100
+ version: v1beta2
+ versionPriority: 100
+ service:
+ name: antrea
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ name: v1beta1.system.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: system.antrea.io
+ groupPriorityMinimum: 100
+ version: v1beta1
+ versionPriority: 100
+ service:
+ name: antrea
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ name: v1alpha1.stats.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: stats.antrea.io
+ groupPriorityMinimum: 100
+ version: v1alpha1
+ versionPriority: 100
+ service:
+ name: antrea
+ namespace: {{ .Release.Namespace }}
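Review bot: All three APIService objects specify neither `caBundle` nor `insecureSkipTLSVerify`, so as written the kube-apiserver cannot verify the aggregated endpoint until something fills `caBundle` in. The controller ClusterRole comment elsewhere in this diff about "updating the CA cert" suggests antrea-controller injects it at runtime, but that is inferred; a comment at the top of this file such as `# caBundle is intentionally omitted: antrea-controller populates it with its serving CA at startup` would make the TLS trust model explicit for reviewers and for anyone tempted to set `insecureSkipTLSVerify: true` to "fix" a not-yet-ready APIService.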
diff --git a/build/yamls/base/controller-rbac.yml b/build/charts/antrea/templates/controller/clusterrole.yaml
similarity index 92%
rename from build/yamls/base/controller-rbac.yml
rename to build/charts/antrea/templates/controller/clusterrole.yaml
index 1952ea3bc6d..2a5f043af35 100644
--- a/build/yamls/base/controller-rbac.yml
+++ b/build/charts/antrea/templates/controller/clusterrole.yaml
@@ -1,14 +1,9 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: antrea-controller
- namespace: kube-system
----
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: antrea-controller
+ labels:
+ app: antrea
rules:
- apiGroups:
- ""
@@ -124,6 +119,9 @@ rules:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
resourceNames:
+ # always give permissions for labelsmutator.antrea.io, even when the
+ # feature is disabled, to avoid errors in antrea-controller when updating
+ # the CA cert.
- labelsmutator.antrea.io
- crdmutator.antrea.io
- crdvalidator.antrea.io
@@ -244,16 +242,3 @@ rules:
- get
- list
- watch
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: antrea-controller
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: antrea-controller
-subjects:
- - kind: ServiceAccount
- name: antrea-controller
- namespace: kube-system
diff --git a/build/charts/antrea/templates/controller/clusterrolebinding.yaml b/build/charts/antrea/templates/controller/clusterrolebinding.yaml
new file mode 100644
index 00000000000..010461d471e
--- /dev/null
+++ b/build/charts/antrea/templates/controller/clusterrolebinding.yaml
@@ -0,0 +1,14 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-controller
+ labels:
+ app: antrea
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: antrea-controller
+subjects:
+ - kind: ServiceAccount
+ name: antrea-controller
+ namespace: {{ .Release.Namespace }}
diff --git a/build/charts/antrea/templates/controller/deployment.yaml b/build/charts/antrea/templates/controller/deployment.yaml
new file mode 100644
index 00000000000..8f00801da97
--- /dev/null
+++ b/build/charts/antrea/templates/controller/deployment.yaml
@@ -0,0 +1,156 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: antrea-controller
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: antrea
+ component: antrea-controller
+spec:
+ strategy:
+ # Ensure the existing Pod is stopped before the new one is created.
+ type: Recreate
+ selector:
+ matchLabels:
+ app: antrea
+ component: antrea-controller
+ replicas: 1
+ template:
+ metadata:
+ annotations:
+ # Automatically restart Pod if the ConfigMap changes
+ # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
+ checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+ {{- with .Values.controller.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ app: antrea
+ component: antrea-controller
+ {{- with .Values.controller.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.controller.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ hostNetwork: true
+ priorityClassName: {{ .Values.controller.priorityClassName }}
+ {{- with .Values.controller.tolerations }}
+ tolerations:
+ {{- toYaml . | trim | nindent 8 }}
+ {{- end }}
+ {{- if .Values.testing.simulator.enable }}
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: antrea/instance
+ operator: NotIn
+ values:
+ - simulator
+ {{- else }}
+ {{- with .Values.controller.affinity }}
+ affinity:
+ {{- toYaml . | trim | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ serviceAccountName: antrea-controller
+ containers:
+ - name: antrea-controller
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ resources: {{- .Values.controller.antreaController.resources | toYaml | nindent 12 }}
+ {{- if ((.Values.testing).coverage) }}
+ command: ["/bin/sh"]
+ args: ["-c", "antrea-controller-coverage -test.run=TestBincoverRunMain -test.coverprofile=antrea-controller.cov.out -args-file=/controller-arg-file; while true; do sleep 5 & wait $!; done"]
+ {{- else }}
+ command: ["antrea-controller"]
+ # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).
+ args:
+ - "--config=/etc/antrea/antrea-controller.conf"
+ - "--logtostderr=false"
+ - "--log_dir=/var/log/antrea"
+ - "--alsologtostderr"
+ - "--log_file_max_size={{ .Values.controller.antreaController.logFileMaxSize }}"
+ - "--log_file_max_num={{ .Values.controller.antreaController.logFileMaxNum }}"
+ {{- if .Values.logVerbosity }}
+ - "--v={{ .Values.logVerbosity }}"
+ {{- end }}
+ {{- with .Values.controller.antreaController.extraArgs }}
+ {{- toYaml . | trim | nindent 12 }}
+ {{- end }}
+ {{- end }}
+ env:
+ # Provide pod and node information for clusterinformation CRD.
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ # Provide ServiceAccount name for validation webhook.
+ - name: SERVICEACCOUNT_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: ANTREA_CONFIG_MAP_NAME
+ value: antrea-config
+ {{- range $k, $v := .Values.controller.antreaController.extraEnv }}
+ - name: {{ $k | quote }}
+ value: {{ $v | quote }}
+ {{- end }}
+ ports:
+ - containerPort: 10349
+ name: api
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ host: localhost
+ path: /readyz
+ port: api
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
+ periodSeconds: 10
+ failureThreshold: 5
+ livenessProbe:
+ httpGet:
+ host: localhost
+ path: /livez
+ port: api
+ scheme: HTTPS
+ timeoutSeconds: 5
+ periodSeconds: 10
+ failureThreshold: 5
+ volumeMounts:
+ - name: antrea-config
+ mountPath: /etc/antrea/antrea-controller.conf
+ subPath: antrea-controller.conf
+ readOnly: true
+ - name: antrea-controller-tls
+ mountPath: /var/run/antrea/antrea-controller-tls
+ - name: host-var-log-antrea
+ mountPath: /var/log/antrea
+ volumes:
+ - name: antrea-config
+ configMap:
+ name: antrea-config
+ # Make it optional as we only read it when selfSignedCert=false.
+ - name: antrea-controller-tls
+ secret:
+ secretName: antrea-controller-tls
+ defaultMode: 0400
+ optional: true
+ - name: host-var-log-antrea
+ hostPath:
+ path: /var/log/antrea
+ type: DirectoryOrCreate
diff --git a/build/charts/antrea/templates/controller/service.yaml b/build/charts/antrea/templates/controller/service.yaml
new file mode 100644
index 00000000000..118f183f488
--- /dev/null
+++ b/build/charts/antrea/templates/controller/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: antrea
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: antrea
+spec:
+ ports:
+ - port: 443
+ protocol: TCP
+ targetPort: api
+ selector:
+ app: antrea
+ component: antrea-controller
diff --git a/build/charts/antrea/templates/controller/serviceaccount.yaml b/build/charts/antrea/templates/controller/serviceaccount.yaml
new file mode 100644
index 00000000000..94046c25030
--- /dev/null
+++ b/build/charts/antrea/templates/controller/serviceaccount.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: antrea-controller
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: antrea
diff --git a/build/yamls/base/crds-rbac.yml b/build/charts/antrea/templates/crds-rbac/clusterroles.yaml
similarity index 96%
rename from build/yamls/base/crds-rbac.yml
rename to build/charts/antrea/templates/crds-rbac/clusterroles.yaml
index 3ddc3ac9167..e076228450b 100644
--- a/build/yamls/base/crds-rbac.yml
+++ b/build/charts/antrea/templates/crds-rbac/clusterroles.yaml
@@ -1,9 +1,9 @@
----
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: aggregate-antrea-policies-edit
labels:
+ app: antrea
# Add these permissions to the "admin" and "edit" default roles.
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
@@ -17,6 +17,7 @@ apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: aggregate-antrea-policies-view
labels:
+ app: antrea
# Add these permissions to the "view" default role.
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
@@ -29,6 +30,7 @@ kind: ClusterRole
metadata:
name: aggregate-traceflows-edit
labels:
+ app: antrea
# Add these permissions to the "admin" and "edit" default roles.
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
@@ -42,6 +44,7 @@ apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: aggregate-traceflows-view
labels:
+ app: antrea
# Add these permissions to the "view" default role.
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
@@ -54,6 +57,7 @@ kind: ClusterRole
metadata:
name: aggregate-antrea-clustergroups-edit
labels:
+ app: antrea
# Add these permissions to the "admin" and "edit" default roles.
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
@@ -67,10 +71,10 @@ apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: aggregate-antrea-clustergroups-view
labels:
+ app: antrea
# Add these permissions to the "view" default role.
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: ["crd.antrea.io"]
resources: ["clustergroups"]
verbs: ["get", "list", "watch"]
----
diff --git a/build/charts/antrea/templates/crds/antreaagentinfo.yaml b/build/charts/antrea/templates/crds/antreaagentinfo.yaml
new file mode 100644
index 00000000000..e81509d2ce1
--- /dev/null
+++ b/build/charts/antrea/templates/crds/antreaagentinfo.yaml
@@ -0,0 +1,52 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: antreaagentinfos.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - description: Health status of this Agent
+ jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status"
+ name: Healthy
+ type: string
+ - description: Last time the Healthy Condition was updated
+ jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime"
+ name: Last Heartbeat
+ type: date
+ - description: Version of this Agent
+ jsonPath: ".version"
+ name: Version
+ type: string
+ priority: 1
+ - description: Node on which this Agent is running
+ jsonPath: ".nodeRef.name"
+ name: Node
+ type: string
+ priority: 1
+ - description: Number of local Pods managed by this Agent
+ jsonPath: ".localPodNum"
+ name: Num Pods
+ type: integer
+ priority: 2
+ - description: Subnets used by this Agent for Pod IPAM
+ jsonPath: ".nodeSubnets"
+ name: Subnets
+ type: string
+ priority: 2
+ scope: Cluster
+ names:
+ plural: antreaagentinfos
+ singular: antreaagentinfo
+ kind: AntreaAgentInfo
+ shortNames:
+ - aai
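Review bot: Placing the CRDs under `templates/` rather than the chart's `crds/` directory means Helm treats them as ordinary release resources: `helm upgrade` will update them, but `helm uninstall` will also delete them, and with them every AntreaAgentInfo, AntreaControllerInfo, ClusterGroup and policy object in the cluster. That may well be the intended trade-off (the `crds/` directory is never upgraded by Helm), but it is a data-loss behaviour users should see before they run an uninstall; a short section in the chart README, or a header comment in this file and in antreacontrollerinfo.yaml and clustergroup.yaml, should state it and point to the `helm.sh/resource-policy: keep` annotation as the way to retain the CRDs on uninstall. The clustergroup.yaml hunk continues past the end of this excerpt.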
diff --git a/build/charts/antrea/templates/crds/antreacontrollerinfo.yaml b/build/charts/antrea/templates/crds/antreacontrollerinfo.yaml
new file mode 100644
index 00000000000..d3cc473c5f2
--- /dev/null
+++ b/build/charts/antrea/templates/crds/antreacontrollerinfo.yaml
@@ -0,0 +1,52 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: antreacontrollerinfos.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - description: Health status of the Controller
+ jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status"
+ name: Healthy
+ type: string
+ - description: Last time the Healthy Condition was updated
+ jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime"
+ name: Last Heartbeat
+ type: date
+ - description: Version of the Controller
+ jsonPath: ".version"
+ name: Version
+ type: string
+ priority: 1
+ - description: Number of Agents connected to the Controller
+ jsonPath: ".connectedAgentNum"
+ name: Connected Agents
+ type: integer
+ priority: 1
+ - description: Node on which the Controller is running
+ jsonPath: ".nodeRef.name"
+ name: Node
+ type: string
+ priority: 1
+ - description: Number of Network Policies computed by Controller
+ jsonPath: ".networkPolicyControllerInfo.networkPolicyNum"
+ name: Num Network Policies
+ type: integer
+ priority: 2
+ scope: Cluster
+ names:
+ plural: antreacontrollerinfos
+ singular: antreacontrollerinfo
+ kind: AntreaControllerInfo
+ shortNames:
+ - aci
diff --git a/build/charts/antrea/templates/crds/clustergroup.yaml b/build/charts/antrea/templates/crds/clustergroup.yaml
new file mode 100644
index 00000000000..8989b1ce9b0
--- /dev/null
+++ b/build/charts/antrea/templates/crds/clustergroup.yaml
@@ -0,0 +1,263 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clustergroups.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: false
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ childGroups:
+ type: array
+ items:
+ type: string
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ externalEntitySelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ ipBlocks:
+ type: array
+ items:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ serviceReference:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ status:
+ type: object
+ properties:
+ conditions:
+ type: array
+ items:
+ type: object
+ properties:
+ type:
+ type: string
+ status:
+ type: string
+ lastTransitionTime:
+ type: string
+ - name: v1alpha3
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ childGroups:
+ type: array
+ items:
+ type: string
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ externalEntitySelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ipBlocks:
+ type: array
+ items:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ serviceReference:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ status:
+ type: object
+ properties:
+ conditions:
+ type: array
+ items:
+ type: object
+ properties:
+ type:
+ type: string
+ status:
+ type: string
+ lastTransitionTime:
+ type: string
+ subresources:
+ status: {}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions: ["v1", "v1beta1"]
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: "kube-system"
+ path: "/convert/clustergroup"
+ scope: Cluster
+ names:
+ plural: clustergroups
+ singular: clustergroup
+ kind: ClusterGroup
+ shortNames:
+ - cg
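Review bot: The conversion webhook's `clientConfig.service.namespace` is hard-coded to `"kube-system"` even though this file now lives under the Helm chart's `templates/` directory; if the chart is installed into any other namespace, conversion requests for v1alpha2 ClusterGroups would be routed to a Service that does not exist there. Unless the chart pins its release namespace elsewhere, `namespace: {{ .Release.Namespace }}` (or the chart's namespace value) is the safer form. No `caBundle` is set either, which presumably means the controller injects it at runtime; a one-line comment above `clientConfig` stating that, e.g. `# caBundle is populated by antrea-controller at startup`, would tell the next reader how the API server ends up verifying the webhook's certificate.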
diff --git a/build/charts/antrea/templates/crds/clusternetworkpolicy.yaml b/build/charts/antrea/templates/crds/clusternetworkpolicy.yaml
new file mode 100644
index 00000000000..b2a654a391f
--- /dev/null
+++ b/build/charts/antrea/templates/crds/clusternetworkpolicy.yaml
@@ -0,0 +1,541 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusternetworkpolicies.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - name: Tier
+ type: string
+ description: The Tier to which this ClusterNetworkPolicy belongs to.
+ jsonPath: .spec.tier
+ - name: Priority
+ type: number
+ format: float
+ description: The Priority of this ClusterNetworkPolicy relative to other policies.
+ jsonPath: .spec.priority
+ - name: Desired Nodes
+ type: number
+ format: int32
+ description: The total number of Nodes that should realize the NetworkPolicy.
+ jsonPath: .status.desiredNodesRealized
+ - name: Current Nodes
+ type: number
+ format: int32
+ description: The number of Nodes that have realized the NetworkPolicy.
+ jsonPath: .status.currentNodesRealized
+ - name: Age
+ type: date
+ jsonPath: .metadata.creationTimestamp
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ # Ensure that Spec.Priority field is set
+ required:
+ - priority
+ type: object
+ properties:
+ tier:
+ type: string
+ priority:
+ type: number
+ format: float
+ # Ensure that Spec.Priority field is between 1 and 10000
+ minimum: 1.0
+ maximum: 10000.0
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that Spec.AppliedTo does not allow IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ group:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ ingress:
+ type: array
+ items:
+ type: object
+ required:
+ - action
+ properties:
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that rule AppliedTo does not allow IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ group:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ # Ensure that Action field allows only ALLOW, DROP and REJECT values
+ action:
+ type: string
+ enum: ['Allow', 'Drop', 'Reject', 'Pass']
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ endPort:
+ type: integer
+ from:
+ type: array
+ items:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaces:
+ type: object
+ properties:
+ match:
+ enum:
+ - Self
+ type: string
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ group:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ name:
+ type: string
+ enableLogging:
+ type: boolean
+ egress:
+ type: array
+ items:
+ type: object
+ required:
+ - action
+ properties:
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that rule AppliedTo does not allow IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ group:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ # Ensure that Action field allows only ALLOW, DROP and REJECT values
+ action:
+ type: string
+ enum: ['Allow', 'Drop', 'Reject', 'Pass']
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ endPort:
+ type: integer
+ to:
+ type: array
+ items:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaces:
+ type: object
+ properties:
+ match:
+ type: string
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ group:
+ type: string
+ fqdn:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ toServices:
+ type: array
+ items:
+ type: object
+ required:
+ - name
+ - namespace
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ name:
+ type: string
+ enableLogging:
+ type: boolean
+ status:
+ type: object
+ properties:
+ phase:
+ type: string
+ observedGeneration:
+ type: integer
+ currentNodesRealized:
+ type: integer
+ desiredNodesRealized:
+ type: integer
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: clusternetworkpolicies
+ singular: clusternetworkpolicy
+ kind: ClusterNetworkPolicy
+ shortNames:
+ - acnp
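Review bot: In the egress `to` entries, `namespaces.match` is declared as a plain `type: string`, whereas the ingress `from` counterpart constrains it with `enum: [Self]`; unless egress intentionally accepts more values, the egress block should carry the same enum so an unsupported match value is rejected at admission rather than passed through to the controller. Separately, the comment `# Ensure that Action field allows only ALLOW, DROP and REJECT values` above each `action` field is stale: the enum beneath it also lists `Pass`, so it should read `# Ensure that Action field allows only Allow, Drop, Reject and Pass values`. That comment appears twice in this file and twice more in networkpolicy.yaml.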
diff --git a/build/charts/antrea/templates/crds/egress.yaml b/build/charts/antrea/templates/crds/egress.yaml
new file mode 100644
index 00000000000..bcdfea97652
--- /dev/null
+++ b/build/charts/antrea/templates/crds/egress.yaml
@@ -0,0 +1,112 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: egresses.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ required:
+ - spec
+ properties:
+ spec:
+ type: object
+ required:
+ - appliedTo
+ anyOf:
+ - required:
+ - egressIP
+ - required:
+ - externalIPPool
+ properties:
+ appliedTo:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ egressIP:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ externalIPPool:
+ type: string
+ status:
+ type: object
+ properties:
+ egressNode:
+ type: string
+ additionalPrinterColumns:
+ - description: Specifies the SNAT IP address for the selected workloads.
+ jsonPath: .spec.egressIP
+ name: EgressIP
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ - description: The Owner Node of egress IP
+ jsonPath: .status.egressNode
+ name: Node
+ type: string
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: egresses
+ singular: egress
+ kind: Egress
+ shortNames:
+ - eg
diff --git a/build/charts/antrea/templates/crds/externalentity.yaml b/build/charts/antrea/templates/crds/externalentity.yaml
new file mode 100644
index 00000000000..bfa251ebe57
--- /dev/null
+++ b/build/charts/antrea/templates/crds/externalentity.yaml
@@ -0,0 +1,58 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: externalentities.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ endpoints:
+ type: array
+ items:
+ type: object
+ properties:
+ ip:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ name:
+ type: string
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ name:
+ type: string
+ externalNode:
+ type: string
+ - name: v1alpha1
+ served: false
+ storage: false
+ schema:
+ openAPIV3Schema:
+ type: object
+ scope: Namespaced
+ names:
+ plural: externalentities
+ singular: externalentity
+ kind: ExternalEntity
+ shortNames:
+ - ee
diff --git a/build/charts/antrea/templates/crds/externalippool.yaml b/build/charts/antrea/templates/crds/externalippool.yaml
new file mode 100644
index 00000000000..080c0c620c0
--- /dev/null
+++ b/build/charts/antrea/templates/crds/externalippool.yaml
@@ -0,0 +1,103 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: externalippools.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ required:
+ - spec
+ properties:
+ spec:
+ type: object
+ required:
+ - ipRanges
+ - nodeSelector
+ properties:
+ ipRanges:
+ type: array
+ items:
+ type: object
+ oneOf:
+ - required:
+ - cidr
+ - required:
+ - start
+ - end
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ start:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ end:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ type: object
+ properties:
+ usage:
+ type: object
+ properties:
+ total:
+ type: integer
+ used:
+ type: integer
+ additionalPrinterColumns:
+ - description: The number of total IPs
+ jsonPath: .status.usage.total
+ name: Total
+ type: integer
+ - description: The number of allocated IPs
+ jsonPath: .status.usage.used
+ name: Used
+ type: integer
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: externalippools
+ singular: externalippool
+ kind: ExternalIPPool
+ shortNames:
+ - eip
diff --git a/build/charts/antrea/templates/crds/ippool.yaml b/build/charts/antrea/templates/crds/ippool.yaml
new file mode 100644
index 00000000000..32529c81e51
--- /dev/null
+++ b/build/charts/antrea/templates/crds/ippool.yaml
@@ -0,0 +1,109 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: ippools.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ required:
+ - spec
+ properties:
+ spec:
+ required:
+ - ipVersion
+ - ipRanges
+ type: object
+ properties:
+ ipVersion:
+ type: integer
+ ipRanges:
+ items:
+ oneOf:
+ - required:
+ - cidr
+ - gateway
+ - prefixLength
+ - required:
+ - start
+ - end
+ - gateway
+ - prefixLength
+ properties:
+ cidr:
+ format: cidr
+ type: string
+ start:
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ type: string
+ end:
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ type: string
+ gateway:
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ type: string
+ prefixLength:
+ type: integer
+ vlan:
+ type: integer
+ minimum: 0
+ maximum: 4094
+ type: object
+ type: array
+ status:
+ properties:
+ ipAddresses:
+ items:
+ properties:
+ ipAddress:
+ type: string
+ owner:
+ properties:
+ pod:
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ containerID:
+ type: string
+ ifName:
+ type: string
+ type: object
+ statefulSet:
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ index:
+ type: integer
+ type: object
+ type: object
+ phase:
+ type: string
+ type: object
+ type: array
+ type: object
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: ippools
+ singular: ippool
+ kind: IPPool
+ shortNames:
+ - ipp
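Review bot: `spec.ipVersion` is validated only as `type: integer`, so any integer is accepted at admission even though the field only makes sense as 4 or 6; if the controller does not accept other values, `enum: [4, 6]` would move that rejection to the API server. `prefixLength` likewise has no bounds while the neighbouring `vlan` field does (0–4094); `minimum: 0` and `maximum: 128` would be consistent with that style. Both are suggestions to confirm against the controller's own validation.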
diff --git a/build/charts/antrea/templates/crds/networkpolicy.yaml b/build/charts/antrea/templates/crds/networkpolicy.yaml
new file mode 100644
index 00000000000..6cdeb5aa50b
--- /dev/null
+++ b/build/charts/antrea/templates/crds/networkpolicy.yaml
@@ -0,0 +1,444 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: networkpolicies.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - name: Tier
+ type: string
+ description: The Tier to which this Antrea NetworkPolicy belongs to.
+ jsonPath: .spec.tier
+ - name: Priority
+ type: number
+ format: float
+ description: The Priority of this Antrea NetworkPolicy relative to other policies.
+ jsonPath: .spec.priority
+ - name: Desired Nodes
+ type: number
+ format: int32
+ description: The total number of Nodes that should realize the NetworkPolicy.
+ jsonPath: .status.desiredNodesRealized
+ - name: Current Nodes
+ type: number
+ format: int32
+ description: The number of Nodes that have realized the NetworkPolicy.
+ jsonPath: .status.currentNodesRealized
+ - name: Age
+ type: date
+ jsonPath: .metadata.creationTimestamp
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ # Ensure that Spec.Priority field is set
+ required:
+ - priority
+ type: object
+ properties:
+ tier:
+ type: string
+ priority:
+ type: number
+ format: float
+ # Ensure that Spec.Priority field is between 1 and 10000
+ minimum: 1.0
+ maximum: 10000.0
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ingress:
+ type: array
+ items:
+ type: object
+ required:
+ - action
+ properties:
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ # Ensure that Action field allows only ALLOW, DROP and REJECT values
+ action:
+ type: string
+ enum: ['Allow', 'Drop', 'Reject', 'Pass']
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ endPort:
+ type: integer
+ from:
+ type: array
+ items:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ externalEntitySelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ name:
+ type: string
+ enableLogging:
+ type: boolean
+ egress:
+ type: array
+ items:
+ type: object
+ required:
+ - action
+ properties:
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ # Ensure that Action field allows only ALLOW, DROP and REJECT values
+ action:
+ type: string
+ enum: ['Allow', 'Drop', 'Reject', 'Pass']
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ endPort:
+ type: integer
+ to:
+ type: array
+ items:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ externalEntitySelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ fqdn:
+ type: string
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ toServices:
+ type: array
+ items:
+ type: object
+ required:
+ - name
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ name:
+ type: string
+ enableLogging:
+ type: boolean
+ status:
+ type: object
+ properties:
+ phase:
+ type: string
+ observedGeneration:
+ type: integer
+ currentNodesRealized:
+ type: integer
+ desiredNodesRealized:
+ type: integer
+ subresources:
+ status: {}
+ scope: Namespaced
+ names:
+ plural: networkpolicies
+ singular: networkpolicy
+ kind: NetworkPolicy
+ shortNames:
+ - anp
diff --git a/build/charts/antrea/templates/crds/tier.yaml b/build/charts/antrea/templates/crds/tier.yaml
new file mode 100644
index 00000000000..1ee1a1ce5fe
--- /dev/null
+++ b/build/charts/antrea/templates/crds/tier.yaml
@@ -0,0 +1,42 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: tiers.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - name: Priority
+ type: integer
+ description: The Priority of this Tier relative to other Tiers.
+ jsonPath: .spec.priority
+ - name: Age
+ type: date
+ jsonPath: .metadata.creationTimestamp
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ required:
+ - priority
+ type: object
+ properties:
+ priority:
+ type: integer
+ minimum: 0
+ maximum: 255
+ description:
+ type: string
+ scope: Cluster
+ names:
+ plural: tiers
+ singular: tier
+ kind: Tier
+ shortNames:
+ - tr
diff --git a/build/charts/antrea/templates/crds/traceflow.yaml b/build/charts/antrea/templates/crds/traceflow.yaml
new file mode 100644
index 00000000000..45d00fbb275
--- /dev/null
+++ b/build/charts/antrea/templates/crds/traceflow.yaml
@@ -0,0 +1,251 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: traceflows.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - jsonPath: .status.phase
+ description: The phase of the Traceflow.
+ name: Phase
+ type: string
+ - jsonPath: .spec.source.pod
+ description: The name of the source Pod.
+ name: Source-Pod
+ type: string
+ priority: 10
+ - jsonPath: .spec.destination.pod
+ description: The name of the destination Pod.
+ name: Destination-Pod
+ type: string
+ priority: 10
+ - jsonPath: .spec.destination.ip
+ description: The IP address of the destination.
+ name: Destination-IP
+ type: string
+ priority: 10
+ - jsonPath: .spec.liveTraffic
+ description: Trace live traffic.
+ name: Live-Traffic
+ type: boolean
+ priority: 10
+ - jsonPath: .spec.droppedOnly
+ description: Capture only the dropped packet.
+ name: Dropped-Only
+ type: boolean
+ priority: 10
+ - jsonPath: .spec.timeout
+ description: Timeout in seconds.
+ name: Timeout
+ type: integer
+ priority: 10
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ schema:
+ openAPIV3Schema:
+ type: object
+ required:
+ - spec
+ properties:
+ spec:
+ type: object
+ properties:
+ source:
+ type: object
+ properties:
+ pod:
+ type: string
+ namespace:
+ type: string
+ ip:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ destination:
+ type: object
+ properties:
+ pod:
+ type: string
+ service:
+ type: string
+ namespace:
+ type: string
+ ip:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ packet:
+ type: object
+ properties:
+ ipHeader:
+ type: object
+ properties:
+ srcIP:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ protocol:
+ type: integer
+ ttl:
+ type: integer
+ flags:
+ type: integer
+ ipv6Header:
+ type: object
+ properties:
+ srcIP:
+ type: string
+ format: ipv6
+ nextHeader:
+ type: integer
+ hopLimit:
+ type: integer
+ transportHeader:
+ type: object
+ properties:
+ icmp:
+ type: object
+ properties:
+ id:
+ type: integer
+ sequence:
+ type: integer
+ udp:
+ type: object
+ properties:
+ srcPort:
+ type: integer
+ dstPort:
+ type: integer
+ tcp:
+ type: object
+ properties:
+ srcPort:
+ type: integer
+ dstPort:
+ type: integer
+ flags:
+ type: integer
+ liveTraffic:
+ type: boolean
+ droppedOnly:
+ type: boolean
+ timeout:
+ type: integer
+ status:
+ type: object
+ properties:
+ reason:
+ type: string
+ dataplaneTag:
+ type: integer
+ phase:
+ type: string
+ startTime:
+ type: string
+ results:
+ type: array
+ items:
+ type: object
+ properties:
+ node:
+ type: string
+ role:
+ type: string
+ timestamp:
+ type: integer
+ observations:
+ type: array
+ items:
+ type: object
+ properties:
+ component:
+ type: string
+ componentInfo:
+ type: string
+ action:
+ type: string
+ pod:
+ type: string
+ dstMAC:
+ type: string
+ networkPolicy:
+ type: string
+ ttl:
+ type: integer
+ translatedSrcIP:
+ type: string
+ translatedDstIP:
+ type: string
+ tunnelDstIP:
+ type: string
+ capturedPacket:
+ properties:
+ srcIP:
+ type: string
+ dstIP:
+ type: string
+ length:
+ type: integer
+ ipHeader:
+ properties:
+ flags:
+ type: integer
+ protocol:
+ type: integer
+ ttl:
+ type: integer
+ type: object
+ ipv6Header:
+ properties:
+ hopLimit:
+ type: integer
+ nextHeader:
+ type: integer
+ type: object
+ transportHeader:
+ properties:
+ tcp:
+ properties:
+ dstPort:
+ type: integer
+ srcPort:
+ type: integer
+ flags:
+ type: integer
+ type: object
+ udp:
+ properties:
+ dstPort:
+ type: integer
+ srcPort:
+ type: integer
+ type: object
+ icmp:
+ properties:
+ id:
+ type: integer
+ sequence:
+ type: integer
+ type: object
+ type: object
+ type: object
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: traceflows
+ singular: traceflow
+ kind: Traceflow
+ shortNames:
+ - tf
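Review bot: `spec.timeout`, `spec.packet.ipHeader.ttl`, `spec.packet.ipHeader.protocol` and `spec.packet.ipv6Header.hopLimit`/`nextHeader` are declared `type: integer` with no `minimum`/`maximum`, so the CRD admits negative or out-of-range values and leaves rejection entirely to the controller. The byte-sized header fields could be bounded in the schema the way tier.yaml bounds `priority` (`minimum: 0`, `maximum: 255`), and `timeout` could take `minimum: 1`, unless the controller already enforces its own limits and the permissive schema is deliberate. `status.startTime` is a plain string; if it carries an RFC 3339 timestamp, `format: date-time` would both document and validate that.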
diff --git a/build/charts/antrea/templates/simulator/configmap.yaml b/build/charts/antrea/templates/simulator/configmap.yaml
new file mode 100644
index 00000000000..b4f4010ea83
--- /dev/null
+++ b/build/charts/antrea/templates/simulator/configmap.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.testing.simulator.enable }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: node-configmap
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: antrea
+data:
+ content.type: test-cluster
+{{- end }}
diff --git a/build/yamls/patches/simulator/antrea-agent-simulator.yml b/build/charts/antrea/templates/simulator/statefulset.yaml
similarity index 96%
rename from build/yamls/patches/simulator/antrea-agent-simulator.yml
rename to build/charts/antrea/templates/simulator/statefulset.yaml
index d66b83f904c..3b88accb1bb 100644
--- a/build/yamls/patches/simulator/antrea-agent-simulator.yml
+++ b/build/charts/antrea/templates/simulator/statefulset.yaml
@@ -1,17 +1,11 @@
----
-apiVersion: v1
-data:
- content.type: test-cluster
-kind: ConfigMap
-metadata:
- name: node-configmap
- namespace: kube-system
----
+{{- if .Values.testing.simulator.enable }}
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: antrea-agent-simulator
- namespace: kube-system
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: antrea
spec:
podManagementPolicy: Parallel
replicas: 1
@@ -151,3 +145,4 @@ spec:
- effect: NoExecute
key: node.kubernetes.io/not-ready
operator: Exists
+{{- end }}
diff --git a/build/charts/antrea/templates/webhooks/mutating/crdmutator.yaml b/build/charts/antrea/templates/webhooks/mutating/crdmutator.yaml
new file mode 100644
index 00000000000..f87e33111de
--- /dev/null
+++ b/build/charts/antrea/templates/webhooks/mutating/crdmutator.yaml
@@ -0,0 +1,37 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: "crdmutator.antrea.io"
+ labels:
+ app: antrea
+webhooks:
+ - name: "acnpmutator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: {{ .Release.Namespace }}
+ path: "/mutate/acnp"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["clusternetworkpolicies"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "anpmutator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: {{ .Release.Namespace }}
+ path: "/mutate/anp"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["networkpolicies"]
+ scope: "Namespaced"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
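Review bot: Neither webhook in this file sets `failurePolicy`, so both rely on the API server default of `Fail`; the same holds for every entry in webhooks/validating/crdvalidator.yaml. Fail-closed is the right behavior for webhooks that gate policy CRDs, so state it explicitly with `failurePolicy: Fail` next to `sideEffects: None` rather than leaving it to a default the reader has to look up. `clientConfig` carries no `caBundle`; if the controller is expected to patch it in at runtime, a one-line comment saying so would stop the next maintainer from reading the configuration as incomplete.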
diff --git a/build/yamls/patches/admissioncontroller/webhook.yml b/build/charts/antrea/templates/webhooks/mutating/labelsmutator.yaml
similarity index 86%
rename from build/yamls/patches/admissioncontroller/webhook.yml
rename to build/charts/antrea/templates/webhooks/mutating/labelsmutator.yaml
index b36ac0edeb1..f87a49e30db 100644
--- a/build/yamls/patches/admissioncontroller/webhook.yml
+++ b/build/charts/antrea/templates/webhooks/mutating/labelsmutator.yaml
@@ -1,7 +1,10 @@
+{{- if .Values.webhooks.labelsMutator.enable }}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: "labelsmutator.antrea.io"
+ labels:
+ app: antrea
webhooks:
- name: "namelabelmutator.antrea.io"
clientConfig:
@@ -18,3 +21,4 @@ webhooks:
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
timeoutSeconds: 5
+{{- end }}
diff --git a/build/charts/antrea/templates/webhooks/validating/crdvalidator.yaml b/build/charts/antrea/templates/webhooks/validating/crdvalidator.yaml
new file mode 100644
index 00000000000..6cd661c3eeb
--- /dev/null
+++ b/build/charts/antrea/templates/webhooks/validating/crdvalidator.yaml
@@ -0,0 +1,112 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: "crdvalidator.antrea.io"
+ labels:
+ app: antrea
+webhooks:
+ - name: "tiervalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: {{ .Release.Namespace }}
+ path: "/validate/tier"
+ rules:
+ - operations: ["CREATE", "UPDATE", "DELETE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["tiers"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "acnpvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: {{ .Release.Namespace }}
+ path: "/validate/acnp"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["clusternetworkpolicies"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "anpvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: {{ .Release.Namespace }}
+ path: "/validate/anp"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["networkpolicies"]
+ scope: "Namespaced"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "clustergroupvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: {{ .Release.Namespace }}
+ path: "/validate/clustergroup"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha3", "v1alpha2"]
+ resources: ["clustergroups"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "externalippoolvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: {{ .Release.Namespace }}
+ path: "/validate/externalippool"
+ rules:
+ - operations: ["UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha2"]
+ resources: ["externalippools"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "egressvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: {{ .Release.Namespace }}
+ path: "/validate/egress"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha2"]
+ resources: ["egresses"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "ippoolvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: {{ .Release.Namespace }}
+ path: "/validate/ippool"
+ rules:
+ - operations: ["CREATE", "UPDATE", "DELETE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha2"]
+ resources: ["ippools"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
diff --git a/build/charts/antrea/templates/whereabouts/clusterrole.yaml b/build/charts/antrea/templates/whereabouts/clusterrole.yaml
new file mode 100644
index 00000000000..c7af5821866
--- /dev/null
+++ b/build/charts/antrea/templates/whereabouts/clusterrole.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.whereabouts.enable }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-agent-whereabouts
+ labels:
+ app: antrea
+rules:
+ - apiGroups:
+ - whereabouts.cni.cncf.io
+ resources:
+ - ippools
+ verbs:
+ - get
+ - put
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+{{- end }}
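Review bot: `put` in the verbs list is not a Kubernetes RBAC request verb (those are get, list, watch, create, update, patch, delete and deletecollection), so the entry grants nothing and only suggests a permission that does not exist; drop `- put`. The remaining verbs already give full create/update/patch/delete on `ippools` in `whereabouts.cni.cncf.io`, which is reasonable if that is what the whereabouts IPAM plugin requires, but a short comment above `rules:` naming the consumer would keep the scope reviewable later.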
diff --git a/build/charts/antrea/templates/whereabouts/clusterrolebinding.yaml b/build/charts/antrea/templates/whereabouts/clusterrolebinding.yaml
new file mode 100644
index 00000000000..5961902f8ff
--- /dev/null
+++ b/build/charts/antrea/templates/whereabouts/clusterrolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.whereabouts.enable }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-agent-whereabouts
+ labels:
+ app: antrea
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: antrea-agent-whereabouts
+subjects:
+ - kind: ServiceAccount
+ name: antrea-agent-whereabouts
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/build/charts/antrea/templates/whereabouts/secret.yaml b/build/charts/antrea/templates/whereabouts/secret.yaml
new file mode 100644
index 00000000000..fba1efd9058
--- /dev/null
+++ b/build/charts/antrea/templates/whereabouts/secret.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.whereabouts.enable }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: whereabouts-cni-secret
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ kubernetes.io/service-account.name: antrea-agent-whereabouts
+ labels:
+ app: antrea
+type: kubernetes.io/service-account-token
+{{- end }}
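Review bot: A Secret of type `kubernetes.io/service-account-token` asks the control plane to mint a long-lived, non-expiring token for the `antrea-agent-whereabouts` ServiceAccount; unlike the projected tokens mounted into Pods it is never rotated and stays valid until the Secret is deleted. Presumably it exists because the whereabouts binary runs on the host outside any Pod and needs a kubeconfig credential, but the file does not say so, and the lifetime is the kind of thing a reviewer of the cluster's credentials wants stated. Add a comment above `type:` such as `# Long-lived (non-expiring) token for the antrea-agent-whereabouts ServiceAccount; it is not rotated and remains valid until this Secret is deleted.` and, if the host-side consumer is the reason, name it there.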
diff --git a/build/charts/antrea/templates/whereabouts/serviceaccount.yaml b/build/charts/antrea/templates/whereabouts/serviceaccount.yaml
new file mode 100644
index 00000000000..9129cf25470
--- /dev/null
+++ b/build/charts/antrea/templates/whereabouts/serviceaccount.yaml
@@ -0,0 +1,9 @@
+{{- if .Values.whereabouts.enable }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: antrea-agent-whereabouts
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: antrea
+{{- end }}
diff --git a/build/charts/antrea/values.yaml b/build/charts/antrea/values.yaml
new file mode 100644
index 00000000000..8a587f202b3
--- /dev/null
+++ b/build/charts/antrea/values.yaml
@@ -0,0 +1,266 @@
+# -- Container image to use for Antrea components.
+image:
+ repository: "projects.registry.vmware.com/antrea/antrea-ubuntu"
+ pullPolicy: "IfNotPresent"
+ tag: "latest"
+
+# -- Determines how traffic is encapsulated. It must be one of "encap",
+# "noEncap", "hybrid", or "networkPolicyOnly".
+trafficEncapMode: "encap"
+# -- Tunnel protocol used for encapsulating traffic across Nodes. It must be one
+# of "geneve", "vxlan", "gre", "stt".
+tunnelType: "geneve"
+# -- Determines how tunnel traffic is encrypted. Currently encryption only works
+# with encap mode.It must be one of "none", "ipsec", "wireGuard".
+trafficEncryptionMode: "none"
+# -- Enable bridging mode of Pod network on Nodes, in which the Node's transport
+# interface is connected to the OVS bridge.
+enableBridgingMode: false
+# -- Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to
+# the external network.
+noSNAT: false
+# -- Name of the interface antrea-agent will create and use for host <-> Pod
+# communication.
+hostGateway: "antrea-gw0"
+# -- Name of the interface on Node which is used for tunneling or routing the
+# traffic across Nodes.
+transportInterface: ""
+# -- Network CIDRs of the interface on Node which is used for tunneling or
+# routing the traffic across Nodes.
+transportInterfaceCIDRs: []
+# -- Names of the interfaces on Nodes that are used to forward multicast traffic.
+multicastInterfaces: []
+# -- Default MTU to use for the host gateway interface and the network interface
+# of each Pod. By default, antrea-agent will discover the MTU of the Node's
+# primary interface and adjust it to accommodate for tunnel encapsulation
+# overhead if applicable.
+defaultMTU: 0
+
+ovs:
+ # -- Name of the OVS bridge antrea-agent will create and use.
+ bridgeName: "br-int"
+ # -- Enable hardware offload for the OVS bridge (required additional
+ # configuration).
+ hwOffload: false
+
+wireGuard:
+ # -- Port for WireGuard to send and receive traffic.
+ port: 51820
+
+ipsec:
+ # -- Preshared Key (PSK) for IKE authentication. It will be stored in a secret
+ # and passed to antrea-agent as an environment variable.
+ psk: "changeme"
+
+egress:
+ # -- CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses.
+ exceptCIDRs: []
+
+nodePortLocal:
+ # -- Enable the NodePortLocal feature.
+ enable: false
+ # -- Port range used by NodePortLocal when creating Pod port mappings.
+ portRange: "61000-62000"
+
+antreaProxy:
+ # -- Proxy all Service traffic, for all Service types, regardless of where it
+ # comes from.
+ proxyAll: false
+ # -- String array of values which specifies the host IPv4/IPv6 addresses for
+ # NodePort. By default, all host addresses are used.
+ nodePortAddresses: []
+ ## -- List of Services which should be ignored by AntreaProxy.
+ skipServices: []
+ # -- When set to false, AntreaProxy no longer load-balances traffic destined
+ # to the External IPs of LoadBalancer Services.
+ proxyLoadBalancerIPs: true
+
+nodeIPAM:
+ # -- Enable Node IPAM in Antrea
+ enable: false
+ # -- CIDR ranges to use when allocating Pod IP addresses.
+ clusterCIDRs: []
+ # -- IPv4 CIDR ranges reserved for Services.
+ serviceCIDR: ""
+ # -- IPv6 CIDR ranges reserved for Services.
+ serviceCIDRv6: ""
+ # -- Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster.
+ nodeCIDRMaskSizeIPv4: 24
+ # -- Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster.
+ nodeCIDRMaskSizeIPv6: 64
+
+# -- Address of Kubernetes apiserver, to override any value provided in
+# kubeconfig or InClusterConfig.
+kubeAPIServerOverride: ""
+# -- IPv4 CIDR range used for Services. Required when AntreaProxy is disabled.
+serviceCIDR: ""
+# -- IPv6 CIDR range used for Services. Required when AntreaProxy is disabled.
+serviceCIDRv6: ""
+
+# -- Comma-separated list of cipher suites that will be used by the Antrea
+# APIservers. If empty, the default Go Cipher Suites will be used. See
+# https://golang.org/pkg/crypto/tls/#pkg-constants.
+tlsCipherSuites: ""
+# -- TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12,
+# VersionTLS13.
+tlsMinVersion: ""
+
+# -- To explicitly enable or disable a FeatureGate and bypass the Antrea
+# defaults, add an entry to the dictionary with the FeatureGate's name as the
+# key and a boolean as the value.
+featureGates: {}
+
+agent:
+ # -- Port for the antrea-agent APIServer to serve on.
+ apiPort: 10350
+ # -- Enable metrics exposure via Prometheus.
+ enablePrometheusMetrics: true
+ # -- Annotations to be added to antrea-agent Pods.
+ podAnnotations: {}
+ # -- Labels to be added to antrea-agent Pods.
+ podLabels: {}
+ # -- Tolerations for the antrea-agent Pods.
+ tolerations:
+ # Mark it as a critical add-on.
+ - key: CriticalAddonsOnly
+ operator: Exists
+ # Make sure it gets scheduled on all Nodes.
+ - effect: NoSchedule
+ operator: Exists
+ # Make sure it doesn't get evicted.
+ - effect: NoExecute
+ operator: Exists
+ # -- Node selector for the antrea-agent Pods.
+ nodeSelector:
+ kubernetes.io/os: linux
+ # -- Prority class to use for the antrea-agent Pods.
+ priorityClassName: "system-node-critical"
+ # -- Affinity for the antrea-agent Pods.
+ affinity: {}
+ # -- DNS Policy for the antrea-agent Pods.
+ dnsPolicy: "ClusterFirstWithHostNet"
+ # -- Update strategy for the antrea-agent DaemonSet.
+ updateStrategy:
+ type: RollingUpdate
+ # -- Additional volumes for antrea-agent Pods.
+ extraVolumes: []
+ installCNI:
+ # -- Resource requests and limits for the install-cni initContainer.
+ resources:
+ requests:
+ cpu: "100m"
+ antreaAgent:
+ # -- Extra environment variables to be injected into antrea-agent.
+ extraEnv: {}
+ # -- Max size in MBs of any single log file.
+ logFileMaxSize: 100
+ # -- Max number of log files.
+ logFileMaxNum: 4
+ # -- Extra command-line arguments for antrea-agent.
+ extraArgs: []
+ # -- Additional volumeMounts for the antrea-agent container.
+ extraVolumeMounts: []
+ # -- Resource requests and limits for the antrea-agent container.
+ resources:
+ requests:
+ cpu: "200m"
+ antreaOVS:
+ # -- Max size in MBs of any single log file.
+ logFileMaxSize: 100
+ # -- Max number of log files.
+ logFileMaxNum: 4
+ # -- Extra command-line arguments for antrea-ovs.
+ extraArgs: []
+ # -- Resource requests and limits for the antrea-ovs container.
+ resources:
+ requests:
+ cpu: "200m"
+ antreaIPsec:
+ # -- Resource requests and limits for the antrea-ipsec container (when IPsec
+ # is enabled).
+ resources:
+ requests:
+ cpu: "50m"
+
+controller:
+ # -- Port for the antrea-controller APIServer to serve on.
+ apiPort: 10349
+ # -- Enable metrics exposure via Prometheus.
+ enablePrometheusMetrics: true
+ # -- Annotations to be added to antrea-controller Pod.
+ podAnnotations: {}
+ # -- Labels to be added to antrea-controller Pod.
+ podLabels: {}
+ # -- Indicates whether to use auto-generated self-signed TLS certificates. If
+ # false, a Secret named "antrea-controller-tls" must be provided with the
+ # following keys: ca.crt, tls.crt, tls.key.
+ selfSignedCert: true
+ # -- Tolerations for the antrea-controller Pod.
+ tolerations:
+ # Mark it as a critical add-on.
+ - key: CriticalAddonsOnly
+ operator: Exists
+ # Allow it to schedule onto master nodes.
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+ # -- Node selector for the antrea-controller Pod.
+ nodeSelector:
+ kubernetes.io/os: linux
+ # -- Prority class to use for the antrea-controller Pod.
+ priorityClassName: "system-cluster-critical"
+ # -- Affinity for the antrea-controller Pod.
+ affinity: {}
+ antreaController:
+ # -- Extra environment variables to be injected into antrea-controller.
+ extraEnv: {}
+ # -- Max size in MBs of any single log file.
+ logFileMaxSize: 100
+ # -- Max number of log files.
+ logFileMaxNum: 4
+ # -- Extra command-line arguments for antrea-controller.
+ extraArgs: []
+ # -- Resource requests and limits for the antrea-controller container.
+ resources:
+ requests:
+ cpu: "200m"
+
+flowCollector:
+ # -- IPFIX collector address as a string with format :[][:].
+ collectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
+ # -- Determines how often the flow exporter polls for new connections.
+ flowPollInterval: "5s"
+ # -- timeout after which a flow record is sent to the collector for active
+ # flows.
+ activeFlowExportTimeout: "5s"
+ # -- timeout after which a flow record is sent to the collector for idle
+ # flows.
+ idleFlowExportTimeout: "15s"
+
+cni:
+ # -- Chained plugins to use alongside antrea-cni.
+ plugins:
+ portmap: true
+ bandwidth: true
+ # -- Installation path of CNI binaries on the host.
+ hostBinPath: "/opt/cni/bin"
+ # -- CNI binaries shipped with Antrea for which installation should be
+ # skipped.
+ skipBinaries: []
+
+webhooks:
+ labelsMutator:
+ ## -- Mutate all namespaces to add the "antrea.io/metadata.name" label.
+ enable: false
+
+## -- Global log verbosity switch for all Antrea components.
+logVerbosity: 0
+
+## -- Install and configure Whereabouts, for use by the antrea-agent.
+whereabouts:
+ enable: false
+
+testing:
+ ## -- enable code coverage measurement (used when testing Antrea only).
+ coverage: false
+ simulator:
+ enable: false
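Review bot: `ipsec.psk` ships with the default `"changeme"`, so a deployment that sets `trafficEncryptionMode: "ipsec"` without overriding it authenticates every tunnel with a key published in the chart; the comment should say the value must be overridden, e.g. `# -- Preshared Key (PSK) for IKE authentication. It will be stored in a secret and passed to antrea-agent as an environment variable. The default is a placeholder and must be replaced whenever trafficEncryptionMode is "ipsec".`, and the template could refuse to render the default when IPsec is enabled. `image.tag: "latest"` together with `pullPolicy: "IfNotPresent"` gives non-reproducible deployments in which each Node keeps whatever image it has cached; pinning a release tag is the usual chart convention. Separately, "Prority class" (both `priorityClassName` comments) and "encap mode.It must" are typos, and the `## --` prefixes on `skipServices`, `labelsMutator.enable`, `logVerbosity`, `whereabouts` and `coverage` differ from the `# --` used everywhere else — if helm-docs only recognizes `# --`, those entries will be missing from the generated documentation that the new CI step diffs.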
diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
index f5f591469c3..df3468f7844 100644
--- a/build/yamls/antrea-aks.yml
+++ b/build/yamls/antrea-aks.yml
@@ -1,2742 +1,39 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
+---
+# Source: antrea/templates/agent/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
metadata:
+ name: antrea-agent
+ namespace: kube-system
labels:
app: antrea
- name: antreaagentinfos.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: AntreaAgentInfo
- plural: antreaagentinfos
- shortNames:
- - aai
- singular: antreaagentinfo
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: Health status of this Agent
- jsonPath: .agentConditions[?(@.type=='AgentHealthy')].status
- name: Healthy
- type: string
- - description: Last time the Healthy Condition was updated
- jsonPath: .agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime
- name: Last Heartbeat
- type: date
- - description: Version of this Agent
- jsonPath: .version
- name: Version
- priority: 1
- type: string
- - description: Node on which this Agent is running
- jsonPath: .nodeRef.name
- name: Node
- priority: 1
- type: string
- - description: Number of local Pods managed by this Agent
- jsonPath: .localPodNum
- name: Num Pods
- priority: 2
- type: integer
- - description: Subnets used by this Agent for Pod IPAM
- jsonPath: .nodeSubnets
- name: Subnets
- priority: 2
- type: string
- name: v1beta1
- schema:
- openAPIV3Schema:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- served: true
- storage: true
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
+# Source: antrea/templates/antctl/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
metadata:
+ name: antctl
+ namespace: kube-system
labels:
app: antrea
- name: antreacontrollerinfos.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: AntreaControllerInfo
- plural: antreacontrollerinfos
- shortNames:
- - aci
- singular: antreacontrollerinfo
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: Health status of the Controller
- jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].status
- name: Healthy
- type: string
- - description: Last time the Healthy Condition was updated
- jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime
- name: Last Heartbeat
- type: date
- - description: Version of the Controller
- jsonPath: .version
- name: Version
- priority: 1
- type: string
- - description: Number of Agents connected to the Controller
- jsonPath: .connectedAgentNum
- name: Connected Agents
- priority: 1
- type: integer
- - description: Node on which the Controller is running
- jsonPath: .nodeRef.name
- name: Node
- priority: 1
- type: string
- - description: Number of Network Policies computed by Controller
- jsonPath: .networkPolicyControllerInfo.networkPolicyNum
- name: Num Network Policies
- priority: 2
- type: integer
- name: v1beta1
- schema:
- openAPIV3Schema:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- served: true
- storage: true
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
+# Source: antrea/templates/controller/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
metadata:
+ name: antrea-controller
+ namespace: kube-system
labels:
app: antrea
- name: clustergroups.crd.antrea.io
-spec:
- conversion:
- strategy: Webhook
- webhook:
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /convert/clustergroup
- conversionReviewVersions:
- - v1
- - v1beta1
- group: crd.antrea.io
- names:
- kind: ClusterGroup
- plural: clustergroups
- shortNames:
- - cg
- singular: clustergroup
- scope: Cluster
- versions:
- - name: v1alpha2
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- childGroups:
- items:
- type: string
- type: array
- externalEntitySelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- ipBlock:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- ipBlocks:
- items:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- type: array
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceReference:
- properties:
- name:
- type: string
- namespace:
- type: string
- type: object
- type: object
- status:
- properties:
- conditions:
- items:
- properties:
- lastTransitionTime:
- type: string
- status:
- type: string
- type:
- type: string
- type: object
- type: array
- type: object
- type: object
- served: true
- storage: false
- - name: v1alpha3
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- childGroups:
- items:
- type: string
- type: array
- externalEntitySelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- ipBlocks:
- items:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- type: array
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceReference:
- properties:
- name:
- type: string
- namespace:
- type: string
- type: object
- type: object
- status:
- properties:
- conditions:
- items:
- properties:
- lastTransitionTime:
- type: string
- status:
- type: string
- type:
- type: string
- type: object
- type: array
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
+# Source: antrea/templates/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
metadata:
+ name: antrea-config
+ namespace: kube-system
labels:
app: antrea
- name: clusternetworkpolicies.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: ClusterNetworkPolicy
- plural: clusternetworkpolicies
- shortNames:
- - acnp
- singular: clusternetworkpolicy
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: The Tier to which this ClusterNetworkPolicy belongs to.
- jsonPath: .spec.tier
- name: Tier
- type: string
- - description: The Priority of this ClusterNetworkPolicy relative to other policies.
- format: float
- jsonPath: .spec.priority
- name: Priority
- type: number
- - description: The total number of Nodes that should realize the NetworkPolicy.
- format: int32
- jsonPath: .status.desiredNodesRealized
- name: Desired Nodes
- type: number
- - description: The number of Nodes that have realized the NetworkPolicy.
- format: int32
- jsonPath: .status.currentNodesRealized
- name: Current Nodes
- type: number
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- appliedTo:
- items:
- properties:
- group:
- type: string
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceAccount:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- type: array
- egress:
- items:
- properties:
- action:
- enum:
- - Allow
- - Drop
- - Reject
- - Pass
- type: string
- appliedTo:
- items:
- properties:
- group:
- type: string
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceAccount:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- type: array
- enableLogging:
- type: boolean
- name:
- type: string
- ports:
- items:
- properties:
- endPort:
- type: integer
- port:
- x-kubernetes-int-or-string: true
- protocol:
- enum:
- - TCP
- - UDP
- - SCTP
- type: string
- type: object
- type: array
- to:
- items:
- properties:
- fqdn:
- type: string
- group:
- type: string
- ipBlock:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- namespaces:
- properties:
- match:
- type: string
- type: object
- nodeSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceAccount:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- type: array
- toServices:
- items:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: array
- required:
- - action
- type: object
- type: array
- ingress:
- items:
- properties:
- action:
- enum:
- - Allow
- - Drop
- - Reject
- - Pass
- type: string
- appliedTo:
- items:
- properties:
- group:
- type: string
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceAccount:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- type: array
- enableLogging:
- type: boolean
- from:
- items:
- properties:
- group:
- type: string
- ipBlock:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- namespaces:
- properties:
- match:
- enum:
- - Self
- type: string
- type: object
- nodeSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceAccount:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- type: array
- name:
- type: string
- ports:
- items:
- properties:
- endPort:
- type: integer
- port:
- x-kubernetes-int-or-string: true
- protocol:
- enum:
- - TCP
- - UDP
- - SCTP
- type: string
- type: object
- type: array
- required:
- - action
- type: object
- type: array
- priority:
- format: float
- maximum: 10000
- minimum: 1
- type: number
- tier:
- type: string
- required:
- - priority
- type: object
- status:
- properties:
- currentNodesRealized:
- type: integer
- desiredNodesRealized:
- type: integer
- observedGeneration:
- type: integer
- phase:
- type: string
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: egresses.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: Egress
- plural: egresses
- shortNames:
- - eg
- singular: egress
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: Specifies the SNAT IP address for the selected workloads.
- jsonPath: .spec.egressIP
- name: EgressIP
- type: string
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- - description: The Owner Node of egress IP
- jsonPath: .status.egressNode
- name: Node
- type: string
- name: v1alpha2
- schema:
- openAPIV3Schema:
- properties:
- spec:
- anyOf:
- - required:
- - egressIP
- - required:
- - externalIPPool
- properties:
- appliedTo:
- properties:
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- egressIP:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- externalIPPool:
- type: string
- required:
- - appliedTo
- type: object
- status:
- properties:
- egressNode:
- type: string
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: externalentities.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: ExternalEntity
- plural: externalentities
- shortNames:
- - ee
- singular: externalentity
- scope: Namespaced
- versions:
- - name: v1alpha2
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- endpoints:
- items:
- properties:
- ip:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- name:
- type: string
- type: object
- type: array
- externalNode:
- type: string
- ports:
- items:
- properties:
- name:
- type: string
- port:
- x-kubernetes-int-or-string: true
- protocol:
- enum:
- - TCP
- - UDP
- - SCTP
- type: string
- type: object
- type: array
- type: object
- type: object
- served: true
- storage: true
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- type: object
- served: false
- storage: false
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: externalippools.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: ExternalIPPool
- plural: externalippools
- shortNames:
- - eip
- singular: externalippool
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: The number of total IPs
- jsonPath: .status.usage.total
- name: Total
- type: integer
- - description: The number of allocated IPs
- jsonPath: .status.usage.used
- name: Used
- type: integer
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha2
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- ipRanges:
- items:
- oneOf:
- - required:
- - cidr
- - required:
- - start
- - end
- properties:
- cidr:
- format: cidr
- type: string
- end:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- start:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- type: object
- type: array
- nodeSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- required:
- - ipRanges
- - nodeSelector
- type: object
- status:
- properties:
- usage:
- properties:
- total:
- type: integer
- used:
- type: integer
- type: object
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: ippools.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: IPPool
- plural: ippools
- shortNames:
- - ipp
- singular: ippool
- scope: Cluster
- versions:
- - name: v1alpha2
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- ipRanges:
- items:
- oneOf:
- - required:
- - cidr
- - gateway
- - prefixLength
- - required:
- - start
- - end
- - gateway
- - prefixLength
- properties:
- cidr:
- format: cidr
- type: string
- end:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- gateway:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- prefixLength:
- type: integer
- start:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- vlan:
- maximum: 4094
- minimum: 0
- type: integer
- type: object
- type: array
- ipVersion:
- type: integer
- required:
- - ipVersion
- - ipRanges
- type: object
- status:
- properties:
- ipAddresses:
- items:
- properties:
- ipAddress:
- type: string
- owner:
- properties:
- pod:
- properties:
- containerID:
- type: string
- ifName:
- type: string
- name:
- type: string
- namespace:
- type: string
- type: object
- statefulSet:
- properties:
- index:
- type: integer
- name:
- type: string
- namespace:
- type: string
- type: object
- type: object
- phase:
- type: string
- type: object
- type: array
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: networkpolicies.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: NetworkPolicy
- plural: networkpolicies
- shortNames:
- - anp
- singular: networkpolicy
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: The Tier to which this Antrea NetworkPolicy belongs to.
- jsonPath: .spec.tier
- name: Tier
- type: string
- - description: The Priority of this Antrea NetworkPolicy relative to other policies.
- format: float
- jsonPath: .spec.priority
- name: Priority
- type: number
- - description: The total number of Nodes that should realize the NetworkPolicy.
- format: int32
- jsonPath: .status.desiredNodesRealized
- name: Desired Nodes
- type: number
- - description: The number of Nodes that have realized the NetworkPolicy.
- format: int32
- jsonPath: .status.currentNodesRealized
- name: Current Nodes
- type: number
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- appliedTo:
- items:
- properties:
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- egress:
- items:
- properties:
- action:
- enum:
- - Allow
- - Drop
- - Reject
- - Pass
- type: string
- appliedTo:
- items:
- properties:
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- enableLogging:
- type: boolean
- name:
- type: string
- ports:
- items:
- properties:
- endPort:
- type: integer
- port:
- x-kubernetes-int-or-string: true
- protocol:
- enum:
- - TCP
- - UDP
- - SCTP
- type: string
- type: object
- type: array
- to:
- items:
- properties:
- externalEntitySelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- fqdn:
- type: string
- ipBlock:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- nodeSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- toServices:
- items:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- type: object
- type: array
- required:
- - action
- type: object
- type: array
- ingress:
- items:
- properties:
- action:
- enum:
- - Allow
- - Drop
- - Reject
- - Pass
- type: string
- appliedTo:
- items:
- properties:
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- enableLogging:
- type: boolean
- from:
- items:
- properties:
- externalEntitySelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- ipBlock:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- nodeSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- name:
- type: string
- ports:
- items:
- properties:
- endPort:
- type: integer
- port:
- x-kubernetes-int-or-string: true
- protocol:
- enum:
- - TCP
- - UDP
- - SCTP
- type: string
- type: object
- type: array
- required:
- - action
- type: object
- type: array
- priority:
- format: float
- maximum: 10000
- minimum: 1
- type: number
- tier:
- type: string
- required:
- - priority
- type: object
- status:
- properties:
- currentNodesRealized:
- type: integer
- desiredNodesRealized:
- type: integer
- observedGeneration:
- type: integer
- phase:
- type: string
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: tiers.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: Tier
- plural: tiers
- shortNames:
- - tr
- singular: tier
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: The Priority of this Tier relative to other Tiers.
- jsonPath: .spec.priority
- name: Priority
- type: integer
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- description:
- type: string
- priority:
- maximum: 255
- minimum: 0
- type: integer
- required:
- - priority
- type: object
- type: object
- served: true
- storage: true
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: traceflows.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: Traceflow
- plural: traceflows
- shortNames:
- - tf
- singular: traceflow
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: The phase of the Traceflow.
- jsonPath: .status.phase
- name: Phase
- type: string
- - description: The name of the source Pod.
- jsonPath: .spec.source.pod
- name: Source-Pod
- priority: 10
- type: string
- - description: The name of the destination Pod.
- jsonPath: .spec.destination.pod
- name: Destination-Pod
- priority: 10
- type: string
- - description: The IP address of the destination.
- jsonPath: .spec.destination.ip
- name: Destination-IP
- priority: 10
- type: string
- - description: Trace live traffic.
- jsonPath: .spec.liveTraffic
- name: Live-Traffic
- priority: 10
- type: boolean
- - description: Capture only the dropped packet.
- jsonPath: .spec.droppedOnly
- name: Dropped-Only
- priority: 10
- type: boolean
- - description: Timeout in seconds.
- jsonPath: .spec.timeout
- name: Timeout
- priority: 10
- type: integer
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- destination:
- properties:
- ip:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- namespace:
- type: string
- pod:
- type: string
- service:
- type: string
- type: object
- droppedOnly:
- type: boolean
- liveTraffic:
- type: boolean
- packet:
- properties:
- ipHeader:
- properties:
- flags:
- type: integer
- protocol:
- type: integer
- srcIP:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- ttl:
- type: integer
- type: object
- ipv6Header:
- properties:
- hopLimit:
- type: integer
- nextHeader:
- type: integer
- srcIP:
- format: ipv6
- type: string
- type: object
- transportHeader:
- properties:
- icmp:
- properties:
- id:
- type: integer
- sequence:
- type: integer
- type: object
- tcp:
- properties:
- dstPort:
- type: integer
- flags:
- type: integer
- srcPort:
- type: integer
- type: object
- udp:
- properties:
- dstPort:
- type: integer
- srcPort:
- type: integer
- type: object
- type: object
- type: object
- source:
- properties:
- ip:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- namespace:
- type: string
- pod:
- type: string
- type: object
- timeout:
- type: integer
- type: object
- status:
- properties:
- capturedPacket:
- properties:
- dstIP:
- type: string
- ipHeader:
- properties:
- flags:
- type: integer
- protocol:
- type: integer
- ttl:
- type: integer
- type: object
- ipv6Header:
- properties:
- hopLimit:
- type: integer
- nextHeader:
- type: integer
- type: object
- length:
- type: integer
- srcIP:
- type: string
- transportHeader:
- properties:
- icmp:
- properties:
- id:
- type: integer
- sequence:
- type: integer
- type: object
- tcp:
- properties:
- dstPort:
- type: integer
- flags:
- type: integer
- srcPort:
- type: integer
- type: object
- udp:
- properties:
- dstPort:
- type: integer
- srcPort:
- type: integer
- type: object
- type: object
- type: object
- dataplaneTag:
- type: integer
- phase:
- type: string
- reason:
- type: string
- results:
- items:
- properties:
- node:
- type: string
- observations:
- items:
- properties:
- action:
- type: string
- component:
- type: string
- componentInfo:
- type: string
- dstMAC:
- type: string
- networkPolicy:
- type: string
- pod:
- type: string
- translatedDstIP:
- type: string
- translatedSrcIP:
- type: string
- ttl:
- type: integer
- tunnelDstIP:
- type: string
- type: object
- type: array
- role:
- type: string
- timestamp:
- type: integer
- type: object
- type: array
- startTime:
- type: string
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app: antrea
- name: antctl
- namespace: kube-system
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app: antrea
- name: antrea-agent
- namespace: kube-system
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app: antrea
- name: antrea-controller
- namespace: kube-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
- name: aggregate-antrea-clustergroups-edit
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - clustergroups
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-view: "true"
- name: aggregate-antrea-clustergroups-view
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - clustergroups
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
- name: aggregate-antrea-policies-edit
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - clusternetworkpolicies
- - networkpolicies
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-view: "true"
- name: aggregate-antrea-policies-view
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - clusternetworkpolicies
- - networkpolicies
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
- name: aggregate-traceflows-edit
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - traceflows
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-view: "true"
- name: aggregate-traceflows-view
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - traceflows
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- name: antctl
-rules:
-- apiGroups:
- - controlplane.antrea.io
- resources:
- - networkpolicies
- - appliedtogroups
- - addressgroups
- verbs:
- - get
- - list
-- apiGroups:
- - stats.antrea.io
- resources:
- - networkpolicystats
- - antreaclusternetworkpolicystats
- - antreanetworkpolicystats
- verbs:
- - get
- - list
-- apiGroups:
- - system.antrea.io
- resources:
- - controllerinfos
- - agentinfos
- verbs:
- - get
-- apiGroups:
- - system.antrea.io
- resources:
- - supportbundles
- verbs:
- - get
- - post
-- apiGroups:
- - system.antrea.io
- resources:
- - supportbundles/download
- verbs:
- - get
-- nonResourceURLs:
- - /agentinfo
- - /addressgroups
- - /appliedtogroups
- - /loglevel
- - /networkpolicies
- - /ovsflows
- - /ovstracing
- - /podinterfaces
- - /featuregates
- verbs:
- - get
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- name: antrea-agent
-rules:
-- apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - ""
- resources:
- - nodes/status
- verbs:
- - patch
-- apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - ""
- resources:
- - pods/status
- verbs:
- - patch
-- apiGroups:
- - ""
- resources:
- - endpoints
- - services
- - namespaces
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - ""
- resources:
- - services/status
- verbs:
- - update
-- apiGroups:
- - discovery.k8s.io
- resources:
- - endpointslices
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - crd.antrea.io
- resources:
- - antreaagentinfos
- verbs:
- - get
- - create
- - update
- - delete
-- apiGroups:
- - controlplane.antrea.io
- resources:
- - networkpolicies
- - appliedtogroups
- - addressgroups
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - controlplane.antrea.io
- resources:
- - egressgroups
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - controlplane.antrea.io
- resources:
- - nodestatssummaries
- verbs:
- - create
-- apiGroups:
- - controlplane.antrea.io
- resources:
- - networkpolicies/status
- verbs:
- - create
- - get
-- apiGroups:
- - authentication.k8s.io
- resources:
- - tokenreviews
- verbs:
- - create
-- apiGroups:
- - authorization.k8s.io
- resources:
- - subjectaccessreviews
- verbs:
- - create
-- apiGroups:
- - ""
- resourceNames:
- - extension-apiserver-authentication
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ""
- resourceNames:
- - antrea-ca
- resources:
- - configmaps
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - crd.antrea.io
- resources:
- - traceflows
- - traceflows/status
- verbs:
- - get
- - watch
- - list
- - update
- - patch
- - create
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - egresses
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - crd.antrea.io
- resources:
- - egresses/status
- verbs:
- - update
-- apiGroups:
- - crd.antrea.io
- resources:
- - externalippools
- - ippools
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - crd.antrea.io
- resources:
- - ippools/status
- verbs:
- - update
-- apiGroups:
- - k8s.cni.cncf.io
- resources:
- - network-attachment-definitions
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- name: antrea-cluster-identity-reader
-rules:
-- apiGroups:
- - ""
- resourceNames:
- - antrea-cluster-identity
- resources:
- - configmaps
- verbs:
- - get
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- name: antrea-controller
-rules:
-- apiGroups:
- - ""
- resources:
- - pods
- - services
- - namespaces
- - configmaps
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - get
- - watch
- - list
- - patch
-- apiGroups:
- - ""
- resources:
- - services/status
- verbs:
- - update
-- apiGroups:
- - networking.k8s.io
- resources:
- - networkpolicies
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - authentication.k8s.io
- resources:
- - tokenreviews
- verbs:
- - create
-- apiGroups:
- - authorization.k8s.io
- resources:
- - subjectaccessreviews
- verbs:
- - create
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - get
- - update
-- apiGroups:
- - ""
- resourceNames:
- - extension-apiserver-authentication
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ""
- resourceNames:
- - antrea-ca
- - antrea-cluster-identity
- resources:
- - configmaps
- verbs:
- - get
- - update
-- apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - create
-- apiGroups:
- - apiregistration.k8s.io
- resourceNames:
- - v1alpha1.stats.antrea.io
- - v1beta1.system.antrea.io
- - v1beta2.controlplane.antrea.io
- resources:
- - apiservices
- verbs:
- - get
- - update
-- apiGroups:
- - apiregistration.k8s.io
- resourceNames:
- - v1beta1.networking.antrea.tanzu.vmware.com
- - v1beta1.controlplane.antrea.tanzu.vmware.com
- - v1alpha1.stats.antrea.tanzu.vmware.com
- - v1beta1.system.antrea.tanzu.vmware.com
- - v1beta2.controlplane.antrea.tanzu.vmware.com
- resources:
- - apiservices
- verbs:
- - delete
-- apiGroups:
- - admissionregistration.k8s.io
- resourceNames:
- - labelsmutator.antrea.io
- - crdmutator.antrea.io
- - crdvalidator.antrea.io
- resources:
- - mutatingwebhookconfigurations
- - validatingwebhookconfigurations
- verbs:
- - get
- - update
-- apiGroups:
- - crd.antrea.io
- resources:
- - antreacontrollerinfos
- verbs:
- - get
- - create
- - update
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - antreaagentinfos
- verbs:
- - list
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - clusternetworkpolicies
- - networkpolicies
- verbs:
- - get
- - watch
- - list
- - update
- - patch
- - create
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - clusternetworkpolicies/status
- - networkpolicies/status
- verbs:
- - update
-- apiGroups:
- - crd.antrea.io
- resources:
- - tiers
- verbs:
- - get
- - watch
- - list
- - update
- - patch
- - create
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - traceflows
- - traceflows/status
- verbs:
- - get
- - watch
- - list
- - update
- - patch
- - create
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - externalentities
- - clustergroups
- verbs:
- - get
- - watch
- - list
- - update
- - patch
- - create
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - clustergroups/status
- verbs:
- - update
-- apiGroups:
- - crd.antrea.io
- resources:
- - egresses
- verbs:
- - get
- - watch
- - list
- - update
- - patch
-- apiGroups:
- - crd.antrea.io
- resources:
- - externalippools
- - ippools
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - crd.antrea.io
- resources:
- - externalippools/status
- - ippools/status
- verbs:
- - update
-- apiGroups:
- - apps
- resources:
- - statefulsets
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app: antrea
- name: antctl
- namespace: kube-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: antctl
-subjects:
-- kind: ServiceAccount
- name: antctl
- namespace: kube-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app: antrea
- name: antrea-agent
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: antrea-agent
-subjects:
-- kind: ServiceAccount
- name: antrea-agent
- namespace: kube-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app: antrea
- name: antrea-controller
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: antrea-controller
-subjects:
-- kind: ServiceAccount
- name: antrea-controller
- namespace: kube-system
----
-apiVersion: v1
data:
antrea-agent.conf: |
# FeatureGates is a map of feature names to bools that enable or disable experimental features.
@@ -2790,19 +87,18 @@ data:
# Name of the OpenVSwitch bridge antrea-agent will create and use.
# Make sure it doesn't conflict with your existing OpenVSwitch bridges.
- #ovsBridge: br-int
+ ovsBridge: "br-int"
# Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are:
# - system
# - netdev
# 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run
- # OVS in userspace mode (not fully supported yet). Userspace mode requires the tun device driver to
- # be available.
+ # OVS in userspace mode. Userspace mode requires the tun device driver to be available.
#ovsDatapathType: system
# Name of the interface antrea-agent will create and use for host <--> pod communication.
# Make sure it doesn't conflict with your existing interfaces.
- #hostGateway: antrea-gw0
+ hostGateway: "antrea-gw0"
# Determines how traffic is encapsulated. It has the following options:
# encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network
@@ -2814,14 +110,14 @@ data:
# networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod
# IPAM and connectivity to the primary CNI.
#
- trafficEncapMode: networkPolicyOnly
+ trafficEncapMode: "networkPolicyOnly"
# Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network.
# This option is for the noEncap traffic mode only, and the default value is false. In the noEncap
# mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to
# the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never
# performs SNAT and this option will be ignored; for other modes it must be set to false.
- #noSNAT: false
+ noSNAT: false
# Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode,
# this option will not take effect. Supported values:
@@ -2830,7 +126,7 @@ data:
# - gre
# - stt
# Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters).
- #tunnelType: geneve
+ tunnelType: "geneve"
# Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode.
# It has the following options:
@@ -2840,7 +136,7 @@ data:
# the PSK value must be passed to Antrea Agent through an environment
# variable: ANTREA_IPSEC_PSK.
# - wireGuard: Enable WireGuard for tunnel traffic encryption.
- #trafficEncryptionMode: none
+ trafficEncryptionMode: "none"
# Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected
# to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are
@@ -2849,35 +145,40 @@ data:
# This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only
# IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`,
# `trafficEncapMode` is `noEncap`, and `noSNAT` is true.
- #enableBridgingMode: false
+ enableBridgingMode: false
# Default MTU to use for the host gateway interface and the network interface of each Pod.
# If omitted, antrea-agent will discover the MTU of the Node's primary interface and
# also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
- #defaultMTU: 0
+ defaultMTU: 0
# wireGuard specifies WireGuard related configurations.
wireGuard:
- # The port for WireGuard to receive traffic.
- # port: 51820
+ # The port for WireGuard to receive traffic.
+ port: 51820
egress:
- # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses.
- # exceptCIDRs: []
+ # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses.
+ exceptCIDRs:
+
+ # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
+ # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
+ # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
+ serviceCIDR: ""
# ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
# cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
# --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
# No default value for this field.
- #serviceCIDRv6:
+ serviceCIDRv6: ""
# The port for the antrea-agent APIServer to serve on.
# Note that if it's set to another value, the `containerPort` of the `api` port of the
# `antrea-agent` container must be set to the same value.
- #apiPort: 10350
+ apiPort: 10350
# Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
- #enablePrometheusMetrics: true
+ enablePrometheusMetrics: true
# Provide the IPFIX collector address as a string with format :[][:].
# HOST can either be the DNS name or the IP of the Flow Collector. For example,
@@ -2888,50 +189,50 @@ data:
# If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
# "udp" protocols. "tls" is used for securing communication between flow exporter and
# flow aggregator.
- #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
+ flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
# Provide flow poll interval as a duration string. This determines how often the
# flow exporter dumps connections from the conntrack module. Flow poll interval
# should be greater than or equal to 1s (one second).
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
- #flowPollInterval: "5s"
+ flowPollInterval: "5s"
# Provide the active flow export timeout, which is the timeout after which a flow
# record is sent to the collector for active flows. Thus, for flows with a continuous
# stream of packets, a flow record will be exported to the collector once the elapsed
# time since the last export event is equal to the value of this timeout.
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
- #activeFlowExportTimeout: "30s"
+ activeFlowExportTimeout: "5s"
# Provide the idle flow export timeout, which is the timeout after which a flow
# record is sent to the collector for idle flows. A flow is considered idle if no
# packet matching this flow has been observed since the last export event.
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
- #idleFlowExportTimeout: "15s"
+ idleFlowExportTimeout: "15s"
nodePortLocal:
# Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To
# enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature
# gate is also enabled (which is the default).
- # enable: false
+ enable: false
# Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port
# from that range will be assigned whenever a Pod's container defines a specific port to be exposed
# (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic
# directed to that port will be forwarded to the Pod.
- # portRange: 61000-62000
+ portRange: "61000-62000"
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
- #kubeAPIServerOverride: ""
+ kubeAPIServerOverride: ""
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
# https://golang.org/pkg/crypto/tls/#pkg-constants
# Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
# prefer TLS1.3 Cipher Suites whenever possible.
- #tlsCipherSuites:
+ tlsCipherSuites: ""
# TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
- #tlsMinVersion:
+ tlsMinVersion: ""
# The name of the interface on Node which is used for tunneling or routing the traffic across Nodes.
# If there are multiple IP addresses configured on the interface, the first one is used. The IP
@@ -2940,11 +241,11 @@ data:
# 1. transportInterface
# 2. transportInterfaceCIDRs
# 3. The Node IP
- #transportInterface:
+ transportInterface: ""
# The names of the interfaces on Nodes that are used to forward multicast traffic.
# Defaults to transport interface if not set.
- #multicastInterfaces: []
+ multicastInterfaces:
# The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across
# Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The
@@ -2953,7 +254,7 @@ data:
# 1. transportInterface
# 2. transportInterfaceCIDRs
# 3. The Node IP
- #transportInterfaceCIDRs: [,]
+ transportInterfaceCIDRs:
# Option antreaProxy contains AntreaProxy related configuration options.
antreaProxy:
@@ -2962,22 +263,22 @@ data:
# feature to be enabled.
# Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access
# apiserver directly.
- #proxyAll: false
+ proxyAll: false
# A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks.
# (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses.
# Note that the option is only valid when proxyAll is true.
- #nodePortAddresses: []
+ nodePortAddresses:
# An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these
# Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name
# with Namespace (e.g. kube-system/kube-dns)
- #skipServices: []
+ skipServices:
# When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the
# External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional
# capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the
# external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy.
# Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and
# kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic.
- #proxyLoadBalancerIPs: true
+ proxyLoadBalancerIPs: true
antrea-cni.conflist: |
{
"cniVersion":"0.3.0",
@@ -2988,11 +289,13 @@ data:
"ipam": {
"type": "host-local"
}
- },
+ }
+ ,
{
"type": "portmap",
"capabilities": {"portMappings": true}
- },
+ }
+ ,
{
"type": "bandwidth",
"capabilities": {"bandwidth": true}
@@ -3030,659 +333,3317 @@ data:
# The port for the antrea-controller APIServer to serve on.
# Note that if it's set to another value, the `containerPort` of the `api` port of the
# `antrea-controller` container must be set to the same value.
- #apiPort: 10349
+ apiPort: 10349
# Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
- #enablePrometheusMetrics: true
+ enablePrometheusMetrics: true
# Indicates whether to use auto-generated self-signed TLS certificate.
- # If false, A Secret named "antrea-controller-tls" must be provided with the following keys:
+ # If false, a Secret named "antrea-controller-tls" must be provided with the following keys:
# ca.crt:
# tls.crt:
# tls.key:
- # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
- # antrea-controller container.
- #selfSignedCert: true
+ selfSignedCert: true
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
# https://golang.org/pkg/crypto/tls/#pkg-constants
# Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
# prefer TLS1.3 Cipher Suites whenever possible.
- #tlsCipherSuites:
+ tlsCipherSuites: ""
# TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
- #tlsMinVersion:
+ tlsMinVersion: ""
nodeIPAM:
- # Enable the integrated Node IPAM controller within the Antrea controller.
- # enableNodeIPAM: false
-
- # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges.
- # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family.
- # Value ignored when enableNodeIPAM is false.
- # clusterCIDRs: []
-
- # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs.
- # Value ignored when enableNodeIPAM is false.
- # serviceCIDR:
- # serviceCIDRv6:
-
- # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false
- # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30.
- # nodeCIDRMaskSizeIPv4: 24
-
- # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false
- # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
- # nodeCIDRMaskSizeIPv6: 64
-kind: ConfigMap
+ # Enable the integrated Node IPAM controller within the Antrea controller.
+ enableNodeIPAM: false
+ # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges.
+ # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family.
+ # Value ignored when enableNodeIPAM is false.
+ clusterCIDRs:
+ # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs.
+ # Value ignored when enableNodeIPAM is false.
+ serviceCIDR: ""
+ serviceCIDRv6: ""
+ # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false
+ # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30.
+ nodeCIDRMaskSizeIPv4: 24
+ # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false
+ # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
+ nodeCIDRMaskSizeIPv6: 64
+---
+# Source: antrea/templates/crds/antreaagentinfo.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: antreaagentinfos.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - description: Health status of this Agent
+ jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status"
+ name: Healthy
+ type: string
+ - description: Last time the Healthy Condition was updated
+ jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime"
+ name: Last Heartbeat
+ type: date
+ - description: Version of this Agent
+ jsonPath: ".version"
+ name: Version
+ type: string
+ priority: 1
+ - description: Node on which this Agent is running
+ jsonPath: ".nodeRef.name"
+ name: Node
+ type: string
+ priority: 1
+ - description: Number of local Pods managed by this Agent
+ jsonPath: ".localPodNum"
+ name: Num Pods
+ type: integer
+ priority: 2
+ - description: Subnets used by this Agent for Pod IPAM
+ jsonPath: ".nodeSubnets"
+ name: Subnets
+ type: string
+ priority: 2
+ scope: Cluster
+ names:
+ plural: antreaagentinfos
+ singular: antreaagentinfo
+ kind: AntreaAgentInfo
+ shortNames:
+ - aai
+---
+# Source: antrea/templates/crds/antreacontrollerinfo.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: antreacontrollerinfos.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - description: Health status of the Controller
+ jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status"
+ name: Healthy
+ type: string
+ - description: Last time the Healthy Condition was updated
+ jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime"
+ name: Last Heartbeat
+ type: date
+ - description: Version of the Controller
+ jsonPath: ".version"
+ name: Version
+ type: string
+ priority: 1
+ - description: Number of Agents connected to the Controller
+ jsonPath: ".connectedAgentNum"
+ name: Connected Agents
+ type: integer
+ priority: 1
+ - description: Node on which the Controller is running
+ jsonPath: ".nodeRef.name"
+ name: Node
+ type: string
+ priority: 1
+ - description: Number of Network Policies computed by Controller
+ jsonPath: ".networkPolicyControllerInfo.networkPolicyNum"
+ name: Num Network Policies
+ type: integer
+ priority: 2
+ scope: Cluster
+ names:
+ plural: antreacontrollerinfos
+ singular: antreacontrollerinfo
+ kind: AntreaControllerInfo
+ shortNames:
+ - aci
+---
+# Source: antrea/templates/crds/clustergroup.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clustergroups.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: false
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ childGroups:
+ type: array
+ items:
+ type: string
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ externalEntitySelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ ipBlocks:
+ type: array
+ items:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ serviceReference:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ status:
+ type: object
+ properties:
+ conditions:
+ type: array
+ items:
+ type: object
+ properties:
+ type:
+ type: string
+ status:
+ type: string
+ lastTransitionTime:
+ type: string
+ - name: v1alpha3
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ childGroups:
+ type: array
+ items:
+ type: string
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ externalEntitySelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ipBlocks:
+ type: array
+ items:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ serviceReference:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ status:
+ type: object
+ properties:
+ conditions:
+ type: array
+ items:
+ type: object
+ properties:
+ type:
+ type: string
+ status:
+ type: string
+ lastTransitionTime:
+ type: string
+ subresources:
+ status: {}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions: ["v1", "v1beta1"]
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: "kube-system"
+ path: "/convert/clustergroup"
+ scope: Cluster
+ names:
+ plural: clustergroups
+ singular: clustergroup
+ kind: ClusterGroup
+ shortNames:
+ - cg
+---
+# Source: antrea/templates/crds/clusternetworkpolicy.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusternetworkpolicies.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - name: Tier
+ type: string
+ description: The Tier to which this ClusterNetworkPolicy belongs to.
+ jsonPath: .spec.tier
+ - name: Priority
+ type: number
+ format: float
+ description: The Priority of this ClusterNetworkPolicy relative to other policies.
+ jsonPath: .spec.priority
+ - name: Desired Nodes
+ type: number
+ format: int32
+ description: The total number of Nodes that should realize the NetworkPolicy.
+ jsonPath: .status.desiredNodesRealized
+ - name: Current Nodes
+ type: number
+ format: int32
+ description: The number of Nodes that have realized the NetworkPolicy.
+ jsonPath: .status.currentNodesRealized
+ - name: Age
+ type: date
+ jsonPath: .metadata.creationTimestamp
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ # Ensure that Spec.Priority field is set
+ required:
+ - priority
+ type: object
+ properties:
+ tier:
+ type: string
+ priority:
+ type: number
+ format: float
+ # Ensure that Spec.Priority field is between 1 and 10000
+ minimum: 1.0
+ maximum: 10000.0
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that Spec.AppliedTo does not allow IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ group:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ ingress:
+ type: array
+ items:
+ type: object
+ required:
+ - action
+ properties:
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that rule AppliedTo does not allow IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ group:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ # Ensure that Action field allows only ALLOW, DROP and REJECT values
+ action:
+ type: string
+ enum: ['Allow', 'Drop', 'Reject', 'Pass']
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ endPort:
+ type: integer
+ from:
+ type: array
+ items:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaces:
+ type: object
+ properties:
+ match:
+ enum:
+ - Self
+ type: string
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ group:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ name:
+ type: string
+ enableLogging:
+ type: boolean
+ egress:
+ type: array
+ items:
+ type: object
+ required:
+ - action
+ properties:
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that rule AppliedTo does not allow IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ group:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ # Ensure that Action field allows only ALLOW, DROP and REJECT values
+ action:
+ type: string
+ enum: ['Allow', 'Drop', 'Reject', 'Pass']
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ endPort:
+ type: integer
+ to:
+ type: array
+ items:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaces:
+ type: object
+ properties:
+ match:
+ type: string
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ group:
+ type: string
+ fqdn:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ toServices:
+ type: array
+ items:
+ type: object
+ required:
+ - name
+ - namespace
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ name:
+ type: string
+ enableLogging:
+ type: boolean
+ status:
+ type: object
+ properties:
+ phase:
+ type: string
+ observedGeneration:
+ type: integer
+ currentNodesRealized:
+ type: integer
+ desiredNodesRealized:
+ type: integer
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: clusternetworkpolicies
+ singular: clusternetworkpolicy
+ kind: ClusterNetworkPolicy
+ shortNames:
+ - acnp
+---
+# Source: antrea/templates/crds/egress.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: egresses.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ required:
+ - spec
+ properties:
+ spec:
+ type: object
+ required:
+ - appliedTo
+ anyOf:
+ - required:
+ - egressIP
+ - required:
+ - externalIPPool
+ properties:
+ appliedTo:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ egressIP:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ externalIPPool:
+ type: string
+ status:
+ type: object
+ properties:
+ egressNode:
+ type: string
+ additionalPrinterColumns:
+ - description: Specifies the SNAT IP address for the selected workloads.
+ jsonPath: .spec.egressIP
+ name: EgressIP
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ - description: The Owner Node of egress IP
+ jsonPath: .status.egressNode
+ name: Node
+ type: string
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: egresses
+ singular: egress
+ kind: Egress
+ shortNames:
+ - eg
+---
+# Source: antrea/templates/crds/externalentity.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: externalentities.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ endpoints:
+ type: array
+ items:
+ type: object
+ properties:
+ ip:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ name:
+ type: string
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ name:
+ type: string
+ externalNode:
+ type: string
+ - name: v1alpha1
+ served: false
+ storage: false
+ schema:
+ openAPIV3Schema:
+ type: object
+ scope: Namespaced
+ names:
+ plural: externalentities
+ singular: externalentity
+ kind: ExternalEntity
+ shortNames:
+ - ee
+---
+# Source: antrea/templates/crds/externalippool.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: externalippools.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ required:
+ - spec
+ properties:
+ spec:
+ type: object
+ required:
+ - ipRanges
+ - nodeSelector
+ properties:
+ ipRanges:
+ type: array
+ items:
+ type: object
+ oneOf:
+ - required:
+ - cidr
+ - required:
+ - start
+ - end
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ start:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ end:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ type: object
+ properties:
+ usage:
+ type: object
+ properties:
+ total:
+ type: integer
+ used:
+ type: integer
+ additionalPrinterColumns:
+ - description: The number of total IPs
+ jsonPath: .status.usage.total
+ name: Total
+ type: integer
+ - description: The number of allocated IPs
+ jsonPath: .status.usage.used
+ name: Used
+ type: integer
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: externalippools
+ singular: externalippool
+ kind: ExternalIPPool
+ shortNames:
+ - eip
+---
+# Source: antrea/templates/crds/ippool.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: ippools.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ required:
+ - spec
+ properties:
+ spec:
+ required:
+ - ipVersion
+ - ipRanges
+ type: object
+ properties:
+ ipVersion:
+ type: integer
+ ipRanges:
+ items:
+ oneOf:
+ - required:
+ - cidr
+ - gateway
+ - prefixLength
+ - required:
+ - start
+ - end
+ - gateway
+ - prefixLength
+ properties:
+ cidr:
+ format: cidr
+ type: string
+ start:
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ type: string
+ end:
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ type: string
+ gateway:
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ type: string
+ prefixLength:
+ type: integer
+ vlan:
+ type: integer
+ minimum: 0
+ maximum: 4094
+ type: object
+ type: array
+ status:
+ properties:
+ ipAddresses:
+ items:
+ properties:
+ ipAddress:
+ type: string
+ owner:
+ properties:
+ pod:
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ containerID:
+ type: string
+ ifName:
+ type: string
+ type: object
+ statefulSet:
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ index:
+ type: integer
+ type: object
+ type: object
+ phase:
+ type: string
+ type: object
+ type: array
+ type: object
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: ippools
+ singular: ippool
+ kind: IPPool
+ shortNames:
+ - ipp
+---
+# Source: antrea/templates/crds/networkpolicy.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: networkpolicies.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - name: Tier
+ type: string
+ description: The Tier to which this Antrea NetworkPolicy belongs to.
+ jsonPath: .spec.tier
+ - name: Priority
+ type: number
+ format: float
+ description: The Priority of this Antrea NetworkPolicy relative to other policies.
+ jsonPath: .spec.priority
+ - name: Desired Nodes
+ type: number
+ format: int32
+ description: The total number of Nodes that should realize the NetworkPolicy.
+ jsonPath: .status.desiredNodesRealized
+ - name: Current Nodes
+ type: number
+ format: int32
+ description: The number of Nodes that have realized the NetworkPolicy.
+ jsonPath: .status.currentNodesRealized
+ - name: Age
+ type: date
+ jsonPath: .metadata.creationTimestamp
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ # Ensure that Spec.Priority field is set
+ required:
+ - priority
+ type: object
+ properties:
+ tier:
+ type: string
+ priority:
+ type: number
+ format: float
+ # Ensure that Spec.Priority field is between 1 and 10000
+ minimum: 1.0
+ maximum: 10000.0
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ingress:
+ type: array
+ items:
+ type: object
+ required:
+ - action
+ properties:
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ # Ensure that Action field allows only ALLOW, DROP and REJECT values
+ action:
+ type: string
+ enum: ['Allow', 'Drop', 'Reject', 'Pass']
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ endPort:
+ type: integer
+ from:
+ type: array
+ items:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ externalEntitySelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ name:
+ type: string
+ enableLogging:
+ type: boolean
+ egress:
+ type: array
+ items:
+ type: object
+ required:
+ - action
+ properties:
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ # Ensure that Action field allows only ALLOW, DROP and REJECT values
+ action:
+ type: string
+ enum: ['Allow', 'Drop', 'Reject', 'Pass']
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ endPort:
+ type: integer
+ to:
+ type: array
+ items:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ externalEntitySelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ fqdn:
+ type: string
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ toServices:
+ type: array
+ items:
+ type: object
+ required:
+ - name
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ name:
+ type: string
+ enableLogging:
+ type: boolean
+ status:
+ type: object
+ properties:
+ phase:
+ type: string
+ observedGeneration:
+ type: integer
+ currentNodesRealized:
+ type: integer
+ desiredNodesRealized:
+ type: integer
+ subresources:
+ status: {}
+ scope: Namespaced
+ names:
+ plural: networkpolicies
+ singular: networkpolicy
+ kind: NetworkPolicy
+ shortNames:
+ - anp
+---
+# Source: antrea/templates/crds/tier.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: tiers.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - name: Priority
+ type: integer
+ description: The Priority of this Tier relative to other Tiers.
+ jsonPath: .spec.priority
+ - name: Age
+ type: date
+ jsonPath: .metadata.creationTimestamp
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ required:
+ - priority
+ type: object
+ properties:
+ priority:
+ type: integer
+ minimum: 0
+ maximum: 255
+ description:
+ type: string
+ scope: Cluster
+ names:
+ plural: tiers
+ singular: tier
+ kind: Tier
+ shortNames:
+ - tr
+---
+# Source: antrea/templates/crds/traceflow.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: traceflows.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - jsonPath: .status.phase
+ description: The phase of the Traceflow.
+ name: Phase
+ type: string
+ - jsonPath: .spec.source.pod
+ description: The name of the source Pod.
+ name: Source-Pod
+ type: string
+ priority: 10
+ - jsonPath: .spec.destination.pod
+ description: The name of the destination Pod.
+ name: Destination-Pod
+ type: string
+ priority: 10
+ - jsonPath: .spec.destination.ip
+ description: The IP address of the destination.
+ name: Destination-IP
+ type: string
+ priority: 10
+ - jsonPath: .spec.liveTraffic
+ description: Trace live traffic.
+ name: Live-Traffic
+ type: boolean
+ priority: 10
+ - jsonPath: .spec.droppedOnly
+ description: Capture only the dropped packet.
+ name: Dropped-Only
+ type: boolean
+ priority: 10
+ - jsonPath: .spec.timeout
+ description: Timeout in seconds.
+ name: Timeout
+ type: integer
+ priority: 10
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ schema:
+ openAPIV3Schema:
+ type: object
+ required:
+ - spec
+ properties:
+ spec:
+ type: object
+ properties:
+ source:
+ type: object
+ properties:
+ pod:
+ type: string
+ namespace:
+ type: string
+ ip:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ destination:
+ type: object
+ properties:
+ pod:
+ type: string
+ service:
+ type: string
+ namespace:
+ type: string
+ ip:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ packet:
+ type: object
+ properties:
+ ipHeader:
+ type: object
+ properties:
+ srcIP:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ protocol:
+ type: integer
+ ttl:
+ type: integer
+ flags:
+ type: integer
+ ipv6Header:
+ type: object
+ properties:
+ srcIP:
+ type: string
+ format: ipv6
+ nextHeader:
+ type: integer
+ hopLimit:
+ type: integer
+ transportHeader:
+ type: object
+ properties:
+ icmp:
+ type: object
+ properties:
+ id:
+ type: integer
+ sequence:
+ type: integer
+ udp:
+ type: object
+ properties:
+ srcPort:
+ type: integer
+ dstPort:
+ type: integer
+ tcp:
+ type: object
+ properties:
+ srcPort:
+ type: integer
+ dstPort:
+ type: integer
+ flags:
+ type: integer
+ liveTraffic:
+ type: boolean
+ droppedOnly:
+ type: boolean
+ timeout:
+ type: integer
+ status:
+ type: object
+ properties:
+ reason:
+ type: string
+ dataplaneTag:
+ type: integer
+ phase:
+ type: string
+ startTime:
+ type: string
+ results:
+ type: array
+ items:
+ type: object
+ properties:
+ node:
+ type: string
+ role:
+ type: string
+ timestamp:
+ type: integer
+ observations:
+ type: array
+ items:
+ type: object
+ properties:
+ component:
+ type: string
+ componentInfo:
+ type: string
+ action:
+ type: string
+ pod:
+ type: string
+ dstMAC:
+ type: string
+ networkPolicy:
+ type: string
+ ttl:
+ type: integer
+ translatedSrcIP:
+ type: string
+ translatedDstIP:
+ type: string
+ tunnelDstIP:
+ type: string
+ capturedPacket:
+ properties:
+ srcIP:
+ type: string
+ dstIP:
+ type: string
+ length:
+ type: integer
+ ipHeader:
+ properties:
+ flags:
+ type: integer
+ protocol:
+ type: integer
+ ttl:
+ type: integer
+ type: object
+ ipv6Header:
+ properties:
+ hopLimit:
+ type: integer
+ nextHeader:
+ type: integer
+ type: object
+ transportHeader:
+ properties:
+ tcp:
+ properties:
+ dstPort:
+ type: integer
+ srcPort:
+ type: integer
+ flags:
+ type: integer
+ type: object
+ udp:
+ properties:
+ dstPort:
+ type: integer
+ srcPort:
+ type: integer
+ type: object
+ icmp:
+ properties:
+ id:
+ type: integer
+ sequence:
+ type: integer
+ type: object
+ type: object
+ type: object
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: traceflows
+ singular: traceflow
+ kind: Traceflow
+ shortNames:
+ - tf
+---
+# Source: antrea/templates/agent/clusterrole.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-agent
+ labels:
+ app: antrea
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/status
+ verbs:
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - pods/status
+ verbs:
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - endpoints
+ - services
+ - namespaces
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - services/status
+ verbs:
+ - update
+ - apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - antreaagentinfos
+ verbs:
+ - get
+ - create
+ - update
+ - delete
+ - apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - networkpolicies
+ - appliedtogroups
+ - addressgroups
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - egressgroups
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - nodestatssummaries
+ verbs:
+ - create
+ - apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - networkpolicies/status
+ verbs:
+ - create
+ - get
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+ # This is the content of built-in role kube-system/extension-apiserver-authentication-reader.
+ # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-agent) will
+ # have permission issue after bumping up apiserver library to a version that supports dynamic authentication.
+ # See https://github.com/kubernetes/kubernetes/pull/85375
+ # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on
+ # the extension-apiserver-authentication role.
+ - apiGroups:
+ - ""
+ resourceNames:
+ - extension-apiserver-authentication
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ resourceNames:
+ - antrea-ca
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - traceflows
+ - traceflows/status
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - egresses
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - egresses/status
+ verbs:
+ - update
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - externalippools
+ - ippools
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - ippools/status
+ verbs:
+ - update
+ - apiGroups:
+ - k8s.cni.cncf.io
+ resources:
+ - network-attachment-definitions
+ verbs:
+ - get
+ - list
+ - watch
+---
+# Source: antrea/templates/antctl/clusterrole.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antctl
+ labels:
+ app: antrea
+rules:
+ - apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - networkpolicies
+ - appliedtogroups
+ - addressgroups
+ verbs:
+ - get
+ - list
+ - apiGroups:
+ - stats.antrea.io
+ resources:
+ - networkpolicystats
+ - antreaclusternetworkpolicystats
+ - antreanetworkpolicystats
+ verbs:
+ - get
+ - list
+ - apiGroups:
+ - system.antrea.io
+ resources:
+ - controllerinfos
+ - agentinfos
+ verbs:
+ - get
+ - apiGroups:
+ - system.antrea.io
+ resources:
+ - supportbundles
+ verbs:
+ - get
+ - post
+ - apiGroups:
+ - system.antrea.io
+ resources:
+ - supportbundles/download
+ verbs:
+ - get
+ - nonResourceURLs:
+ - /agentinfo
+ - /addressgroups
+ - /appliedtogroups
+ - /loglevel
+ - /networkpolicies
+ - /ovsflows
+ - /ovstracing
+ - /podinterfaces
+ - /featuregates
+ verbs:
+ - get
+---
+# Source: antrea/templates/cluster-identity-reader/clusterrolebinding.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-cluster-identity-reader
+ labels:
+ app: antrea
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ resourceNames:
+ - antrea-cluster-identity
+ verbs:
+ - get
+---
+# Source: antrea/templates/controller/clusterrole.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-controller
+ labels:
+ app: antrea
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - services
+ - namespaces
+ - configmaps
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - watch
+ - list
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - services/status
+ verbs:
+ - update
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - networkpolicies
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+ - apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - update
+ # This is the content of built-in role kube-system/extension-apiserver-authentication-reader.
+ # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-controller) will
+ # have permission issue after bumping up apiserver library to a version that supports dynamic authentication.
+ # See https://github.com/kubernetes/kubernetes/pull/85375
+ # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on
+ # the extension-apiserver-authentication role.
+ - apiGroups:
+ - ""
+ resourceNames:
+ - extension-apiserver-authentication
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ resourceNames:
+ - antrea-ca
+ - antrea-cluster-identity
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - apiGroups:
+ - apiregistration.k8s.io
+ resources:
+ - apiservices
+ resourceNames:
+ - v1alpha1.stats.antrea.io
+ - v1beta1.system.antrea.io
+ - v1beta2.controlplane.antrea.io
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - apiregistration.k8s.io
+ resources:
+ - apiservices
+ resourceNames:
+ - v1beta1.networking.antrea.tanzu.vmware.com
+ - v1beta1.controlplane.antrea.tanzu.vmware.com
+ - v1alpha1.stats.antrea.tanzu.vmware.com
+ - v1beta1.system.antrea.tanzu.vmware.com
+ - v1beta2.controlplane.antrea.tanzu.vmware.com
+ verbs:
+ - delete
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ resourceNames:
+ # always give permissions for labelsmutator.antrea.io, even when the
+ # feature is disabled, to avoid errors in antrea-controller when updating
+ # the CA cert.
+ - labelsmutator.antrea.io
+ - crdmutator.antrea.io
+ - crdvalidator.antrea.io
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - antreacontrollerinfos
+ verbs:
+ - get
+ - create
+ - update
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - antreaagentinfos
+ verbs:
+ - list
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - clusternetworkpolicies
+ - networkpolicies
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - clusternetworkpolicies/status
+ - networkpolicies/status
+ verbs:
+ - update
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - tiers
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - traceflows
+ - traceflows/status
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - externalentities
+ - clustergroups
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - clustergroups/status
+ verbs:
+ - update
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - egresses
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - externalippools
+ - ippools
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - externalippools/status
+ - ippools/status
+ verbs:
+ - update
+ - apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - watch
+---
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
metadata:
+ name: aggregate-antrea-policies-edit
labels:
app: antrea
- name: antrea-config-mkbgmf6ct6
- namespace: kube-system
+ # Add these permissions to the "admin" and "edit" default roles.
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["clusternetworkpolicies", "networkpolicies"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
-apiVersion: v1
-kind: Service
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: aggregate-antrea-policies-view
+ labels:
+ app: antrea
+ # Add these permissions to the "view" default role.
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["clusternetworkpolicies", "networkpolicies"]
+ verbs: ["get", "list", "watch"]
+---
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: aggregate-traceflows-edit
+ labels:
+ app: antrea
+ # Add these permissions to the "admin" and "edit" default roles.
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["traceflows"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
+ name: aggregate-traceflows-view
+ labels:
+ app: antrea
+ # Add these permissions to the "view" default role.
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["traceflows"]
+ verbs: ["get", "list", "watch"]
+---
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: aggregate-antrea-clustergroups-edit
+ labels:
+ app: antrea
+ # Add these permissions to the "admin" and "edit" default roles.
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["clustergroups"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: aggregate-antrea-clustergroups-view
+ labels:
+ app: antrea
+ # Add these permissions to the "view" default role.
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["clustergroups"]
+ verbs: ["get", "list", "watch"]
+---
+# Source: antrea/templates/agent/clusterrolebinding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-agent
+ labels:
+ app: antrea
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: antrea-agent
+subjects:
+ - kind: ServiceAccount
+ name: antrea-agent
+ namespace: kube-system
+---
+# Source: antrea/templates/antctl/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: antrea
+ name: antctl
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: antctl
+subjects:
+ - kind: ServiceAccount
+ name: antctl
+ namespace: kube-system
+---
+# Source: antrea/templates/controller/clusterrolebinding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-controller
labels:
app: antrea
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: antrea-controller
+subjects:
+ - kind: ServiceAccount
+ name: antrea-controller
+ namespace: kube-system
+---
+# Source: antrea/templates/controller/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
name: antrea
namespace: kube-system
+ labels:
+ app: antrea
spec:
ports:
- - port: 443
- protocol: TCP
- targetPort: api
+ - port: 443
+ protocol: TCP
+ targetPort: api
selector:
app: antrea
component: antrea-controller
---
+# Source: antrea/templates/agent/daemonset.yaml
apiVersion: apps/v1
-kind: Deployment
+kind: DaemonSet
metadata:
+ name: antrea-agent
+ namespace: kube-system
labels:
app: antrea
- component: antrea-controller
+ component: antrea-agent
+spec:
+ selector:
+ matchLabels:
+ app: antrea
+ component: antrea-agent
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ annotations:
+ # Starting with v1.21, Kubernetes supports default container annotation.
+ # Using "kubectl logs/exec/attach/cp" doesn't have to specify "-c antrea-agent" when troubleshooting.
+ kubectl.kubernetes.io/default-container: antrea-agent
+ # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
+ # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
+ checksum/config: cb46b22ec258614e4df2cc06aaaba03d2a3ecd008de23288dbdce9cd3cc68647
+ labels:
+ app: antrea
+ component: antrea-agent
+ spec:
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ priorityClassName: system-node-critical
+ nodeSelector:
+ kubernetes.io/os: linux
+ tolerations:
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - effect: NoSchedule
+ operator: Exists
+ - effect: NoExecute
+ operator: Exists
+ serviceAccountName: antrea-agent
+ initContainers:
+ - name: install-cni
+ image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest"
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: 100m
+ command: ["install_cni_chaining"]
+ securityContext:
+ capabilities:
+ add:
+ # SYS_MODULE is required to load the OVS kernel module.
+ - SYS_MODULE
+ env:
+ # SKIP_CNI_BINARIES takes in values as a comma separated list of
+ # binaries that need to be skipped for installation, e.g. "portmap, bandwidth".
+ - name: SKIP_CNI_BINARIES
+ value: ""
+ volumeMounts:
+ - name: antrea-config
+ mountPath: /etc/antrea/antrea-cni.conflist
+ subPath: antrea-cni.conflist
+ readOnly: true
+ - name: host-cni-conf
+ mountPath: /host/etc/cni/net.d
+ - name: host-cni-bin
+ mountPath: /host/opt/cni/bin
+ # For loading the OVS kernel module.
+ - name: host-lib-modules
+ mountPath: /lib/modules
+ readOnly: true
+ # For changing the default permissions of the run directory.
+ - name: host-var-run-antrea
+ mountPath: /var/run/antrea
+ containers:
+ - name: antrea-agent
+ image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest"
+ imagePullPolicy: IfNotPresent
+ command: ["antrea-agent"]
+ # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).-
+ args:
+ - "--config=/etc/antrea/antrea-agent.conf"
+ - "--logtostderr=false"
+ - "--log_dir=/var/log/antrea"
+ - "--alsologtostderr"
+ - "--log_file_max_size=100"
+ - "--log_file_max_num=4"
+ env:
+ # Provide pod and node information for clusterinformation CRD.
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ resources:
+ requests:
+ cpu: 200m
+ ports:
+ - containerPort: 10350
+ name: api
+ protocol: TCP
+ livenessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - container_liveness_probe agent
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
+ periodSeconds: 10
+ failureThreshold: 5
+ readinessProbe:
+ httpGet:
+ host: localhost
+ path: /readyz
+ port: api
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
+ periodSeconds: 10
+ # In large-scale clusters, it may take up to 40~50 seconds for the antrea-agent to reconnect to the antrea
+ # Service after the antrea-controller restarts. The antrea-agent shouldn't be reported as NotReady in this
+ # scenario, otherwise the DaemonSet controller would restart all agents at once, as opposed to performing a
+ # rolling update. Set failureThreshold to 8 so it can tolerate 70s of disconnection.
+ failureThreshold: 8
+ securityContext:
+ # antrea-agent needs to perform sysctl configuration.
+ privileged: true
+ volumeMounts:
+ - name: antrea-config
+ mountPath: /etc/antrea/antrea-agent.conf
+ subPath: antrea-agent.conf
+ readOnly: true
+ - name: host-var-run-antrea
+ mountPath: /var/run/antrea
+ - name: host-var-run-antrea
+ mountPath: /var/run/openvswitch
+ subPath: openvswitch
+ # host-local IPAM stores allocated IP addresses as files in /var/lib/cni/networks/$NETWORK_NAME.
+ # Mount a sub-directory of host-var-run-antrea to it for persistence of IP allocation.
+ - name: host-var-run-antrea
+ mountPath: /var/lib/cni
+ subPath: cni
+ # We need to mount both the /proc directory and the /var/run/netns directory so that
+ # antrea-agent can open the network namespace path when setting up Pod
+ # networking. Different container runtimes may use /proc or /var/run/netns when invoking
+ # the CNI commands. Docker uses /proc and containerd uses /var/run/netns.
+ - name: host-var-log-antrea
+ mountPath: /var/log/antrea
+ - name: host-proc
+ mountPath: /host/proc
+ readOnly: true
+ - name: host-var-run-netns
+ mountPath: /host/var/run/netns
+ readOnly: true
+ # When a container is created, a mount point for the network namespace is added under
+ # /var/run/netns on the host, which needs to be propagated to the antrea-agent container.
+ mountPropagation: HostToContainer
+ - name: xtables-lock
+ mountPath: /run/xtables.lock
+ - name: antrea-ovs
+ image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest"
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: 200m
+ command: ["start_ovs"]
+ args:
+ - "--log_file_max_size=100"
+ - "--log_file_max_num=4"
+ securityContext:
+ # capabilities required by OVS daemons
+ capabilities:
+ add:
+ - SYS_NICE
+ - NET_ADMIN
+ - SYS_ADMIN
+ - IPC_LOCK
+ livenessProbe:
+ exec:
+ # docker CRI doesn't honor timeoutSeconds, add "timeout" to the command as a workaround.
+ # https://github.com/kubernetes/kubernetes/issues/51901
+ command:
+ - /bin/sh
+ - -c
+ - timeout 10 container_liveness_probe ovs
+ initialDelaySeconds: 5
+ timeoutSeconds: 10
+ periodSeconds: 10
+ failureThreshold: 5
+ volumeMounts:
+ - name: host-var-run-antrea
+ mountPath: /var/run/openvswitch
+ subPath: openvswitch
+ - name: host-var-log-antrea
+ mountPath: /var/log/openvswitch
+ subPath: openvswitch
+ volumes:
+ - name: antrea-config
+ configMap:
+ name: antrea-config
+ - name: host-cni-conf
+ hostPath:
+ path: /etc/cni/net.d
+ - name: host-cni-bin
+ hostPath:
+ path: /opt/cni/bin
+ - name: host-proc
+ hostPath:
+ path: /proc
+ - name: host-var-run-netns
+ hostPath:
+ path: /var/run/netns
+ - name: host-var-run-antrea
+ hostPath:
+ path: /var/run/antrea
+ # we use subPath to create run subdirectories for different component (e.g. OVS) and
+ # subPath requires the base volume to exist
+ type: DirectoryOrCreate
+ - name: host-var-log-antrea
+ hostPath:
+ path: /var/log/antrea
+ # we use subPath to create logging subdirectories for different component (e.g. OVS)
+ type: DirectoryOrCreate
+ - name: host-lib-modules
+ hostPath:
+ path: /lib/modules
+ - name: xtables-lock
+ hostPath:
+ path: /run/xtables.lock
+ type: FileOrCreate
+---
+# Source: antrea/templates/controller/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
name: antrea-controller
namespace: kube-system
+ labels:
+ app: antrea
+ component: antrea-controller
spec:
- replicas: 1
+ strategy:
+ # Ensure the existing Pod is stopped before the new one is created.
+ type: Recreate
selector:
matchLabels:
app: antrea
component: antrea-controller
- strategy:
- type: Recreate
+ replicas: 1
template:
metadata:
+ annotations:
+ # Automatically restart Pod if the ConfigMap changes
+ # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
+ checksum/config: cb46b22ec258614e4df2cc06aaaba03d2a3ecd008de23288dbdce9cd3cc68647
labels:
app: antrea
component: antrea-controller
spec:
- containers:
- - args:
- - --config
- - /etc/antrea/antrea-controller.conf
- - --logtostderr=false
- - --log_dir=/var/log/antrea
- - --alsologtostderr
- - --log_file_max_size=100
- - --log_file_max_num=4
- - --v=0
- command:
- - antrea-controller
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- - name: SERVICEACCOUNT_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.serviceAccountName
- - name: ANTREA_CONFIG_MAP_NAME
- value: antrea-config-mkbgmf6ct6
- image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
- imagePullPolicy: IfNotPresent
- livenessProbe:
- failureThreshold: 5
- httpGet:
- host: localhost
- path: /livez
- port: api
- scheme: HTTPS
- periodSeconds: 10
- timeoutSeconds: 5
- name: antrea-controller
- ports:
- - containerPort: 10349
- name: api
- protocol: TCP
- readinessProbe:
- failureThreshold: 5
- httpGet:
- host: localhost
- path: /readyz
- port: api
- scheme: HTTPS
- initialDelaySeconds: 5
- periodSeconds: 10
- timeoutSeconds: 5
- resources:
- requests:
- cpu: 200m
- volumeMounts:
- - mountPath: /etc/antrea/antrea-controller.conf
- name: antrea-config
- readOnly: true
- subPath: antrea-controller.conf
- - mountPath: /var/run/antrea/antrea-controller-tls
- name: antrea-controller-tls
- - mountPath: /var/log/antrea
- name: host-var-log-antrea
- hostNetwork: true
nodeSelector:
kubernetes.io/os: linux
+ hostNetwork: true
priorityClassName: system-cluster-critical
- serviceAccountName: antrea-controller
tolerations:
- - key: CriticalAddonsOnly
- operator: Exists
- - effect: NoSchedule
- key: node-role.kubernetes.io/master
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/master
+ serviceAccountName: antrea-controller
+ containers:
+ - name: antrea-controller
+ image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest"
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: 200m
+ command: ["antrea-controller"]
+ # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).
+ args:
+ - "--config=/etc/antrea/antrea-controller.conf"
+ - "--logtostderr=false"
+ - "--log_dir=/var/log/antrea"
+ - "--alsologtostderr"
+ - "--log_file_max_size=100"
+ - "--log_file_max_num=4"
+ env:
+ # Provide pod and node information for clusterinformation CRD.
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ # Provide ServiceAccount name for validation webhook.
+ - name: SERVICEACCOUNT_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: ANTREA_CONFIG_MAP_NAME
+ value: antrea-config
+ ports:
+ - containerPort: 10349
+ name: api
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ host: localhost
+ path: /readyz
+ port: api
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
+ periodSeconds: 10
+ failureThreshold: 5
+ livenessProbe:
+ httpGet:
+ host: localhost
+ path: /livez
+ port: api
+ scheme: HTTPS
+ timeoutSeconds: 5
+ periodSeconds: 10
+ failureThreshold: 5
+ volumeMounts:
+ - name: antrea-config
+ mountPath: /etc/antrea/antrea-controller.conf
+ subPath: antrea-controller.conf
+ readOnly: true
+ - name: antrea-controller-tls
+ mountPath: /var/run/antrea/antrea-controller-tls
+ - name: host-var-log-antrea
+ mountPath: /var/log/antrea
volumes:
- - configMap:
- name: antrea-config-mkbgmf6ct6
- name: antrea-config
- - name: antrea-controller-tls
- secret:
- defaultMode: 256
- optional: true
- secretName: antrea-controller-tls
- - hostPath:
- path: /var/log/antrea
- type: DirectoryOrCreate
- name: host-var-log-antrea
+ - name: antrea-config
+ configMap:
+ name: antrea-config
+ # Make it optional as we only read it when selfSignedCert=false.
+ - name: antrea-controller-tls
+ secret:
+ secretName: antrea-controller-tls
+ defaultMode: 0400
+ optional: true
+ - name: host-var-log-antrea
+ hostPath:
+ path: /var/log/antrea
+ type: DirectoryOrCreate
---
+# Source: antrea/templates/controller/apiservices.yaml
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
+ name: v1beta2.controlplane.antrea.io
labels:
app: antrea
- name: v1alpha1.stats.antrea.io
spec:
- group: stats.antrea.io
+ group: controlplane.antrea.io
groupPriorityMinimum: 100
+ version: v1beta2
+ versionPriority: 100
service:
name: antrea
namespace: kube-system
- version: v1alpha1
- versionPriority: 100
---
+# Source: antrea/templates/controller/apiservices.yaml
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
+ name: v1beta1.system.antrea.io
labels:
app: antrea
- name: v1beta1.system.antrea.io
spec:
group: system.antrea.io
groupPriorityMinimum: 100
+ version: v1beta1
+ versionPriority: 100
service:
name: antrea
namespace: kube-system
- version: v1beta1
- versionPriority: 100
---
+# Source: antrea/templates/controller/apiservices.yaml
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
+ name: v1alpha1.stats.antrea.io
labels:
app: antrea
- name: v1beta2.controlplane.antrea.io
spec:
- group: controlplane.antrea.io
+ group: stats.antrea.io
groupPriorityMinimum: 100
+ version: v1alpha1
+ versionPriority: 100
service:
name: antrea
namespace: kube-system
- version: v1beta2
- versionPriority: 100
----
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- labels:
- app: antrea
- component: antrea-agent
- name: antrea-agent
- namespace: kube-system
-spec:
- selector:
- matchLabels:
- app: antrea
- component: antrea-agent
- template:
- metadata:
- annotations:
- kubectl.kubernetes.io/default-container: antrea-agent
- labels:
- app: antrea
- component: antrea-agent
- spec:
- containers:
- - args:
- - --config
- - /etc/antrea/antrea-agent.conf
- - --logtostderr=false
- - --log_dir=/var/log/antrea
- - --alsologtostderr
- - --log_file_max_size=100
- - --log_file_max_num=4
- - --v=0
- command:
- - antrea-agent
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
- imagePullPolicy: IfNotPresent
- livenessProbe:
- exec:
- command:
- - /bin/sh
- - -c
- - container_liveness_probe agent
- failureThreshold: 5
- initialDelaySeconds: 5
- periodSeconds: 10
- timeoutSeconds: 5
- name: antrea-agent
- ports:
- - containerPort: 10350
- name: api
- protocol: TCP
- readinessProbe:
- failureThreshold: 8
- httpGet:
- host: localhost
- path: /readyz
- port: api
- scheme: HTTPS
- initialDelaySeconds: 5
- periodSeconds: 10
- timeoutSeconds: 5
- resources:
- requests:
- cpu: 200m
- securityContext:
- privileged: true
- volumeMounts:
- - mountPath: /etc/antrea/antrea-agent.conf
- name: antrea-config
- readOnly: true
- subPath: antrea-agent.conf
- - mountPath: /var/run/antrea
- name: host-var-run-antrea
- - mountPath: /var/run/openvswitch
- name: host-var-run-antrea
- subPath: openvswitch
- - mountPath: /var/lib/cni
- name: host-var-run-antrea
- subPath: cni
- - mountPath: /var/log/antrea
- name: host-var-log-antrea
- - mountPath: /host/proc
- name: host-proc
- readOnly: true
- - mountPath: /host/var/run/netns
- mountPropagation: HostToContainer
- name: host-var-run-netns
- readOnly: true
- - mountPath: /run/xtables.lock
- name: xtables-lock
- - args:
- - --log_file_max_size=100
- - --log_file_max_num=4
- command:
- - start_ovs
- image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
- imagePullPolicy: IfNotPresent
- livenessProbe:
- exec:
- command:
- - /bin/sh
- - -c
- - timeout 10 container_liveness_probe ovs
- failureThreshold: 5
- initialDelaySeconds: 5
- periodSeconds: 10
- timeoutSeconds: 10
- name: antrea-ovs
- resources:
- requests:
- cpu: 200m
- securityContext:
- capabilities:
- add:
- - SYS_NICE
- - NET_ADMIN
- - SYS_ADMIN
- - IPC_LOCK
- volumeMounts:
- - mountPath: /var/run/openvswitch
- name: host-var-run-antrea
- subPath: openvswitch
- - mountPath: /var/log/openvswitch
- name: host-var-log-antrea
- subPath: openvswitch
- dnsPolicy: ClusterFirstWithHostNet
- hostNetwork: true
- initContainers:
- - command:
- - install_cni_chaining
- env:
- - name: SKIP_CNI_BINARIES
- value: ""
- image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
- imagePullPolicy: IfNotPresent
- name: install-cni
- resources:
- requests:
- cpu: 100m
- securityContext:
- capabilities:
- add:
- - SYS_MODULE
- volumeMounts:
- - mountPath: /etc/antrea/antrea-cni.conflist
- name: antrea-config
- readOnly: true
- subPath: antrea-cni.conflist
- - mountPath: /host/etc/cni/net.d
- name: host-cni-conf
- - mountPath: /host/opt/cni/bin
- name: host-cni-bin
- - mountPath: /lib/modules
- name: host-lib-modules
- readOnly: true
- - mountPath: /var/run/antrea
- name: host-var-run-antrea
- nodeSelector:
- kubernetes.io/os: linux
- priorityClassName: system-node-critical
- serviceAccountName: antrea-agent
- tolerations:
- - key: CriticalAddonsOnly
- operator: Exists
- - effect: NoSchedule
- operator: Exists
- - effect: NoExecute
- operator: Exists
- volumes:
- - configMap:
- name: antrea-config-mkbgmf6ct6
- name: antrea-config
- - hostPath:
- path: /etc/cni/net.d
- name: host-cni-conf
- - hostPath:
- path: /opt/cni/bin
- name: host-cni-bin
- - hostPath:
- path: /proc
- name: host-proc
- - hostPath:
- path: /var/run/netns
- name: host-var-run-netns
- - hostPath:
- path: /var/run/antrea
- type: DirectoryOrCreate
- name: host-var-run-antrea
- - hostPath:
- path: /var/log/antrea
- type: DirectoryOrCreate
- name: host-var-log-antrea
- - hostPath:
- path: /lib/modules
- name: host-lib-modules
- - hostPath:
- path: /run/xtables.lock
- type: FileOrCreate
- name: xtables-lock
- updateStrategy:
- type: RollingUpdate
---
+# Source: antrea/templates/webhooks/mutating/crdmutator.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
+ name: "crdmutator.antrea.io"
labels:
app: antrea
- name: crdmutator.antrea.io
webhooks:
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /mutate/acnp
- name: acnpmutator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha1
- operations:
- - CREATE
- - UPDATE
- resources:
- - clusternetworkpolicies
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /mutate/anp
- name: anpmutator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha1
- operations:
- - CREATE
- - UPDATE
- resources:
- - networkpolicies
- scope: Namespaced
- sideEffects: None
- timeoutSeconds: 5
+ - name: "acnpmutator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/mutate/acnp"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["clusternetworkpolicies"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "anpmutator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/mutate/anp"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["networkpolicies"]
+ scope: "Namespaced"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
---
+# Source: antrea/templates/webhooks/validating/crdvalidator.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
+ name: "crdvalidator.antrea.io"
labels:
app: antrea
- name: crdvalidator.antrea.io
webhooks:
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/tier
- name: tiervalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha1
- operations:
- - CREATE
- - UPDATE
- - DELETE
- resources:
- - tiers
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/acnp
- name: acnpvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha1
- operations:
- - CREATE
- - UPDATE
- resources:
- - clusternetworkpolicies
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/anp
- name: anpvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha1
- operations:
- - CREATE
- - UPDATE
- resources:
- - networkpolicies
- scope: Namespaced
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/clustergroup
- name: clustergroupvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha3
- - v1alpha2
- operations:
- - CREATE
- - UPDATE
- resources:
- - clustergroups
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/externalippool
- name: externalippoolvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha2
- operations:
- - UPDATE
- resources:
- - externalippools
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/egress
- name: egressvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha2
- operations:
- - CREATE
- - UPDATE
- resources:
- - egresses
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/ippool
- name: ippoolvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha2
- operations:
- - CREATE
- - UPDATE
- - DELETE
- resources:
- - ippools
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
+ - name: "tiervalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/tier"
+ rules:
+ - operations: ["CREATE", "UPDATE", "DELETE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["tiers"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "acnpvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/acnp"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["clusternetworkpolicies"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "anpvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/anp"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["networkpolicies"]
+ scope: "Namespaced"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "clustergroupvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/clustergroup"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha3", "v1alpha2"]
+ resources: ["clustergroups"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "externalippoolvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/externalippool"
+ rules:
+ - operations: ["UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha2"]
+ resources: ["externalippools"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "egressvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/egress"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha2"]
+ resources: ["egresses"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "ippoolvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/ippool"
+ rules:
+ - operations: ["CREATE", "UPDATE", "DELETE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha2"]
+ resources: ["ippools"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml
index c9c53a68803..17247b1db0a 100644
--- a/build/yamls/antrea-eks.yml
+++ b/build/yamls/antrea-eks.yml
@@ -1,2742 +1,39 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
+---
+# Source: antrea/templates/agent/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
metadata:
+ name: antrea-agent
+ namespace: kube-system
labels:
app: antrea
- name: antreaagentinfos.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: AntreaAgentInfo
- plural: antreaagentinfos
- shortNames:
- - aai
- singular: antreaagentinfo
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: Health status of this Agent
- jsonPath: .agentConditions[?(@.type=='AgentHealthy')].status
- name: Healthy
- type: string
- - description: Last time the Healthy Condition was updated
- jsonPath: .agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime
- name: Last Heartbeat
- type: date
- - description: Version of this Agent
- jsonPath: .version
- name: Version
- priority: 1
- type: string
- - description: Node on which this Agent is running
- jsonPath: .nodeRef.name
- name: Node
- priority: 1
- type: string
- - description: Number of local Pods managed by this Agent
- jsonPath: .localPodNum
- name: Num Pods
- priority: 2
- type: integer
- - description: Subnets used by this Agent for Pod IPAM
- jsonPath: .nodeSubnets
- name: Subnets
- priority: 2
- type: string
- name: v1beta1
- schema:
- openAPIV3Schema:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- served: true
- storage: true
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
+# Source: antrea/templates/antctl/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
metadata:
+ name: antctl
+ namespace: kube-system
labels:
app: antrea
- name: antreacontrollerinfos.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: AntreaControllerInfo
- plural: antreacontrollerinfos
- shortNames:
- - aci
- singular: antreacontrollerinfo
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: Health status of the Controller
- jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].status
- name: Healthy
- type: string
- - description: Last time the Healthy Condition was updated
- jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime
- name: Last Heartbeat
- type: date
- - description: Version of the Controller
- jsonPath: .version
- name: Version
- priority: 1
- type: string
- - description: Number of Agents connected to the Controller
- jsonPath: .connectedAgentNum
- name: Connected Agents
- priority: 1
- type: integer
- - description: Node on which the Controller is running
- jsonPath: .nodeRef.name
- name: Node
- priority: 1
- type: string
- - description: Number of Network Policies computed by Controller
- jsonPath: .networkPolicyControllerInfo.networkPolicyNum
- name: Num Network Policies
- priority: 2
- type: integer
- name: v1beta1
- schema:
- openAPIV3Schema:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- served: true
- storage: true
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
+# Source: antrea/templates/controller/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
metadata:
+ name: antrea-controller
+ namespace: kube-system
labels:
app: antrea
- name: clustergroups.crd.antrea.io
-spec:
- conversion:
- strategy: Webhook
- webhook:
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /convert/clustergroup
- conversionReviewVersions:
- - v1
- - v1beta1
- group: crd.antrea.io
- names:
- kind: ClusterGroup
- plural: clustergroups
- shortNames:
- - cg
- singular: clustergroup
- scope: Cluster
- versions:
- - name: v1alpha2
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- childGroups:
- items:
- type: string
- type: array
- externalEntitySelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- ipBlock:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- ipBlocks:
- items:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- type: array
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceReference:
- properties:
- name:
- type: string
- namespace:
- type: string
- type: object
- type: object
- status:
- properties:
- conditions:
- items:
- properties:
- lastTransitionTime:
- type: string
- status:
- type: string
- type:
- type: string
- type: object
- type: array
- type: object
- type: object
- served: true
- storage: false
- - name: v1alpha3
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- childGroups:
- items:
- type: string
- type: array
- externalEntitySelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- ipBlocks:
- items:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- type: array
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceReference:
- properties:
- name:
- type: string
- namespace:
- type: string
- type: object
- type: object
- status:
- properties:
- conditions:
- items:
- properties:
- lastTransitionTime:
- type: string
- status:
- type: string
- type:
- type: string
- type: object
- type: array
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
+# Source: antrea/templates/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
metadata:
+ name: antrea-config
+ namespace: kube-system
labels:
app: antrea
- name: clusternetworkpolicies.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: ClusterNetworkPolicy
- plural: clusternetworkpolicies
- shortNames:
- - acnp
- singular: clusternetworkpolicy
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: The Tier to which this ClusterNetworkPolicy belongs to.
- jsonPath: .spec.tier
- name: Tier
- type: string
- - description: The Priority of this ClusterNetworkPolicy relative to other policies.
- format: float
- jsonPath: .spec.priority
- name: Priority
- type: number
- - description: The total number of Nodes that should realize the NetworkPolicy.
- format: int32
- jsonPath: .status.desiredNodesRealized
- name: Desired Nodes
- type: number
- - description: The number of Nodes that have realized the NetworkPolicy.
- format: int32
- jsonPath: .status.currentNodesRealized
- name: Current Nodes
- type: number
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- appliedTo:
- items:
- properties:
- group:
- type: string
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceAccount:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- type: array
- egress:
- items:
- properties:
- action:
- enum:
- - Allow
- - Drop
- - Reject
- - Pass
- type: string
- appliedTo:
- items:
- properties:
- group:
- type: string
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceAccount:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- type: array
- enableLogging:
- type: boolean
- name:
- type: string
- ports:
- items:
- properties:
- endPort:
- type: integer
- port:
- x-kubernetes-int-or-string: true
- protocol:
- enum:
- - TCP
- - UDP
- - SCTP
- type: string
- type: object
- type: array
- to:
- items:
- properties:
- fqdn:
- type: string
- group:
- type: string
- ipBlock:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- namespaces:
- properties:
- match:
- type: string
- type: object
- nodeSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceAccount:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- type: array
- toServices:
- items:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: array
- required:
- - action
- type: object
- type: array
- ingress:
- items:
- properties:
- action:
- enum:
- - Allow
- - Drop
- - Reject
- - Pass
- type: string
- appliedTo:
- items:
- properties:
- group:
- type: string
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceAccount:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- type: array
- enableLogging:
- type: boolean
- from:
- items:
- properties:
- group:
- type: string
- ipBlock:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- namespaces:
- properties:
- match:
- enum:
- - Self
- type: string
- type: object
- nodeSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceAccount:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- type: array
- name:
- type: string
- ports:
- items:
- properties:
- endPort:
- type: integer
- port:
- x-kubernetes-int-or-string: true
- protocol:
- enum:
- - TCP
- - UDP
- - SCTP
- type: string
- type: object
- type: array
- required:
- - action
- type: object
- type: array
- priority:
- format: float
- maximum: 10000
- minimum: 1
- type: number
- tier:
- type: string
- required:
- - priority
- type: object
- status:
- properties:
- currentNodesRealized:
- type: integer
- desiredNodesRealized:
- type: integer
- observedGeneration:
- type: integer
- phase:
- type: string
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: egresses.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: Egress
- plural: egresses
- shortNames:
- - eg
- singular: egress
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: Specifies the SNAT IP address for the selected workloads.
- jsonPath: .spec.egressIP
- name: EgressIP
- type: string
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- - description: The Owner Node of egress IP
- jsonPath: .status.egressNode
- name: Node
- type: string
- name: v1alpha2
- schema:
- openAPIV3Schema:
- properties:
- spec:
- anyOf:
- - required:
- - egressIP
- - required:
- - externalIPPool
- properties:
- appliedTo:
- properties:
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- egressIP:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- externalIPPool:
- type: string
- required:
- - appliedTo
- type: object
- status:
- properties:
- egressNode:
- type: string
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: externalentities.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: ExternalEntity
- plural: externalentities
- shortNames:
- - ee
- singular: externalentity
- scope: Namespaced
- versions:
- - name: v1alpha2
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- endpoints:
- items:
- properties:
- ip:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- name:
- type: string
- type: object
- type: array
- externalNode:
- type: string
- ports:
- items:
- properties:
- name:
- type: string
- port:
- x-kubernetes-int-or-string: true
- protocol:
- enum:
- - TCP
- - UDP
- - SCTP
- type: string
- type: object
- type: array
- type: object
- type: object
- served: true
- storage: true
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- type: object
- served: false
- storage: false
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: externalippools.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: ExternalIPPool
- plural: externalippools
- shortNames:
- - eip
- singular: externalippool
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: The number of total IPs
- jsonPath: .status.usage.total
- name: Total
- type: integer
- - description: The number of allocated IPs
- jsonPath: .status.usage.used
- name: Used
- type: integer
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha2
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- ipRanges:
- items:
- oneOf:
- - required:
- - cidr
- - required:
- - start
- - end
- properties:
- cidr:
- format: cidr
- type: string
- end:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- start:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- type: object
- type: array
- nodeSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- required:
- - ipRanges
- - nodeSelector
- type: object
- status:
- properties:
- usage:
- properties:
- total:
- type: integer
- used:
- type: integer
- type: object
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: ippools.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: IPPool
- plural: ippools
- shortNames:
- - ipp
- singular: ippool
- scope: Cluster
- versions:
- - name: v1alpha2
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- ipRanges:
- items:
- oneOf:
- - required:
- - cidr
- - gateway
- - prefixLength
- - required:
- - start
- - end
- - gateway
- - prefixLength
- properties:
- cidr:
- format: cidr
- type: string
- end:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- gateway:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- prefixLength:
- type: integer
- start:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- vlan:
- maximum: 4094
- minimum: 0
- type: integer
- type: object
- type: array
- ipVersion:
- type: integer
- required:
- - ipVersion
- - ipRanges
- type: object
- status:
- properties:
- ipAddresses:
- items:
- properties:
- ipAddress:
- type: string
- owner:
- properties:
- pod:
- properties:
- containerID:
- type: string
- ifName:
- type: string
- name:
- type: string
- namespace:
- type: string
- type: object
- statefulSet:
- properties:
- index:
- type: integer
- name:
- type: string
- namespace:
- type: string
- type: object
- type: object
- phase:
- type: string
- type: object
- type: array
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: networkpolicies.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: NetworkPolicy
- plural: networkpolicies
- shortNames:
- - anp
- singular: networkpolicy
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: The Tier to which this Antrea NetworkPolicy belongs to.
- jsonPath: .spec.tier
- name: Tier
- type: string
- - description: The Priority of this Antrea NetworkPolicy relative to other policies.
- format: float
- jsonPath: .spec.priority
- name: Priority
- type: number
- - description: The total number of Nodes that should realize the NetworkPolicy.
- format: int32
- jsonPath: .status.desiredNodesRealized
- name: Desired Nodes
- type: number
- - description: The number of Nodes that have realized the NetworkPolicy.
- format: int32
- jsonPath: .status.currentNodesRealized
- name: Current Nodes
- type: number
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- appliedTo:
- items:
- properties:
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- egress:
- items:
- properties:
- action:
- enum:
- - Allow
- - Drop
- - Reject
- - Pass
- type: string
- appliedTo:
- items:
- properties:
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- enableLogging:
- type: boolean
- name:
- type: string
- ports:
- items:
- properties:
- endPort:
- type: integer
- port:
- x-kubernetes-int-or-string: true
- protocol:
- enum:
- - TCP
- - UDP
- - SCTP
- type: string
- type: object
- type: array
- to:
- items:
- properties:
- externalEntitySelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- fqdn:
- type: string
- ipBlock:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- nodeSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- toServices:
- items:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- type: object
- type: array
- required:
- - action
- type: object
- type: array
- ingress:
- items:
- properties:
- action:
- enum:
- - Allow
- - Drop
- - Reject
- - Pass
- type: string
- appliedTo:
- items:
- properties:
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- enableLogging:
- type: boolean
- from:
- items:
- properties:
- externalEntitySelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- ipBlock:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- nodeSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- name:
- type: string
- ports:
- items:
- properties:
- endPort:
- type: integer
- port:
- x-kubernetes-int-or-string: true
- protocol:
- enum:
- - TCP
- - UDP
- - SCTP
- type: string
- type: object
- type: array
- required:
- - action
- type: object
- type: array
- priority:
- format: float
- maximum: 10000
- minimum: 1
- type: number
- tier:
- type: string
- required:
- - priority
- type: object
- status:
- properties:
- currentNodesRealized:
- type: integer
- desiredNodesRealized:
- type: integer
- observedGeneration:
- type: integer
- phase:
- type: string
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: tiers.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: Tier
- plural: tiers
- shortNames:
- - tr
- singular: tier
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: The Priority of this Tier relative to other Tiers.
- jsonPath: .spec.priority
- name: Priority
- type: integer
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- description:
- type: string
- priority:
- maximum: 255
- minimum: 0
- type: integer
- required:
- - priority
- type: object
- type: object
- served: true
- storage: true
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: traceflows.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: Traceflow
- plural: traceflows
- shortNames:
- - tf
- singular: traceflow
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: The phase of the Traceflow.
- jsonPath: .status.phase
- name: Phase
- type: string
- - description: The name of the source Pod.
- jsonPath: .spec.source.pod
- name: Source-Pod
- priority: 10
- type: string
- - description: The name of the destination Pod.
- jsonPath: .spec.destination.pod
- name: Destination-Pod
- priority: 10
- type: string
- - description: The IP address of the destination.
- jsonPath: .spec.destination.ip
- name: Destination-IP
- priority: 10
- type: string
- - description: Trace live traffic.
- jsonPath: .spec.liveTraffic
- name: Live-Traffic
- priority: 10
- type: boolean
- - description: Capture only the dropped packet.
- jsonPath: .spec.droppedOnly
- name: Dropped-Only
- priority: 10
- type: boolean
- - description: Timeout in seconds.
- jsonPath: .spec.timeout
- name: Timeout
- priority: 10
- type: integer
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- destination:
- properties:
- ip:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- namespace:
- type: string
- pod:
- type: string
- service:
- type: string
- type: object
- droppedOnly:
- type: boolean
- liveTraffic:
- type: boolean
- packet:
- properties:
- ipHeader:
- properties:
- flags:
- type: integer
- protocol:
- type: integer
- srcIP:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- ttl:
- type: integer
- type: object
- ipv6Header:
- properties:
- hopLimit:
- type: integer
- nextHeader:
- type: integer
- srcIP:
- format: ipv6
- type: string
- type: object
- transportHeader:
- properties:
- icmp:
- properties:
- id:
- type: integer
- sequence:
- type: integer
- type: object
- tcp:
- properties:
- dstPort:
- type: integer
- flags:
- type: integer
- srcPort:
- type: integer
- type: object
- udp:
- properties:
- dstPort:
- type: integer
- srcPort:
- type: integer
- type: object
- type: object
- type: object
- source:
- properties:
- ip:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- namespace:
- type: string
- pod:
- type: string
- type: object
- timeout:
- type: integer
- type: object
- status:
- properties:
- capturedPacket:
- properties:
- dstIP:
- type: string
- ipHeader:
- properties:
- flags:
- type: integer
- protocol:
- type: integer
- ttl:
- type: integer
- type: object
- ipv6Header:
- properties:
- hopLimit:
- type: integer
- nextHeader:
- type: integer
- type: object
- length:
- type: integer
- srcIP:
- type: string
- transportHeader:
- properties:
- icmp:
- properties:
- id:
- type: integer
- sequence:
- type: integer
- type: object
- tcp:
- properties:
- dstPort:
- type: integer
- flags:
- type: integer
- srcPort:
- type: integer
- type: object
- udp:
- properties:
- dstPort:
- type: integer
- srcPort:
- type: integer
- type: object
- type: object
- type: object
- dataplaneTag:
- type: integer
- phase:
- type: string
- reason:
- type: string
- results:
- items:
- properties:
- node:
- type: string
- observations:
- items:
- properties:
- action:
- type: string
- component:
- type: string
- componentInfo:
- type: string
- dstMAC:
- type: string
- networkPolicy:
- type: string
- pod:
- type: string
- translatedDstIP:
- type: string
- translatedSrcIP:
- type: string
- ttl:
- type: integer
- tunnelDstIP:
- type: string
- type: object
- type: array
- role:
- type: string
- timestamp:
- type: integer
- type: object
- type: array
- startTime:
- type: string
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app: antrea
- name: antctl
- namespace: kube-system
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app: antrea
- name: antrea-agent
- namespace: kube-system
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app: antrea
- name: antrea-controller
- namespace: kube-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
- name: aggregate-antrea-clustergroups-edit
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - clustergroups
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-view: "true"
- name: aggregate-antrea-clustergroups-view
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - clustergroups
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
- name: aggregate-antrea-policies-edit
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - clusternetworkpolicies
- - networkpolicies
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-view: "true"
- name: aggregate-antrea-policies-view
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - clusternetworkpolicies
- - networkpolicies
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
- name: aggregate-traceflows-edit
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - traceflows
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-view: "true"
- name: aggregate-traceflows-view
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - traceflows
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- name: antctl
-rules:
-- apiGroups:
- - controlplane.antrea.io
- resources:
- - networkpolicies
- - appliedtogroups
- - addressgroups
- verbs:
- - get
- - list
-- apiGroups:
- - stats.antrea.io
- resources:
- - networkpolicystats
- - antreaclusternetworkpolicystats
- - antreanetworkpolicystats
- verbs:
- - get
- - list
-- apiGroups:
- - system.antrea.io
- resources:
- - controllerinfos
- - agentinfos
- verbs:
- - get
-- apiGroups:
- - system.antrea.io
- resources:
- - supportbundles
- verbs:
- - get
- - post
-- apiGroups:
- - system.antrea.io
- resources:
- - supportbundles/download
- verbs:
- - get
-- nonResourceURLs:
- - /agentinfo
- - /addressgroups
- - /appliedtogroups
- - /loglevel
- - /networkpolicies
- - /ovsflows
- - /ovstracing
- - /podinterfaces
- - /featuregates
- verbs:
- - get
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- name: antrea-agent
-rules:
-- apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - ""
- resources:
- - nodes/status
- verbs:
- - patch
-- apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - ""
- resources:
- - pods/status
- verbs:
- - patch
-- apiGroups:
- - ""
- resources:
- - endpoints
- - services
- - namespaces
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - ""
- resources:
- - services/status
- verbs:
- - update
-- apiGroups:
- - discovery.k8s.io
- resources:
- - endpointslices
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - crd.antrea.io
- resources:
- - antreaagentinfos
- verbs:
- - get
- - create
- - update
- - delete
-- apiGroups:
- - controlplane.antrea.io
- resources:
- - networkpolicies
- - appliedtogroups
- - addressgroups
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - controlplane.antrea.io
- resources:
- - egressgroups
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - controlplane.antrea.io
- resources:
- - nodestatssummaries
- verbs:
- - create
-- apiGroups:
- - controlplane.antrea.io
- resources:
- - networkpolicies/status
- verbs:
- - create
- - get
-- apiGroups:
- - authentication.k8s.io
- resources:
- - tokenreviews
- verbs:
- - create
-- apiGroups:
- - authorization.k8s.io
- resources:
- - subjectaccessreviews
- verbs:
- - create
-- apiGroups:
- - ""
- resourceNames:
- - extension-apiserver-authentication
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ""
- resourceNames:
- - antrea-ca
- resources:
- - configmaps
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - crd.antrea.io
- resources:
- - traceflows
- - traceflows/status
- verbs:
- - get
- - watch
- - list
- - update
- - patch
- - create
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - egresses
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - crd.antrea.io
- resources:
- - egresses/status
- verbs:
- - update
-- apiGroups:
- - crd.antrea.io
- resources:
- - externalippools
- - ippools
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - crd.antrea.io
- resources:
- - ippools/status
- verbs:
- - update
-- apiGroups:
- - k8s.cni.cncf.io
- resources:
- - network-attachment-definitions
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- name: antrea-cluster-identity-reader
-rules:
-- apiGroups:
- - ""
- resourceNames:
- - antrea-cluster-identity
- resources:
- - configmaps
- verbs:
- - get
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- name: antrea-controller
-rules:
-- apiGroups:
- - ""
- resources:
- - pods
- - services
- - namespaces
- - configmaps
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - get
- - watch
- - list
- - patch
-- apiGroups:
- - ""
- resources:
- - services/status
- verbs:
- - update
-- apiGroups:
- - networking.k8s.io
- resources:
- - networkpolicies
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - authentication.k8s.io
- resources:
- - tokenreviews
- verbs:
- - create
-- apiGroups:
- - authorization.k8s.io
- resources:
- - subjectaccessreviews
- verbs:
- - create
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - get
- - update
-- apiGroups:
- - ""
- resourceNames:
- - extension-apiserver-authentication
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ""
- resourceNames:
- - antrea-ca
- - antrea-cluster-identity
- resources:
- - configmaps
- verbs:
- - get
- - update
-- apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - create
-- apiGroups:
- - apiregistration.k8s.io
- resourceNames:
- - v1alpha1.stats.antrea.io
- - v1beta1.system.antrea.io
- - v1beta2.controlplane.antrea.io
- resources:
- - apiservices
- verbs:
- - get
- - update
-- apiGroups:
- - apiregistration.k8s.io
- resourceNames:
- - v1beta1.networking.antrea.tanzu.vmware.com
- - v1beta1.controlplane.antrea.tanzu.vmware.com
- - v1alpha1.stats.antrea.tanzu.vmware.com
- - v1beta1.system.antrea.tanzu.vmware.com
- - v1beta2.controlplane.antrea.tanzu.vmware.com
- resources:
- - apiservices
- verbs:
- - delete
-- apiGroups:
- - admissionregistration.k8s.io
- resourceNames:
- - labelsmutator.antrea.io
- - crdmutator.antrea.io
- - crdvalidator.antrea.io
- resources:
- - mutatingwebhookconfigurations
- - validatingwebhookconfigurations
- verbs:
- - get
- - update
-- apiGroups:
- - crd.antrea.io
- resources:
- - antreacontrollerinfos
- verbs:
- - get
- - create
- - update
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - antreaagentinfos
- verbs:
- - list
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - clusternetworkpolicies
- - networkpolicies
- verbs:
- - get
- - watch
- - list
- - update
- - patch
- - create
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - clusternetworkpolicies/status
- - networkpolicies/status
- verbs:
- - update
-- apiGroups:
- - crd.antrea.io
- resources:
- - tiers
- verbs:
- - get
- - watch
- - list
- - update
- - patch
- - create
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - traceflows
- - traceflows/status
- verbs:
- - get
- - watch
- - list
- - update
- - patch
- - create
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - externalentities
- - clustergroups
- verbs:
- - get
- - watch
- - list
- - update
- - patch
- - create
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - clustergroups/status
- verbs:
- - update
-- apiGroups:
- - crd.antrea.io
- resources:
- - egresses
- verbs:
- - get
- - watch
- - list
- - update
- - patch
-- apiGroups:
- - crd.antrea.io
- resources:
- - externalippools
- - ippools
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - crd.antrea.io
- resources:
- - externalippools/status
- - ippools/status
- verbs:
- - update
-- apiGroups:
- - apps
- resources:
- - statefulsets
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app: antrea
- name: antctl
- namespace: kube-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: antctl
-subjects:
-- kind: ServiceAccount
- name: antctl
- namespace: kube-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app: antrea
- name: antrea-agent
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: antrea-agent
-subjects:
-- kind: ServiceAccount
- name: antrea-agent
- namespace: kube-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app: antrea
- name: antrea-controller
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: antrea-controller
-subjects:
-- kind: ServiceAccount
- name: antrea-controller
- namespace: kube-system
----
-apiVersion: v1
data:
antrea-agent.conf: |
# FeatureGates is a map of feature names to bools that enable or disable experimental features.
@@ -2790,19 +87,18 @@ data:
# Name of the OpenVSwitch bridge antrea-agent will create and use.
# Make sure it doesn't conflict with your existing OpenVSwitch bridges.
- #ovsBridge: br-int
+ ovsBridge: "br-int"
# Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are:
# - system
# - netdev
# 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run
- # OVS in userspace mode (not fully supported yet). Userspace mode requires the tun device driver to
- # be available.
+ # OVS in userspace mode. Userspace mode requires the tun device driver to be available.
#ovsDatapathType: system
# Name of the interface antrea-agent will create and use for host <--> pod communication.
# Make sure it doesn't conflict with your existing interfaces.
- #hostGateway: antrea-gw0
+ hostGateway: "antrea-gw0"
# Determines how traffic is encapsulated. It has the following options:
# encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network
@@ -2814,14 +110,14 @@ data:
# networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod
# IPAM and connectivity to the primary CNI.
#
- trafficEncapMode: networkPolicyOnly
+ trafficEncapMode: "networkPolicyOnly"
# Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network.
# This option is for the noEncap traffic mode only, and the default value is false. In the noEncap
# mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to
# the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never
# performs SNAT and this option will be ignored; for other modes it must be set to false.
- #noSNAT: false
+ noSNAT: false
# Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode,
# this option will not take effect. Supported values:
@@ -2830,7 +126,7 @@ data:
# - gre
# - stt
# Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters).
- #tunnelType: geneve
+ tunnelType: "geneve"
# Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode.
# It has the following options:
@@ -2840,7 +136,7 @@ data:
# the PSK value must be passed to Antrea Agent through an environment
# variable: ANTREA_IPSEC_PSK.
# - wireGuard: Enable WireGuard for tunnel traffic encryption.
- #trafficEncryptionMode: none
+ trafficEncryptionMode: "none"
# Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected
# to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are
@@ -2849,35 +145,40 @@ data:
# This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only
# IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`,
# `trafficEncapMode` is `noEncap`, and `noSNAT` is true.
- #enableBridgingMode: false
+ enableBridgingMode: false
# Default MTU to use for the host gateway interface and the network interface of each Pod.
# If omitted, antrea-agent will discover the MTU of the Node's primary interface and
# also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
- #defaultMTU: 0
+ defaultMTU: 0
# wireGuard specifies WireGuard related configurations.
wireGuard:
- # The port for WireGuard to receive traffic.
- # port: 51820
+ # The port for WireGuard to receive traffic.
+ port: 51820
egress:
- # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses.
- # exceptCIDRs: []
+ # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses.
+ exceptCIDRs:
+
+ # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
+ # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
+ # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
+ serviceCIDR: ""
# ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
# cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
# --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
# No default value for this field.
- #serviceCIDRv6:
+ serviceCIDRv6: ""
# The port for the antrea-agent APIServer to serve on.
# Note that if it's set to another value, the `containerPort` of the `api` port of the
# `antrea-agent` container must be set to the same value.
- #apiPort: 10350
+ apiPort: 10350
# Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
- #enablePrometheusMetrics: true
+ enablePrometheusMetrics: true
# Provide the IPFIX collector address as a string with format :[][:].
# HOST can either be the DNS name or the IP of the Flow Collector. For example,
@@ -2888,50 +189,50 @@ data:
# If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
# "udp" protocols. "tls" is used for securing communication between flow exporter and
# flow aggregator.
- #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
+ flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
# Provide flow poll interval as a duration string. This determines how often the
# flow exporter dumps connections from the conntrack module. Flow poll interval
# should be greater than or equal to 1s (one second).
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
- #flowPollInterval: "5s"
+ flowPollInterval: "5s"
# Provide the active flow export timeout, which is the timeout after which a flow
# record is sent to the collector for active flows. Thus, for flows with a continuous
# stream of packets, a flow record will be exported to the collector once the elapsed
# time since the last export event is equal to the value of this timeout.
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
- #activeFlowExportTimeout: "30s"
+ activeFlowExportTimeout: "5s"
# Provide the idle flow export timeout, which is the timeout after which a flow
# record is sent to the collector for idle flows. A flow is considered idle if no
# packet matching this flow has been observed since the last export event.
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
- #idleFlowExportTimeout: "15s"
+ idleFlowExportTimeout: "15s"
nodePortLocal:
# Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To
# enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature
# gate is also enabled (which is the default).
- # enable: false
+ enable: false
# Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port
# from that range will be assigned whenever a Pod's container defines a specific port to be exposed
# (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic
# directed to that port will be forwarded to the Pod.
- # portRange: 61000-62000
+ portRange: "61000-62000"
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
- #kubeAPIServerOverride: ""
+ kubeAPIServerOverride: ""
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
# https://golang.org/pkg/crypto/tls/#pkg-constants
# Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
# prefer TLS1.3 Cipher Suites whenever possible.
- #tlsCipherSuites:
+ tlsCipherSuites: ""
# TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
- #tlsMinVersion:
+ tlsMinVersion: ""
# The name of the interface on Node which is used for tunneling or routing the traffic across Nodes.
# If there are multiple IP addresses configured on the interface, the first one is used. The IP
@@ -2940,11 +241,11 @@ data:
# 1. transportInterface
# 2. transportInterfaceCIDRs
# 3. The Node IP
- #transportInterface:
+ transportInterface: ""
# The names of the interfaces on Nodes that are used to forward multicast traffic.
# Defaults to transport interface if not set.
- #multicastInterfaces: []
+ multicastInterfaces:
# The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across
# Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The
@@ -2953,7 +254,7 @@ data:
# 1. transportInterface
# 2. transportInterfaceCIDRs
# 3. The Node IP
- #transportInterfaceCIDRs: [,]
+ transportInterfaceCIDRs:
# Option antreaProxy contains AntreaProxy related configuration options.
antreaProxy:
@@ -2962,22 +263,22 @@ data:
# feature to be enabled.
# Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access
# apiserver directly.
- #proxyAll: false
+ proxyAll: false
# A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks.
# (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses.
# Note that the option is only valid when proxyAll is true.
- #nodePortAddresses: []
+ nodePortAddresses:
# An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these
# Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name
# with Namespace (e.g. kube-system/kube-dns)
- #skipServices: []
+ skipServices:
# When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the
# External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional
# capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the
# external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy.
# Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and
# kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic.
- #proxyLoadBalancerIPs: true
+ proxyLoadBalancerIPs: true
antrea-cni.conflist: |
{
"cniVersion":"0.3.0",
@@ -2988,11 +289,13 @@ data:
"ipam": {
"type": "host-local"
}
- },
+ }
+ ,
{
"type": "portmap",
"capabilities": {"portMappings": true}
- },
+ }
+ ,
{
"type": "bandwidth",
"capabilities": {"bandwidth": true}
@@ -3030,661 +333,3319 @@ data:
# The port for the antrea-controller APIServer to serve on.
# Note that if it's set to another value, the `containerPort` of the `api` port of the
# `antrea-controller` container must be set to the same value.
- #apiPort: 10349
+ apiPort: 10349
# Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
- #enablePrometheusMetrics: true
+ enablePrometheusMetrics: true
# Indicates whether to use auto-generated self-signed TLS certificate.
- # If false, A Secret named "antrea-controller-tls" must be provided with the following keys:
+ # If false, a Secret named "antrea-controller-tls" must be provided with the following keys:
# ca.crt:
# tls.crt:
# tls.key:
- # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
- # antrea-controller container.
- #selfSignedCert: true
+ selfSignedCert: true
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
# https://golang.org/pkg/crypto/tls/#pkg-constants
# Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
# prefer TLS1.3 Cipher Suites whenever possible.
- #tlsCipherSuites:
+ tlsCipherSuites: ""
# TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
- #tlsMinVersion:
+ tlsMinVersion: ""
nodeIPAM:
- # Enable the integrated Node IPAM controller within the Antrea controller.
- # enableNodeIPAM: false
-
- # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges.
- # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family.
- # Value ignored when enableNodeIPAM is false.
- # clusterCIDRs: []
-
- # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs.
- # Value ignored when enableNodeIPAM is false.
- # serviceCIDR:
- # serviceCIDRv6:
-
- # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false
- # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30.
- # nodeCIDRMaskSizeIPv4: 24
-
- # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false
- # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
- # nodeCIDRMaskSizeIPv6: 64
-kind: ConfigMap
+ # Enable the integrated Node IPAM controller within the Antrea controller.
+ enableNodeIPAM: false
+ # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges.
+ # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family.
+ # Value ignored when enableNodeIPAM is false.
+ clusterCIDRs:
+ # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs.
+ # Value ignored when enableNodeIPAM is false.
+ serviceCIDR: ""
+ serviceCIDRv6: ""
+ # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false
+ # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30.
+ nodeCIDRMaskSizeIPv4: 24
+ # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false
+ # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
+ nodeCIDRMaskSizeIPv6: 64
+---
+# Source: antrea/templates/crds/antreaagentinfo.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: antreaagentinfos.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - description: Health status of this Agent
+ jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status"
+ name: Healthy
+ type: string
+ - description: Last time the Healthy Condition was updated
+ jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime"
+ name: Last Heartbeat
+ type: date
+ - description: Version of this Agent
+ jsonPath: ".version"
+ name: Version
+ type: string
+ priority: 1
+ - description: Node on which this Agent is running
+ jsonPath: ".nodeRef.name"
+ name: Node
+ type: string
+ priority: 1
+ - description: Number of local Pods managed by this Agent
+ jsonPath: ".localPodNum"
+ name: Num Pods
+ type: integer
+ priority: 2
+ - description: Subnets used by this Agent for Pod IPAM
+ jsonPath: ".nodeSubnets"
+ name: Subnets
+ type: string
+ priority: 2
+ scope: Cluster
+ names:
+ plural: antreaagentinfos
+ singular: antreaagentinfo
+ kind: AntreaAgentInfo
+ shortNames:
+ - aai
+---
+# Source: antrea/templates/crds/antreacontrollerinfo.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: antreacontrollerinfos.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - description: Health status of the Controller
+ jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status"
+ name: Healthy
+ type: string
+ - description: Last time the Healthy Condition was updated
+ jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime"
+ name: Last Heartbeat
+ type: date
+ - description: Version of the Controller
+ jsonPath: ".version"
+ name: Version
+ type: string
+ priority: 1
+ - description: Number of Agents connected to the Controller
+ jsonPath: ".connectedAgentNum"
+ name: Connected Agents
+ type: integer
+ priority: 1
+ - description: Node on which the Controller is running
+ jsonPath: ".nodeRef.name"
+ name: Node
+ type: string
+ priority: 1
+ - description: Number of Network Policies computed by Controller
+ jsonPath: ".networkPolicyControllerInfo.networkPolicyNum"
+ name: Num Network Policies
+ type: integer
+ priority: 2
+ scope: Cluster
+ names:
+ plural: antreacontrollerinfos
+ singular: antreacontrollerinfo
+ kind: AntreaControllerInfo
+ shortNames:
+ - aci
+---
+# Source: antrea/templates/crds/clustergroup.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clustergroups.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: false
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ childGroups:
+ type: array
+ items:
+ type: string
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ externalEntitySelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ ipBlocks:
+ type: array
+ items:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ serviceReference:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ status:
+ type: object
+ properties:
+ conditions:
+ type: array
+ items:
+ type: object
+ properties:
+ type:
+ type: string
+ status:
+ type: string
+ lastTransitionTime:
+ type: string
+ - name: v1alpha3
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ childGroups:
+ type: array
+ items:
+ type: string
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ externalEntitySelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ipBlocks:
+ type: array
+ items:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ serviceReference:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ status:
+ type: object
+ properties:
+ conditions:
+ type: array
+ items:
+ type: object
+ properties:
+ type:
+ type: string
+ status:
+ type: string
+ lastTransitionTime:
+ type: string
+ subresources:
+ status: {}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions: ["v1", "v1beta1"]
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: "kube-system"
+ path: "/convert/clustergroup"
+ scope: Cluster
+ names:
+ plural: clustergroups
+ singular: clustergroup
+ kind: ClusterGroup
+ shortNames:
+ - cg
+---
+# Source: antrea/templates/crds/clusternetworkpolicy.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusternetworkpolicies.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - name: Tier
+ type: string
+ description: The Tier to which this ClusterNetworkPolicy belongs to.
+ jsonPath: .spec.tier
+ - name: Priority
+ type: number
+ format: float
+ description: The Priority of this ClusterNetworkPolicy relative to other policies.
+ jsonPath: .spec.priority
+ - name: Desired Nodes
+ type: number
+ format: int32
+ description: The total number of Nodes that should realize the NetworkPolicy.
+ jsonPath: .status.desiredNodesRealized
+ - name: Current Nodes
+ type: number
+ format: int32
+ description: The number of Nodes that have realized the NetworkPolicy.
+ jsonPath: .status.currentNodesRealized
+ - name: Age
+ type: date
+ jsonPath: .metadata.creationTimestamp
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ # Ensure that Spec.Priority field is set
+ required:
+ - priority
+ type: object
+ properties:
+ tier:
+ type: string
+ priority:
+ type: number
+ format: float
+ # Ensure that Spec.Priority field is between 1 and 10000
+ minimum: 1.0
+ maximum: 10000.0
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that Spec.AppliedTo does not allow IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ group:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ ingress:
+ type: array
+ items:
+ type: object
+ required:
+ - action
+ properties:
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that rule AppliedTo does not allow IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ group:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ # Ensure that Action field allows only ALLOW, DROP and REJECT values
+ action:
+ type: string
+ enum: ['Allow', 'Drop', 'Reject', 'Pass']
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ endPort:
+ type: integer
+ from:
+ type: array
+ items:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaces:
+ type: object
+ properties:
+ match:
+ enum:
+ - Self
+ type: string
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ group:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ name:
+ type: string
+ enableLogging:
+ type: boolean
+ egress:
+ type: array
+ items:
+ type: object
+ required:
+ - action
+ properties:
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that rule AppliedTo does not allow IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ group:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ # Ensure that Action field allows only ALLOW, DROP and REJECT values
+ action:
+ type: string
+ enum: ['Allow', 'Drop', 'Reject', 'Pass']
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ endPort:
+ type: integer
+ to:
+ type: array
+ items:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaces:
+ type: object
+ properties:
+ match:
+ type: string
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ group:
+ type: string
+ fqdn:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ toServices:
+ type: array
+ items:
+ type: object
+ required:
+ - name
+ - namespace
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ name:
+ type: string
+ enableLogging:
+ type: boolean
+ status:
+ type: object
+ properties:
+ phase:
+ type: string
+ observedGeneration:
+ type: integer
+ currentNodesRealized:
+ type: integer
+ desiredNodesRealized:
+ type: integer
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: clusternetworkpolicies
+ singular: clusternetworkpolicy
+ kind: ClusterNetworkPolicy
+ shortNames:
+ - acnp
+---
+# Source: antrea/templates/crds/egress.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: egresses.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ required:
+ - spec
+ properties:
+ spec:
+ type: object
+ required:
+ - appliedTo
+ anyOf:
+ - required:
+ - egressIP
+ - required:
+ - externalIPPool
+ properties:
+ appliedTo:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ egressIP:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ externalIPPool:
+ type: string
+ status:
+ type: object
+ properties:
+ egressNode:
+ type: string
+ additionalPrinterColumns:
+ - description: Specifies the SNAT IP address for the selected workloads.
+ jsonPath: .spec.egressIP
+ name: EgressIP
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ - description: The Owner Node of egress IP
+ jsonPath: .status.egressNode
+ name: Node
+ type: string
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: egresses
+ singular: egress
+ kind: Egress
+ shortNames:
+ - eg
+---
+# Source: antrea/templates/crds/externalentity.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: externalentities.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ endpoints:
+ type: array
+ items:
+ type: object
+ properties:
+ ip:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ name:
+ type: string
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ name:
+ type: string
+ externalNode:
+ type: string
+ - name: v1alpha1
+ served: false
+ storage: false
+ schema:
+ openAPIV3Schema:
+ type: object
+ scope: Namespaced
+ names:
+ plural: externalentities
+ singular: externalentity
+ kind: ExternalEntity
+ shortNames:
+ - ee
+---
+# Source: antrea/templates/crds/externalippool.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: externalippools.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ required:
+ - spec
+ properties:
+ spec:
+ type: object
+ required:
+ - ipRanges
+ - nodeSelector
+ properties:
+ ipRanges:
+ type: array
+ items:
+ type: object
+ oneOf:
+ - required:
+ - cidr
+ - required:
+ - start
+ - end
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ start:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ end:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ type: object
+ properties:
+ usage:
+ type: object
+ properties:
+ total:
+ type: integer
+ used:
+ type: integer
+ additionalPrinterColumns:
+ - description: The number of total IPs
+ jsonPath: .status.usage.total
+ name: Total
+ type: integer
+ - description: The number of allocated IPs
+ jsonPath: .status.usage.used
+ name: Used
+ type: integer
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: externalippools
+ singular: externalippool
+ kind: ExternalIPPool
+ shortNames:
+ - eip
+---
+# Source: antrea/templates/crds/ippool.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: ippools.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ required:
+ - spec
+ properties:
+ spec:
+ required:
+ - ipVersion
+ - ipRanges
+ type: object
+ properties:
+ ipVersion:
+ type: integer
+ ipRanges:
+ items:
+ oneOf:
+ - required:
+ - cidr
+ - gateway
+ - prefixLength
+ - required:
+ - start
+ - end
+ - gateway
+ - prefixLength
+ properties:
+ cidr:
+ format: cidr
+ type: string
+ start:
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ type: string
+ end:
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ type: string
+ gateway:
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ type: string
+ prefixLength:
+ type: integer
+ vlan:
+ type: integer
+ minimum: 0
+ maximum: 4094
+ type: object
+ type: array
+ status:
+ properties:
+ ipAddresses:
+ items:
+ properties:
+ ipAddress:
+ type: string
+ owner:
+ properties:
+ pod:
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ containerID:
+ type: string
+ ifName:
+ type: string
+ type: object
+ statefulSet:
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ index:
+ type: integer
+ type: object
+ type: object
+ phase:
+ type: string
+ type: object
+ type: array
+ type: object
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: ippools
+ singular: ippool
+ kind: IPPool
+ shortNames:
+ - ipp
+---
+# Source: antrea/templates/crds/networkpolicy.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: networkpolicies.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - name: Tier
+ type: string
+ description: The Tier to which this Antrea NetworkPolicy belongs to.
+ jsonPath: .spec.tier
+ - name: Priority
+ type: number
+ format: float
+ description: The Priority of this Antrea NetworkPolicy relative to other policies.
+ jsonPath: .spec.priority
+ - name: Desired Nodes
+ type: number
+ format: int32
+ description: The total number of Nodes that should realize the NetworkPolicy.
+ jsonPath: .status.desiredNodesRealized
+ - name: Current Nodes
+ type: number
+ format: int32
+ description: The number of Nodes that have realized the NetworkPolicy.
+ jsonPath: .status.currentNodesRealized
+ - name: Age
+ type: date
+ jsonPath: .metadata.creationTimestamp
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ # Ensure that Spec.Priority field is set
+ required:
+ - priority
+ type: object
+ properties:
+ tier:
+ type: string
+ priority:
+ type: number
+ format: float
+ # Ensure that Spec.Priority field is between 1 and 10000
+ minimum: 1.0
+ maximum: 10000.0
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ingress:
+ type: array
+ items:
+ type: object
+ required:
+ - action
+ properties:
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ # Ensure that Action field allows only ALLOW, DROP and REJECT values
+ action:
+ type: string
+ enum: ['Allow', 'Drop', 'Reject', 'Pass']
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ endPort:
+ type: integer
+ from:
+ type: array
+ items:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ externalEntitySelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ name:
+ type: string
+ enableLogging:
+ type: boolean
+ egress:
+ type: array
+ items:
+ type: object
+ required:
+ - action
+ properties:
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ # Ensure that Action field allows only ALLOW, DROP and REJECT values
+ action:
+ type: string
+ enum: ['Allow', 'Drop', 'Reject', 'Pass']
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ endPort:
+ type: integer
+ to:
+ type: array
+ items:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ externalEntitySelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ fqdn:
+ type: string
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ toServices:
+ type: array
+ items:
+ type: object
+ required:
+ - name
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ name:
+ type: string
+ enableLogging:
+ type: boolean
+ status:
+ type: object
+ properties:
+ phase:
+ type: string
+ observedGeneration:
+ type: integer
+ currentNodesRealized:
+ type: integer
+ desiredNodesRealized:
+ type: integer
+ subresources:
+ status: {}
+ scope: Namespaced
+ names:
+ plural: networkpolicies
+ singular: networkpolicy
+ kind: NetworkPolicy
+ shortNames:
+ - anp
+---
+# Source: antrea/templates/crds/tier.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: tiers.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - name: Priority
+ type: integer
+ description: The Priority of this Tier relative to other Tiers.
+ jsonPath: .spec.priority
+ - name: Age
+ type: date
+ jsonPath: .metadata.creationTimestamp
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ required:
+ - priority
+ type: object
+ properties:
+ priority:
+ type: integer
+ minimum: 0
+ maximum: 255
+ description:
+ type: string
+ scope: Cluster
+ names:
+ plural: tiers
+ singular: tier
+ kind: Tier
+ shortNames:
+ - tr
+---
+# Source: antrea/templates/crds/traceflow.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: traceflows.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - jsonPath: .status.phase
+ description: The phase of the Traceflow.
+ name: Phase
+ type: string
+ - jsonPath: .spec.source.pod
+ description: The name of the source Pod.
+ name: Source-Pod
+ type: string
+ priority: 10
+ - jsonPath: .spec.destination.pod
+ description: The name of the destination Pod.
+ name: Destination-Pod
+ type: string
+ priority: 10
+ - jsonPath: .spec.destination.ip
+ description: The IP address of the destination.
+ name: Destination-IP
+ type: string
+ priority: 10
+ - jsonPath: .spec.liveTraffic
+ description: Trace live traffic.
+ name: Live-Traffic
+ type: boolean
+ priority: 10
+ - jsonPath: .spec.droppedOnly
+ description: Capture only the dropped packet.
+ name: Dropped-Only
+ type: boolean
+ priority: 10
+ - jsonPath: .spec.timeout
+ description: Timeout in seconds.
+ name: Timeout
+ type: integer
+ priority: 10
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ schema:
+ openAPIV3Schema:
+ type: object
+ required:
+ - spec
+ properties:
+ spec:
+ type: object
+ properties:
+ source:
+ type: object
+ properties:
+ pod:
+ type: string
+ namespace:
+ type: string
+ ip:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ destination:
+ type: object
+ properties:
+ pod:
+ type: string
+ service:
+ type: string
+ namespace:
+ type: string
+ ip:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ packet:
+ type: object
+ properties:
+ ipHeader:
+ type: object
+ properties:
+ srcIP:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ protocol:
+ type: integer
+ ttl:
+ type: integer
+ flags:
+ type: integer
+ ipv6Header:
+ type: object
+ properties:
+ srcIP:
+ type: string
+ format: ipv6
+ nextHeader:
+ type: integer
+ hopLimit:
+ type: integer
+ transportHeader:
+ type: object
+ properties:
+ icmp:
+ type: object
+ properties:
+ id:
+ type: integer
+ sequence:
+ type: integer
+ udp:
+ type: object
+ properties:
+ srcPort:
+ type: integer
+ dstPort:
+ type: integer
+ tcp:
+ type: object
+ properties:
+ srcPort:
+ type: integer
+ dstPort:
+ type: integer
+ flags:
+ type: integer
+ liveTraffic:
+ type: boolean
+ droppedOnly:
+ type: boolean
+ timeout:
+ type: integer
+ status:
+ type: object
+ properties:
+ reason:
+ type: string
+ dataplaneTag:
+ type: integer
+ phase:
+ type: string
+ startTime:
+ type: string
+ results:
+ type: array
+ items:
+ type: object
+ properties:
+ node:
+ type: string
+ role:
+ type: string
+ timestamp:
+ type: integer
+ observations:
+ type: array
+ items:
+ type: object
+ properties:
+ component:
+ type: string
+ componentInfo:
+ type: string
+ action:
+ type: string
+ pod:
+ type: string
+ dstMAC:
+ type: string
+ networkPolicy:
+ type: string
+ ttl:
+ type: integer
+ translatedSrcIP:
+ type: string
+ translatedDstIP:
+ type: string
+ tunnelDstIP:
+ type: string
+ capturedPacket:
+ properties:
+ srcIP:
+ type: string
+ dstIP:
+ type: string
+ length:
+ type: integer
+ ipHeader:
+ properties:
+ flags:
+ type: integer
+ protocol:
+ type: integer
+ ttl:
+ type: integer
+ type: object
+ ipv6Header:
+ properties:
+ hopLimit:
+ type: integer
+ nextHeader:
+ type: integer
+ type: object
+ transportHeader:
+ properties:
+ tcp:
+ properties:
+ dstPort:
+ type: integer
+ srcPort:
+ type: integer
+ flags:
+ type: integer
+ type: object
+ udp:
+ properties:
+ dstPort:
+ type: integer
+ srcPort:
+ type: integer
+ type: object
+ icmp:
+ properties:
+ id:
+ type: integer
+ sequence:
+ type: integer
+ type: object
+ type: object
+ type: object
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: traceflows
+ singular: traceflow
+ kind: Traceflow
+ shortNames:
+ - tf
+---
+# Source: antrea/templates/agent/clusterrole.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-agent
+ labels:
+ app: antrea
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/status
+ verbs:
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - pods/status
+ verbs:
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - endpoints
+ - services
+ - namespaces
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - services/status
+ verbs:
+ - update
+ - apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - antreaagentinfos
+ verbs:
+ - get
+ - create
+ - update
+ - delete
+ - apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - networkpolicies
+ - appliedtogroups
+ - addressgroups
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - egressgroups
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - nodestatssummaries
+ verbs:
+ - create
+ - apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - networkpolicies/status
+ verbs:
+ - create
+ - get
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+ # This is the content of built-in role kube-system/extension-apiserver-authentication-reader.
+ # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-agent) will
+ # have permission issue after bumping up apiserver library to a version that supports dynamic authentication.
+ # See https://github.com/kubernetes/kubernetes/pull/85375
+ # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on
+ # the extension-apiserver-authentication role.
+ - apiGroups:
+ - ""
+ resourceNames:
+ - extension-apiserver-authentication
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ resourceNames:
+ - antrea-ca
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - traceflows
+ - traceflows/status
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - egresses
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - egresses/status
+ verbs:
+ - update
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - externalippools
+ - ippools
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - ippools/status
+ verbs:
+ - update
+ - apiGroups:
+ - k8s.cni.cncf.io
+ resources:
+ - network-attachment-definitions
+ verbs:
+ - get
+ - list
+ - watch
+---
+# Source: antrea/templates/antctl/clusterrole.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antctl
+ labels:
+ app: antrea
+rules:
+ - apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - networkpolicies
+ - appliedtogroups
+ - addressgroups
+ verbs:
+ - get
+ - list
+ - apiGroups:
+ - stats.antrea.io
+ resources:
+ - networkpolicystats
+ - antreaclusternetworkpolicystats
+ - antreanetworkpolicystats
+ verbs:
+ - get
+ - list
+ - apiGroups:
+ - system.antrea.io
+ resources:
+ - controllerinfos
+ - agentinfos
+ verbs:
+ - get
+ - apiGroups:
+ - system.antrea.io
+ resources:
+ - supportbundles
+ verbs:
+ - get
+ - post
+ - apiGroups:
+ - system.antrea.io
+ resources:
+ - supportbundles/download
+ verbs:
+ - get
+ - nonResourceURLs:
+ - /agentinfo
+ - /addressgroups
+ - /appliedtogroups
+ - /loglevel
+ - /networkpolicies
+ - /ovsflows
+ - /ovstracing
+ - /podinterfaces
+ - /featuregates
+ verbs:
+ - get
+---
+# Source: antrea/templates/cluster-identity-reader/clusterrolebinding.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-cluster-identity-reader
+ labels:
+ app: antrea
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ resourceNames:
+ - antrea-cluster-identity
+ verbs:
+ - get
+---
+# Source: antrea/templates/controller/clusterrole.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-controller
+ labels:
+ app: antrea
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - services
+ - namespaces
+ - configmaps
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - watch
+ - list
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - services/status
+ verbs:
+ - update
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - networkpolicies
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+ - apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - update
+ # This is the content of built-in role kube-system/extension-apiserver-authentication-reader.
+ # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-controller) will
+ # have permission issue after bumping up apiserver library to a version that supports dynamic authentication.
+ # See https://github.com/kubernetes/kubernetes/pull/85375
+ # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on
+ # the extension-apiserver-authentication role.
+ - apiGroups:
+ - ""
+ resourceNames:
+ - extension-apiserver-authentication
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ resourceNames:
+ - antrea-ca
+ - antrea-cluster-identity
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - apiGroups:
+ - apiregistration.k8s.io
+ resources:
+ - apiservices
+ resourceNames:
+ - v1alpha1.stats.antrea.io
+ - v1beta1.system.antrea.io
+ - v1beta2.controlplane.antrea.io
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - apiregistration.k8s.io
+ resources:
+ - apiservices
+ resourceNames:
+ - v1beta1.networking.antrea.tanzu.vmware.com
+ - v1beta1.controlplane.antrea.tanzu.vmware.com
+ - v1alpha1.stats.antrea.tanzu.vmware.com
+ - v1beta1.system.antrea.tanzu.vmware.com
+ - v1beta2.controlplane.antrea.tanzu.vmware.com
+ verbs:
+ - delete
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ resourceNames:
+ # always give permissions for labelsmutator.antrea.io, even when the
+ # feature is disabled, to avoid errors in antrea-controller when updating
+ # the CA cert.
+ - labelsmutator.antrea.io
+ - crdmutator.antrea.io
+ - crdvalidator.antrea.io
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - antreacontrollerinfos
+ verbs:
+ - get
+ - create
+ - update
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - antreaagentinfos
+ verbs:
+ - list
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - clusternetworkpolicies
+ - networkpolicies
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - clusternetworkpolicies/status
+ - networkpolicies/status
+ verbs:
+ - update
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - tiers
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - traceflows
+ - traceflows/status
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - externalentities
+ - clustergroups
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - clustergroups/status
+ verbs:
+ - update
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - egresses
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - externalippools
+ - ippools
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - externalippools/status
+ - ippools/status
+ verbs:
+ - update
+ - apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - watch
+---
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
metadata:
+ name: aggregate-antrea-policies-edit
labels:
app: antrea
- name: antrea-config-mkbgmf6ct6
- namespace: kube-system
+ # Add these permissions to the "admin" and "edit" default roles.
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["clusternetworkpolicies", "networkpolicies"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
-apiVersion: v1
-kind: Service
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: aggregate-antrea-policies-view
+ labels:
+ app: antrea
+ # Add these permissions to the "view" default role.
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["clusternetworkpolicies", "networkpolicies"]
+ verbs: ["get", "list", "watch"]
+---
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: aggregate-traceflows-edit
+ labels:
+ app: antrea
+ # Add these permissions to the "admin" and "edit" default roles.
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["traceflows"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
+ name: aggregate-traceflows-view
+ labels:
+ app: antrea
+ # Add these permissions to the "view" default role.
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["traceflows"]
+ verbs: ["get", "list", "watch"]
+---
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: aggregate-antrea-clustergroups-edit
+ labels:
+ app: antrea
+ # Add these permissions to the "admin" and "edit" default roles.
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["clustergroups"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: aggregate-antrea-clustergroups-view
+ labels:
+ app: antrea
+ # Add these permissions to the "view" default role.
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["clustergroups"]
+ verbs: ["get", "list", "watch"]
+---
+# Source: antrea/templates/agent/clusterrolebinding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-agent
+ labels:
+ app: antrea
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: antrea-agent
+subjects:
+ - kind: ServiceAccount
+ name: antrea-agent
+ namespace: kube-system
+---
+# Source: antrea/templates/antctl/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: antrea
+ name: antctl
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: antctl
+subjects:
+ - kind: ServiceAccount
+ name: antctl
+ namespace: kube-system
+---
+# Source: antrea/templates/controller/clusterrolebinding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-controller
labels:
app: antrea
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: antrea-controller
+subjects:
+ - kind: ServiceAccount
+ name: antrea-controller
+ namespace: kube-system
+---
+# Source: antrea/templates/controller/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
name: antrea
namespace: kube-system
+ labels:
+ app: antrea
spec:
ports:
- - port: 443
- protocol: TCP
- targetPort: api
+ - port: 443
+ protocol: TCP
+ targetPort: api
selector:
app: antrea
component: antrea-controller
---
+# Source: antrea/templates/agent/daemonset.yaml
apiVersion: apps/v1
-kind: Deployment
+kind: DaemonSet
metadata:
+ name: antrea-agent
+ namespace: kube-system
labels:
app: antrea
- component: antrea-controller
+ component: antrea-agent
+spec:
+ selector:
+ matchLabels:
+ app: antrea
+ component: antrea-agent
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ annotations:
+ # Starting with v1.21, Kubernetes supports default container annotation.
+ # Using "kubectl logs/exec/attach/cp" doesn't have to specify "-c antrea-agent" when troubleshooting.
+ kubectl.kubernetes.io/default-container: antrea-agent
+ # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
+ # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
+ checksum/config: cb46b22ec258614e4df2cc06aaaba03d2a3ecd008de23288dbdce9cd3cc68647
+ labels:
+ app: antrea
+ component: antrea-agent
+ spec:
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ priorityClassName: system-node-critical
+ nodeSelector:
+ kubernetes.io/os: linux
+ tolerations:
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - effect: NoSchedule
+ operator: Exists
+ - effect: NoExecute
+ operator: Exists
+ serviceAccountName: antrea-agent
+ initContainers:
+ - name: install-cni
+ image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest"
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: 100m
+ command: ["install_cni_chaining"]
+ securityContext:
+ capabilities:
+ add:
+ # SYS_MODULE is required to load the OVS kernel module.
+ - SYS_MODULE
+ env:
+ # SKIP_CNI_BINARIES takes in values as a comma separated list of
+ # binaries that need to be skipped for installation, e.g. "portmap, bandwidth".
+ - name: SKIP_CNI_BINARIES
+ value: ""
+ volumeMounts:
+ - name: antrea-config
+ mountPath: /etc/antrea/antrea-cni.conflist
+ subPath: antrea-cni.conflist
+ readOnly: true
+ - name: host-cni-conf
+ mountPath: /host/etc/cni/net.d
+ - name: host-cni-bin
+ mountPath: /host/opt/cni/bin
+ # For loading the OVS kernel module.
+ - name: host-lib-modules
+ mountPath: /lib/modules
+ readOnly: true
+ # For changing the default permissions of the run directory.
+ - name: host-var-run-antrea
+ mountPath: /var/run/antrea
+ containers:
+ - name: antrea-agent
+ image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest"
+ imagePullPolicy: IfNotPresent
+ command: ["antrea-agent"]
+ # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).-
+ args:
+ - "--config=/etc/antrea/antrea-agent.conf"
+ - "--logtostderr=false"
+ - "--log_dir=/var/log/antrea"
+ - "--alsologtostderr"
+ - "--log_file_max_size=100"
+ - "--log_file_max_num=4"
+ env:
+ # Provide pod and node information for clusterinformation CRD.
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: "ANTREA_CLOUD_EKS"
+ value: "true"
+ resources:
+ requests:
+ cpu: 200m
+ ports:
+ - containerPort: 10350
+ name: api
+ protocol: TCP
+ livenessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - container_liveness_probe agent
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
+ periodSeconds: 10
+ failureThreshold: 5
+ readinessProbe:
+ httpGet:
+ host: localhost
+ path: /readyz
+ port: api
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
+ periodSeconds: 10
+ # In large-scale clusters, it may take up to 40~50 seconds for the antrea-agent to reconnect to the antrea
+ # Service after the antrea-controller restarts. The antrea-agent shouldn't be reported as NotReady in this
+ # scenario, otherwise the DaemonSet controller would restart all agents at once, as opposed to performing a
+ # rolling update. Set failureThreshold to 8 so it can tolerate 70s of disconnection.
+ failureThreshold: 8
+ securityContext:
+ # antrea-agent needs to perform sysctl configuration.
+ privileged: true
+ volumeMounts:
+ - name: antrea-config
+ mountPath: /etc/antrea/antrea-agent.conf
+ subPath: antrea-agent.conf
+ readOnly: true
+ - name: host-var-run-antrea
+ mountPath: /var/run/antrea
+ - name: host-var-run-antrea
+ mountPath: /var/run/openvswitch
+ subPath: openvswitch
+ # host-local IPAM stores allocated IP addresses as files in /var/lib/cni/networks/$NETWORK_NAME.
+ # Mount a sub-directory of host-var-run-antrea to it for persistence of IP allocation.
+ - name: host-var-run-antrea
+ mountPath: /var/lib/cni
+ subPath: cni
+ # We need to mount both the /proc directory and the /var/run/netns directory so that
+ # antrea-agent can open the network namespace path when setting up Pod
+ # networking. Different container runtimes may use /proc or /var/run/netns when invoking
+ # the CNI commands. Docker uses /proc and containerd uses /var/run/netns.
+ - name: host-var-log-antrea
+ mountPath: /var/log/antrea
+ - name: host-proc
+ mountPath: /host/proc
+ readOnly: true
+ - name: host-var-run-netns
+ mountPath: /host/var/run/netns
+ readOnly: true
+ # When a container is created, a mount point for the network namespace is added under
+ # /var/run/netns on the host, which needs to be propagated to the antrea-agent container.
+ mountPropagation: HostToContainer
+ - name: xtables-lock
+ mountPath: /run/xtables.lock
+ - name: antrea-ovs
+ image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest"
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: 200m
+ command: ["start_ovs"]
+ args:
+ - "--log_file_max_size=100"
+ - "--log_file_max_num=4"
+ securityContext:
+ # capabilities required by OVS daemons
+ capabilities:
+ add:
+ - SYS_NICE
+ - NET_ADMIN
+ - SYS_ADMIN
+ - IPC_LOCK
+ livenessProbe:
+ exec:
+ # docker CRI doesn't honor timeoutSeconds, add "timeout" to the command as a workaround.
+ # https://github.com/kubernetes/kubernetes/issues/51901
+ command:
+ - /bin/sh
+ - -c
+ - timeout 10 container_liveness_probe ovs
+ initialDelaySeconds: 5
+ timeoutSeconds: 10
+ periodSeconds: 10
+ failureThreshold: 5
+ volumeMounts:
+ - name: host-var-run-antrea
+ mountPath: /var/run/openvswitch
+ subPath: openvswitch
+ - name: host-var-log-antrea
+ mountPath: /var/log/openvswitch
+ subPath: openvswitch
+ volumes:
+ - name: antrea-config
+ configMap:
+ name: antrea-config
+ - name: host-cni-conf
+ hostPath:
+ path: /etc/cni/net.d
+ - name: host-cni-bin
+ hostPath:
+ path: /opt/cni/bin
+ - name: host-proc
+ hostPath:
+ path: /proc
+ - name: host-var-run-netns
+ hostPath:
+ path: /var/run/netns
+ - name: host-var-run-antrea
+ hostPath:
+ path: /var/run/antrea
+ # we use subPath to create run subdirectories for different component (e.g. OVS) and
+ # subPath requires the base volume to exist
+ type: DirectoryOrCreate
+ - name: host-var-log-antrea
+ hostPath:
+ path: /var/log/antrea
+ # we use subPath to create logging subdirectories for different component (e.g. OVS)
+ type: DirectoryOrCreate
+ - name: host-lib-modules
+ hostPath:
+ path: /lib/modules
+ - name: xtables-lock
+ hostPath:
+ path: /run/xtables.lock
+ type: FileOrCreate
+---
+# Source: antrea/templates/controller/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
name: antrea-controller
namespace: kube-system
+ labels:
+ app: antrea
+ component: antrea-controller
spec:
- replicas: 1
+ strategy:
+ # Ensure the existing Pod is stopped before the new one is created.
+ type: Recreate
selector:
matchLabels:
app: antrea
component: antrea-controller
- strategy:
- type: Recreate
+ replicas: 1
template:
metadata:
+ annotations:
+ # Automatically restart Pod if the ConfigMap changes
+ # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
+ checksum/config: cb46b22ec258614e4df2cc06aaaba03d2a3ecd008de23288dbdce9cd3cc68647
labels:
app: antrea
component: antrea-controller
spec:
- containers:
- - args:
- - --config
- - /etc/antrea/antrea-controller.conf
- - --logtostderr=false
- - --log_dir=/var/log/antrea
- - --alsologtostderr
- - --log_file_max_size=100
- - --log_file_max_num=4
- - --v=0
- command:
- - antrea-controller
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- - name: SERVICEACCOUNT_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.serviceAccountName
- - name: ANTREA_CONFIG_MAP_NAME
- value: antrea-config-mkbgmf6ct6
- image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
- imagePullPolicy: IfNotPresent
- livenessProbe:
- failureThreshold: 5
- httpGet:
- host: localhost
- path: /livez
- port: api
- scheme: HTTPS
- periodSeconds: 10
- timeoutSeconds: 5
- name: antrea-controller
- ports:
- - containerPort: 10349
- name: api
- protocol: TCP
- readinessProbe:
- failureThreshold: 5
- httpGet:
- host: localhost
- path: /readyz
- port: api
- scheme: HTTPS
- initialDelaySeconds: 5
- periodSeconds: 10
- timeoutSeconds: 5
- resources:
- requests:
- cpu: 200m
- volumeMounts:
- - mountPath: /etc/antrea/antrea-controller.conf
- name: antrea-config
- readOnly: true
- subPath: antrea-controller.conf
- - mountPath: /var/run/antrea/antrea-controller-tls
- name: antrea-controller-tls
- - mountPath: /var/log/antrea
- name: host-var-log-antrea
- hostNetwork: true
nodeSelector:
kubernetes.io/os: linux
+ hostNetwork: true
priorityClassName: system-cluster-critical
- serviceAccountName: antrea-controller
tolerations:
- - key: CriticalAddonsOnly
- operator: Exists
- - effect: NoSchedule
- key: node-role.kubernetes.io/master
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/master
+ serviceAccountName: antrea-controller
+ containers:
+ - name: antrea-controller
+ image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest"
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: 200m
+ command: ["antrea-controller"]
+ # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).
+ args:
+ - "--config=/etc/antrea/antrea-controller.conf"
+ - "--logtostderr=false"
+ - "--log_dir=/var/log/antrea"
+ - "--alsologtostderr"
+ - "--log_file_max_size=100"
+ - "--log_file_max_num=4"
+ env:
+ # Provide pod and node information for clusterinformation CRD.
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ # Provide ServiceAccount name for validation webhook.
+ - name: SERVICEACCOUNT_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: ANTREA_CONFIG_MAP_NAME
+ value: antrea-config
+ ports:
+ - containerPort: 10349
+ name: api
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ host: localhost
+ path: /readyz
+ port: api
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
+ periodSeconds: 10
+ failureThreshold: 5
+ livenessProbe:
+ httpGet:
+ host: localhost
+ path: /livez
+ port: api
+ scheme: HTTPS
+ timeoutSeconds: 5
+ periodSeconds: 10
+ failureThreshold: 5
+ volumeMounts:
+ - name: antrea-config
+ mountPath: /etc/antrea/antrea-controller.conf
+ subPath: antrea-controller.conf
+ readOnly: true
+ - name: antrea-controller-tls
+ mountPath: /var/run/antrea/antrea-controller-tls
+ - name: host-var-log-antrea
+ mountPath: /var/log/antrea
volumes:
- - configMap:
- name: antrea-config-mkbgmf6ct6
- name: antrea-config
- - name: antrea-controller-tls
- secret:
- defaultMode: 256
- optional: true
- secretName: antrea-controller-tls
- - hostPath:
- path: /var/log/antrea
- type: DirectoryOrCreate
- name: host-var-log-antrea
+ - name: antrea-config
+ configMap:
+ name: antrea-config
+ # Make it optional as we only read it when selfSignedCert=false.
+ - name: antrea-controller-tls
+ secret:
+ secretName: antrea-controller-tls
+ defaultMode: 0400
+ optional: true
+ - name: host-var-log-antrea
+ hostPath:
+ path: /var/log/antrea
+ type: DirectoryOrCreate
---
+# Source: antrea/templates/controller/apiservices.yaml
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
+ name: v1beta2.controlplane.antrea.io
labels:
app: antrea
- name: v1alpha1.stats.antrea.io
spec:
- group: stats.antrea.io
+ group: controlplane.antrea.io
groupPriorityMinimum: 100
+ version: v1beta2
+ versionPriority: 100
service:
name: antrea
namespace: kube-system
- version: v1alpha1
- versionPriority: 100
---
+# Source: antrea/templates/controller/apiservices.yaml
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
+ name: v1beta1.system.antrea.io
labels:
app: antrea
- name: v1beta1.system.antrea.io
spec:
group: system.antrea.io
groupPriorityMinimum: 100
+ version: v1beta1
+ versionPriority: 100
service:
name: antrea
namespace: kube-system
- version: v1beta1
- versionPriority: 100
---
+# Source: antrea/templates/controller/apiservices.yaml
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
+ name: v1alpha1.stats.antrea.io
labels:
app: antrea
- name: v1beta2.controlplane.antrea.io
spec:
- group: controlplane.antrea.io
+ group: stats.antrea.io
groupPriorityMinimum: 100
+ version: v1alpha1
+ versionPriority: 100
service:
name: antrea
namespace: kube-system
- version: v1beta2
- versionPriority: 100
----
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- labels:
- app: antrea
- component: antrea-agent
- name: antrea-agent
- namespace: kube-system
-spec:
- selector:
- matchLabels:
- app: antrea
- component: antrea-agent
- template:
- metadata:
- annotations:
- kubectl.kubernetes.io/default-container: antrea-agent
- labels:
- app: antrea
- component: antrea-agent
- spec:
- containers:
- - args:
- - --config
- - /etc/antrea/antrea-agent.conf
- - --logtostderr=false
- - --log_dir=/var/log/antrea
- - --alsologtostderr
- - --log_file_max_size=100
- - --log_file_max_num=4
- - --v=0
- command:
- - antrea-agent
- env:
- - name: ANTREA_CLOUD_EKS
- value: "true"
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
- imagePullPolicy: IfNotPresent
- livenessProbe:
- exec:
- command:
- - /bin/sh
- - -c
- - container_liveness_probe agent
- failureThreshold: 5
- initialDelaySeconds: 5
- periodSeconds: 10
- timeoutSeconds: 5
- name: antrea-agent
- ports:
- - containerPort: 10350
- name: api
- protocol: TCP
- readinessProbe:
- failureThreshold: 8
- httpGet:
- host: localhost
- path: /readyz
- port: api
- scheme: HTTPS
- initialDelaySeconds: 5
- periodSeconds: 10
- timeoutSeconds: 5
- resources:
- requests:
- cpu: 200m
- securityContext:
- privileged: true
- volumeMounts:
- - mountPath: /etc/antrea/antrea-agent.conf
- name: antrea-config
- readOnly: true
- subPath: antrea-agent.conf
- - mountPath: /var/run/antrea
- name: host-var-run-antrea
- - mountPath: /var/run/openvswitch
- name: host-var-run-antrea
- subPath: openvswitch
- - mountPath: /var/lib/cni
- name: host-var-run-antrea
- subPath: cni
- - mountPath: /var/log/antrea
- name: host-var-log-antrea
- - mountPath: /host/proc
- name: host-proc
- readOnly: true
- - mountPath: /host/var/run/netns
- mountPropagation: HostToContainer
- name: host-var-run-netns
- readOnly: true
- - mountPath: /run/xtables.lock
- name: xtables-lock
- - args:
- - --log_file_max_size=100
- - --log_file_max_num=4
- command:
- - start_ovs
- image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
- imagePullPolicy: IfNotPresent
- livenessProbe:
- exec:
- command:
- - /bin/sh
- - -c
- - timeout 10 container_liveness_probe ovs
- failureThreshold: 5
- initialDelaySeconds: 5
- periodSeconds: 10
- timeoutSeconds: 10
- name: antrea-ovs
- resources:
- requests:
- cpu: 200m
- securityContext:
- capabilities:
- add:
- - SYS_NICE
- - NET_ADMIN
- - SYS_ADMIN
- - IPC_LOCK
- volumeMounts:
- - mountPath: /var/run/openvswitch
- name: host-var-run-antrea
- subPath: openvswitch
- - mountPath: /var/log/openvswitch
- name: host-var-log-antrea
- subPath: openvswitch
- dnsPolicy: ClusterFirstWithHostNet
- hostNetwork: true
- initContainers:
- - command:
- - install_cni_chaining
- env:
- - name: SKIP_CNI_BINARIES
- value: ""
- image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
- imagePullPolicy: IfNotPresent
- name: install-cni
- resources:
- requests:
- cpu: 100m
- securityContext:
- capabilities:
- add:
- - SYS_MODULE
- volumeMounts:
- - mountPath: /etc/antrea/antrea-cni.conflist
- name: antrea-config
- readOnly: true
- subPath: antrea-cni.conflist
- - mountPath: /host/etc/cni/net.d
- name: host-cni-conf
- - mountPath: /host/opt/cni/bin
- name: host-cni-bin
- - mountPath: /lib/modules
- name: host-lib-modules
- readOnly: true
- - mountPath: /var/run/antrea
- name: host-var-run-antrea
- nodeSelector:
- kubernetes.io/os: linux
- priorityClassName: system-node-critical
- serviceAccountName: antrea-agent
- tolerations:
- - key: CriticalAddonsOnly
- operator: Exists
- - effect: NoSchedule
- operator: Exists
- - effect: NoExecute
- operator: Exists
- volumes:
- - configMap:
- name: antrea-config-mkbgmf6ct6
- name: antrea-config
- - hostPath:
- path: /etc/cni/net.d
- name: host-cni-conf
- - hostPath:
- path: /opt/cni/bin
- name: host-cni-bin
- - hostPath:
- path: /proc
- name: host-proc
- - hostPath:
- path: /var/run/netns
- name: host-var-run-netns
- - hostPath:
- path: /var/run/antrea
- type: DirectoryOrCreate
- name: host-var-run-antrea
- - hostPath:
- path: /var/log/antrea
- type: DirectoryOrCreate
- name: host-var-log-antrea
- - hostPath:
- path: /lib/modules
- name: host-lib-modules
- - hostPath:
- path: /run/xtables.lock
- type: FileOrCreate
- name: xtables-lock
- updateStrategy:
- type: RollingUpdate
---
+# Source: antrea/templates/webhooks/mutating/crdmutator.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
+ name: "crdmutator.antrea.io"
labels:
app: antrea
- name: crdmutator.antrea.io
webhooks:
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /mutate/acnp
- name: acnpmutator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha1
- operations:
- - CREATE
- - UPDATE
- resources:
- - clusternetworkpolicies
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /mutate/anp
- name: anpmutator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha1
- operations:
- - CREATE
- - UPDATE
- resources:
- - networkpolicies
- scope: Namespaced
- sideEffects: None
- timeoutSeconds: 5
+ - name: "acnpmutator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/mutate/acnp"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["clusternetworkpolicies"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "anpmutator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/mutate/anp"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["networkpolicies"]
+ scope: "Namespaced"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
---
+# Source: antrea/templates/webhooks/validating/crdvalidator.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
+ name: "crdvalidator.antrea.io"
labels:
app: antrea
- name: crdvalidator.antrea.io
webhooks:
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/tier
- name: tiervalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha1
- operations:
- - CREATE
- - UPDATE
- - DELETE
- resources:
- - tiers
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/acnp
- name: acnpvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha1
- operations:
- - CREATE
- - UPDATE
- resources:
- - clusternetworkpolicies
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/anp
- name: anpvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha1
- operations:
- - CREATE
- - UPDATE
- resources:
- - networkpolicies
- scope: Namespaced
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/clustergroup
- name: clustergroupvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha3
- - v1alpha2
- operations:
- - CREATE
- - UPDATE
- resources:
- - clustergroups
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/externalippool
- name: externalippoolvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha2
- operations:
- - UPDATE
- resources:
- - externalippools
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/egress
- name: egressvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha2
- operations:
- - CREATE
- - UPDATE
- resources:
- - egresses
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/ippool
- name: ippoolvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha2
- operations:
- - CREATE
- - UPDATE
- - DELETE
- resources:
- - ippools
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
+ - name: "tiervalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/tier"
+ rules:
+ - operations: ["CREATE", "UPDATE", "DELETE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["tiers"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "acnpvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/acnp"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["clusternetworkpolicies"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "anpvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/anp"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["networkpolicies"]
+ scope: "Namespaced"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "clustergroupvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/clustergroup"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha3", "v1alpha2"]
+ resources: ["clustergroups"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "externalippoolvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/externalippool"
+ rules:
+ - operations: ["UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha2"]
+ resources: ["externalippools"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "egressvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/egress"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha2"]
+ resources: ["egresses"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "ippoolvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/ippool"
+ rules:
+ - operations: ["CREATE", "UPDATE", "DELETE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha2"]
+ resources: ["ippools"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml
index 74e3af5e291..07b09802c4c 100644
--- a/build/yamls/antrea-gke.yml
+++ b/build/yamls/antrea-gke.yml
@@ -1,2742 +1,39 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
+---
+# Source: antrea/templates/agent/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
metadata:
+ name: antrea-agent
+ namespace: kube-system
labels:
app: antrea
- name: antreaagentinfos.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: AntreaAgentInfo
- plural: antreaagentinfos
- shortNames:
- - aai
- singular: antreaagentinfo
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: Health status of this Agent
- jsonPath: .agentConditions[?(@.type=='AgentHealthy')].status
- name: Healthy
- type: string
- - description: Last time the Healthy Condition was updated
- jsonPath: .agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime
- name: Last Heartbeat
- type: date
- - description: Version of this Agent
- jsonPath: .version
- name: Version
- priority: 1
- type: string
- - description: Node on which this Agent is running
- jsonPath: .nodeRef.name
- name: Node
- priority: 1
- type: string
- - description: Number of local Pods managed by this Agent
- jsonPath: .localPodNum
- name: Num Pods
- priority: 2
- type: integer
- - description: Subnets used by this Agent for Pod IPAM
- jsonPath: .nodeSubnets
- name: Subnets
- priority: 2
- type: string
- name: v1beta1
- schema:
- openAPIV3Schema:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- served: true
- storage: true
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
+# Source: antrea/templates/antctl/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
metadata:
+ name: antctl
+ namespace: kube-system
labels:
app: antrea
- name: antreacontrollerinfos.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: AntreaControllerInfo
- plural: antreacontrollerinfos
- shortNames:
- - aci
- singular: antreacontrollerinfo
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: Health status of the Controller
- jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].status
- name: Healthy
- type: string
- - description: Last time the Healthy Condition was updated
- jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime
- name: Last Heartbeat
- type: date
- - description: Version of the Controller
- jsonPath: .version
- name: Version
- priority: 1
- type: string
- - description: Number of Agents connected to the Controller
- jsonPath: .connectedAgentNum
- name: Connected Agents
- priority: 1
- type: integer
- - description: Node on which the Controller is running
- jsonPath: .nodeRef.name
- name: Node
- priority: 1
- type: string
- - description: Number of Network Policies computed by Controller
- jsonPath: .networkPolicyControllerInfo.networkPolicyNum
- name: Num Network Policies
- priority: 2
- type: integer
- name: v1beta1
- schema:
- openAPIV3Schema:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- served: true
- storage: true
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
+# Source: antrea/templates/controller/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
metadata:
+ name: antrea-controller
+ namespace: kube-system
labels:
app: antrea
- name: clustergroups.crd.antrea.io
-spec:
- conversion:
- strategy: Webhook
- webhook:
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /convert/clustergroup
- conversionReviewVersions:
- - v1
- - v1beta1
- group: crd.antrea.io
- names:
- kind: ClusterGroup
- plural: clustergroups
- shortNames:
- - cg
- singular: clustergroup
- scope: Cluster
- versions:
- - name: v1alpha2
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- childGroups:
- items:
- type: string
- type: array
- externalEntitySelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- ipBlock:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- ipBlocks:
- items:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- type: array
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceReference:
- properties:
- name:
- type: string
- namespace:
- type: string
- type: object
- type: object
- status:
- properties:
- conditions:
- items:
- properties:
- lastTransitionTime:
- type: string
- status:
- type: string
- type:
- type: string
- type: object
- type: array
- type: object
- type: object
- served: true
- storage: false
- - name: v1alpha3
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- childGroups:
- items:
- type: string
- type: array
- externalEntitySelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- ipBlocks:
- items:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- type: array
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceReference:
- properties:
- name:
- type: string
- namespace:
- type: string
- type: object
- type: object
- status:
- properties:
- conditions:
- items:
- properties:
- lastTransitionTime:
- type: string
- status:
- type: string
- type:
- type: string
- type: object
- type: array
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
+# Source: antrea/templates/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
metadata:
+ name: antrea-config
+ namespace: kube-system
labels:
app: antrea
- name: clusternetworkpolicies.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: ClusterNetworkPolicy
- plural: clusternetworkpolicies
- shortNames:
- - acnp
- singular: clusternetworkpolicy
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: The Tier to which this ClusterNetworkPolicy belongs to.
- jsonPath: .spec.tier
- name: Tier
- type: string
- - description: The Priority of this ClusterNetworkPolicy relative to other policies.
- format: float
- jsonPath: .spec.priority
- name: Priority
- type: number
- - description: The total number of Nodes that should realize the NetworkPolicy.
- format: int32
- jsonPath: .status.desiredNodesRealized
- name: Desired Nodes
- type: number
- - description: The number of Nodes that have realized the NetworkPolicy.
- format: int32
- jsonPath: .status.currentNodesRealized
- name: Current Nodes
- type: number
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- appliedTo:
- items:
- properties:
- group:
- type: string
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceAccount:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- type: array
- egress:
- items:
- properties:
- action:
- enum:
- - Allow
- - Drop
- - Reject
- - Pass
- type: string
- appliedTo:
- items:
- properties:
- group:
- type: string
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceAccount:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- type: array
- enableLogging:
- type: boolean
- name:
- type: string
- ports:
- items:
- properties:
- endPort:
- type: integer
- port:
- x-kubernetes-int-or-string: true
- protocol:
- enum:
- - TCP
- - UDP
- - SCTP
- type: string
- type: object
- type: array
- to:
- items:
- properties:
- fqdn:
- type: string
- group:
- type: string
- ipBlock:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- namespaces:
- properties:
- match:
- type: string
- type: object
- nodeSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceAccount:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- type: array
- toServices:
- items:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: array
- required:
- - action
- type: object
- type: array
- ingress:
- items:
- properties:
- action:
- enum:
- - Allow
- - Drop
- - Reject
- - Pass
- type: string
- appliedTo:
- items:
- properties:
- group:
- type: string
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceAccount:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- type: array
- enableLogging:
- type: boolean
- from:
- items:
- properties:
- group:
- type: string
- ipBlock:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- namespaces:
- properties:
- match:
- enum:
- - Self
- type: string
- type: object
- nodeSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceAccount:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- type: array
- name:
- type: string
- ports:
- items:
- properties:
- endPort:
- type: integer
- port:
- x-kubernetes-int-or-string: true
- protocol:
- enum:
- - TCP
- - UDP
- - SCTP
- type: string
- type: object
- type: array
- required:
- - action
- type: object
- type: array
- priority:
- format: float
- maximum: 10000
- minimum: 1
- type: number
- tier:
- type: string
- required:
- - priority
- type: object
- status:
- properties:
- currentNodesRealized:
- type: integer
- desiredNodesRealized:
- type: integer
- observedGeneration:
- type: integer
- phase:
- type: string
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: egresses.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: Egress
- plural: egresses
- shortNames:
- - eg
- singular: egress
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: Specifies the SNAT IP address for the selected workloads.
- jsonPath: .spec.egressIP
- name: EgressIP
- type: string
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- - description: The Owner Node of egress IP
- jsonPath: .status.egressNode
- name: Node
- type: string
- name: v1alpha2
- schema:
- openAPIV3Schema:
- properties:
- spec:
- anyOf:
- - required:
- - egressIP
- - required:
- - externalIPPool
- properties:
- appliedTo:
- properties:
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- egressIP:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- externalIPPool:
- type: string
- required:
- - appliedTo
- type: object
- status:
- properties:
- egressNode:
- type: string
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: externalentities.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: ExternalEntity
- plural: externalentities
- shortNames:
- - ee
- singular: externalentity
- scope: Namespaced
- versions:
- - name: v1alpha2
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- endpoints:
- items:
- properties:
- ip:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- name:
- type: string
- type: object
- type: array
- externalNode:
- type: string
- ports:
- items:
- properties:
- name:
- type: string
- port:
- x-kubernetes-int-or-string: true
- protocol:
- enum:
- - TCP
- - UDP
- - SCTP
- type: string
- type: object
- type: array
- type: object
- type: object
- served: true
- storage: true
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- type: object
- served: false
- storage: false
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: externalippools.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: ExternalIPPool
- plural: externalippools
- shortNames:
- - eip
- singular: externalippool
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: The number of total IPs
- jsonPath: .status.usage.total
- name: Total
- type: integer
- - description: The number of allocated IPs
- jsonPath: .status.usage.used
- name: Used
- type: integer
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha2
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- ipRanges:
- items:
- oneOf:
- - required:
- - cidr
- - required:
- - start
- - end
- properties:
- cidr:
- format: cidr
- type: string
- end:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- start:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- type: object
- type: array
- nodeSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- required:
- - ipRanges
- - nodeSelector
- type: object
- status:
- properties:
- usage:
- properties:
- total:
- type: integer
- used:
- type: integer
- type: object
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: ippools.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: IPPool
- plural: ippools
- shortNames:
- - ipp
- singular: ippool
- scope: Cluster
- versions:
- - name: v1alpha2
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- ipRanges:
- items:
- oneOf:
- - required:
- - cidr
- - gateway
- - prefixLength
- - required:
- - start
- - end
- - gateway
- - prefixLength
- properties:
- cidr:
- format: cidr
- type: string
- end:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- gateway:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- prefixLength:
- type: integer
- start:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- vlan:
- maximum: 4094
- minimum: 0
- type: integer
- type: object
- type: array
- ipVersion:
- type: integer
- required:
- - ipVersion
- - ipRanges
- type: object
- status:
- properties:
- ipAddresses:
- items:
- properties:
- ipAddress:
- type: string
- owner:
- properties:
- pod:
- properties:
- containerID:
- type: string
- ifName:
- type: string
- name:
- type: string
- namespace:
- type: string
- type: object
- statefulSet:
- properties:
- index:
- type: integer
- name:
- type: string
- namespace:
- type: string
- type: object
- type: object
- phase:
- type: string
- type: object
- type: array
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: networkpolicies.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: NetworkPolicy
- plural: networkpolicies
- shortNames:
- - anp
- singular: networkpolicy
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: The Tier to which this Antrea NetworkPolicy belongs to.
- jsonPath: .spec.tier
- name: Tier
- type: string
- - description: The Priority of this Antrea NetworkPolicy relative to other policies.
- format: float
- jsonPath: .spec.priority
- name: Priority
- type: number
- - description: The total number of Nodes that should realize the NetworkPolicy.
- format: int32
- jsonPath: .status.desiredNodesRealized
- name: Desired Nodes
- type: number
- - description: The number of Nodes that have realized the NetworkPolicy.
- format: int32
- jsonPath: .status.currentNodesRealized
- name: Current Nodes
- type: number
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- appliedTo:
- items:
- properties:
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- egress:
- items:
- properties:
- action:
- enum:
- - Allow
- - Drop
- - Reject
- - Pass
- type: string
- appliedTo:
- items:
- properties:
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- enableLogging:
- type: boolean
- name:
- type: string
- ports:
- items:
- properties:
- endPort:
- type: integer
- port:
- x-kubernetes-int-or-string: true
- protocol:
- enum:
- - TCP
- - UDP
- - SCTP
- type: string
- type: object
- type: array
- to:
- items:
- properties:
- externalEntitySelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- fqdn:
- type: string
- ipBlock:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- nodeSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- toServices:
- items:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- type: object
- type: array
- required:
- - action
- type: object
- type: array
- ingress:
- items:
- properties:
- action:
- enum:
- - Allow
- - Drop
- - Reject
- - Pass
- type: string
- appliedTo:
- items:
- properties:
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- enableLogging:
- type: boolean
- from:
- items:
- properties:
- externalEntitySelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- ipBlock:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- nodeSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- name:
- type: string
- ports:
- items:
- properties:
- endPort:
- type: integer
- port:
- x-kubernetes-int-or-string: true
- protocol:
- enum:
- - TCP
- - UDP
- - SCTP
- type: string
- type: object
- type: array
- required:
- - action
- type: object
- type: array
- priority:
- format: float
- maximum: 10000
- minimum: 1
- type: number
- tier:
- type: string
- required:
- - priority
- type: object
- status:
- properties:
- currentNodesRealized:
- type: integer
- desiredNodesRealized:
- type: integer
- observedGeneration:
- type: integer
- phase:
- type: string
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: tiers.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: Tier
- plural: tiers
- shortNames:
- - tr
- singular: tier
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: The Priority of this Tier relative to other Tiers.
- jsonPath: .spec.priority
- name: Priority
- type: integer
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- description:
- type: string
- priority:
- maximum: 255
- minimum: 0
- type: integer
- required:
- - priority
- type: object
- type: object
- served: true
- storage: true
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: traceflows.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: Traceflow
- plural: traceflows
- shortNames:
- - tf
- singular: traceflow
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: The phase of the Traceflow.
- jsonPath: .status.phase
- name: Phase
- type: string
- - description: The name of the source Pod.
- jsonPath: .spec.source.pod
- name: Source-Pod
- priority: 10
- type: string
- - description: The name of the destination Pod.
- jsonPath: .spec.destination.pod
- name: Destination-Pod
- priority: 10
- type: string
- - description: The IP address of the destination.
- jsonPath: .spec.destination.ip
- name: Destination-IP
- priority: 10
- type: string
- - description: Trace live traffic.
- jsonPath: .spec.liveTraffic
- name: Live-Traffic
- priority: 10
- type: boolean
- - description: Capture only the dropped packet.
- jsonPath: .spec.droppedOnly
- name: Dropped-Only
- priority: 10
- type: boolean
- - description: Timeout in seconds.
- jsonPath: .spec.timeout
- name: Timeout
- priority: 10
- type: integer
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- destination:
- properties:
- ip:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- namespace:
- type: string
- pod:
- type: string
- service:
- type: string
- type: object
- droppedOnly:
- type: boolean
- liveTraffic:
- type: boolean
- packet:
- properties:
- ipHeader:
- properties:
- flags:
- type: integer
- protocol:
- type: integer
- srcIP:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- ttl:
- type: integer
- type: object
- ipv6Header:
- properties:
- hopLimit:
- type: integer
- nextHeader:
- type: integer
- srcIP:
- format: ipv6
- type: string
- type: object
- transportHeader:
- properties:
- icmp:
- properties:
- id:
- type: integer
- sequence:
- type: integer
- type: object
- tcp:
- properties:
- dstPort:
- type: integer
- flags:
- type: integer
- srcPort:
- type: integer
- type: object
- udp:
- properties:
- dstPort:
- type: integer
- srcPort:
- type: integer
- type: object
- type: object
- type: object
- source:
- properties:
- ip:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- namespace:
- type: string
- pod:
- type: string
- type: object
- timeout:
- type: integer
- type: object
- status:
- properties:
- capturedPacket:
- properties:
- dstIP:
- type: string
- ipHeader:
- properties:
- flags:
- type: integer
- protocol:
- type: integer
- ttl:
- type: integer
- type: object
- ipv6Header:
- properties:
- hopLimit:
- type: integer
- nextHeader:
- type: integer
- type: object
- length:
- type: integer
- srcIP:
- type: string
- transportHeader:
- properties:
- icmp:
- properties:
- id:
- type: integer
- sequence:
- type: integer
- type: object
- tcp:
- properties:
- dstPort:
- type: integer
- flags:
- type: integer
- srcPort:
- type: integer
- type: object
- udp:
- properties:
- dstPort:
- type: integer
- srcPort:
- type: integer
- type: object
- type: object
- type: object
- dataplaneTag:
- type: integer
- phase:
- type: string
- reason:
- type: string
- results:
- items:
- properties:
- node:
- type: string
- observations:
- items:
- properties:
- action:
- type: string
- component:
- type: string
- componentInfo:
- type: string
- dstMAC:
- type: string
- networkPolicy:
- type: string
- pod:
- type: string
- translatedDstIP:
- type: string
- translatedSrcIP:
- type: string
- ttl:
- type: integer
- tunnelDstIP:
- type: string
- type: object
- type: array
- role:
- type: string
- timestamp:
- type: integer
- type: object
- type: array
- startTime:
- type: string
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app: antrea
- name: antctl
- namespace: kube-system
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app: antrea
- name: antrea-agent
- namespace: kube-system
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app: antrea
- name: antrea-controller
- namespace: kube-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
- name: aggregate-antrea-clustergroups-edit
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - clustergroups
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-view: "true"
- name: aggregate-antrea-clustergroups-view
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - clustergroups
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
- name: aggregate-antrea-policies-edit
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - clusternetworkpolicies
- - networkpolicies
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-view: "true"
- name: aggregate-antrea-policies-view
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - clusternetworkpolicies
- - networkpolicies
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
- name: aggregate-traceflows-edit
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - traceflows
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-view: "true"
- name: aggregate-traceflows-view
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - traceflows
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- name: antctl
-rules:
-- apiGroups:
- - controlplane.antrea.io
- resources:
- - networkpolicies
- - appliedtogroups
- - addressgroups
- verbs:
- - get
- - list
-- apiGroups:
- - stats.antrea.io
- resources:
- - networkpolicystats
- - antreaclusternetworkpolicystats
- - antreanetworkpolicystats
- verbs:
- - get
- - list
-- apiGroups:
- - system.antrea.io
- resources:
- - controllerinfos
- - agentinfos
- verbs:
- - get
-- apiGroups:
- - system.antrea.io
- resources:
- - supportbundles
- verbs:
- - get
- - post
-- apiGroups:
- - system.antrea.io
- resources:
- - supportbundles/download
- verbs:
- - get
-- nonResourceURLs:
- - /agentinfo
- - /addressgroups
- - /appliedtogroups
- - /loglevel
- - /networkpolicies
- - /ovsflows
- - /ovstracing
- - /podinterfaces
- - /featuregates
- verbs:
- - get
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- name: antrea-agent
-rules:
-- apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - ""
- resources:
- - nodes/status
- verbs:
- - patch
-- apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - ""
- resources:
- - pods/status
- verbs:
- - patch
-- apiGroups:
- - ""
- resources:
- - endpoints
- - services
- - namespaces
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - ""
- resources:
- - services/status
- verbs:
- - update
-- apiGroups:
- - discovery.k8s.io
- resources:
- - endpointslices
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - crd.antrea.io
- resources:
- - antreaagentinfos
- verbs:
- - get
- - create
- - update
- - delete
-- apiGroups:
- - controlplane.antrea.io
- resources:
- - networkpolicies
- - appliedtogroups
- - addressgroups
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - controlplane.antrea.io
- resources:
- - egressgroups
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - controlplane.antrea.io
- resources:
- - nodestatssummaries
- verbs:
- - create
-- apiGroups:
- - controlplane.antrea.io
- resources:
- - networkpolicies/status
- verbs:
- - create
- - get
-- apiGroups:
- - authentication.k8s.io
- resources:
- - tokenreviews
- verbs:
- - create
-- apiGroups:
- - authorization.k8s.io
- resources:
- - subjectaccessreviews
- verbs:
- - create
-- apiGroups:
- - ""
- resourceNames:
- - extension-apiserver-authentication
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ""
- resourceNames:
- - antrea-ca
- resources:
- - configmaps
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - crd.antrea.io
- resources:
- - traceflows
- - traceflows/status
- verbs:
- - get
- - watch
- - list
- - update
- - patch
- - create
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - egresses
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - crd.antrea.io
- resources:
- - egresses/status
- verbs:
- - update
-- apiGroups:
- - crd.antrea.io
- resources:
- - externalippools
- - ippools
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - crd.antrea.io
- resources:
- - ippools/status
- verbs:
- - update
-- apiGroups:
- - k8s.cni.cncf.io
- resources:
- - network-attachment-definitions
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- name: antrea-cluster-identity-reader
-rules:
-- apiGroups:
- - ""
- resourceNames:
- - antrea-cluster-identity
- resources:
- - configmaps
- verbs:
- - get
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- name: antrea-controller
-rules:
-- apiGroups:
- - ""
- resources:
- - pods
- - services
- - namespaces
- - configmaps
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - get
- - watch
- - list
- - patch
-- apiGroups:
- - ""
- resources:
- - services/status
- verbs:
- - update
-- apiGroups:
- - networking.k8s.io
- resources:
- - networkpolicies
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - authentication.k8s.io
- resources:
- - tokenreviews
- verbs:
- - create
-- apiGroups:
- - authorization.k8s.io
- resources:
- - subjectaccessreviews
- verbs:
- - create
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - get
- - update
-- apiGroups:
- - ""
- resourceNames:
- - extension-apiserver-authentication
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ""
- resourceNames:
- - antrea-ca
- - antrea-cluster-identity
- resources:
- - configmaps
- verbs:
- - get
- - update
-- apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - create
-- apiGroups:
- - apiregistration.k8s.io
- resourceNames:
- - v1alpha1.stats.antrea.io
- - v1beta1.system.antrea.io
- - v1beta2.controlplane.antrea.io
- resources:
- - apiservices
- verbs:
- - get
- - update
-- apiGroups:
- - apiregistration.k8s.io
- resourceNames:
- - v1beta1.networking.antrea.tanzu.vmware.com
- - v1beta1.controlplane.antrea.tanzu.vmware.com
- - v1alpha1.stats.antrea.tanzu.vmware.com
- - v1beta1.system.antrea.tanzu.vmware.com
- - v1beta2.controlplane.antrea.tanzu.vmware.com
- resources:
- - apiservices
- verbs:
- - delete
-- apiGroups:
- - admissionregistration.k8s.io
- resourceNames:
- - labelsmutator.antrea.io
- - crdmutator.antrea.io
- - crdvalidator.antrea.io
- resources:
- - mutatingwebhookconfigurations
- - validatingwebhookconfigurations
- verbs:
- - get
- - update
-- apiGroups:
- - crd.antrea.io
- resources:
- - antreacontrollerinfos
- verbs:
- - get
- - create
- - update
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - antreaagentinfos
- verbs:
- - list
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - clusternetworkpolicies
- - networkpolicies
- verbs:
- - get
- - watch
- - list
- - update
- - patch
- - create
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - clusternetworkpolicies/status
- - networkpolicies/status
- verbs:
- - update
-- apiGroups:
- - crd.antrea.io
- resources:
- - tiers
- verbs:
- - get
- - watch
- - list
- - update
- - patch
- - create
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - traceflows
- - traceflows/status
- verbs:
- - get
- - watch
- - list
- - update
- - patch
- - create
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - externalentities
- - clustergroups
- verbs:
- - get
- - watch
- - list
- - update
- - patch
- - create
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - clustergroups/status
- verbs:
- - update
-- apiGroups:
- - crd.antrea.io
- resources:
- - egresses
- verbs:
- - get
- - watch
- - list
- - update
- - patch
-- apiGroups:
- - crd.antrea.io
- resources:
- - externalippools
- - ippools
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - crd.antrea.io
- resources:
- - externalippools/status
- - ippools/status
- verbs:
- - update
-- apiGroups:
- - apps
- resources:
- - statefulsets
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app: antrea
- name: antctl
- namespace: kube-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: antctl
-subjects:
-- kind: ServiceAccount
- name: antctl
- namespace: kube-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app: antrea
- name: antrea-agent
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: antrea-agent
-subjects:
-- kind: ServiceAccount
- name: antrea-agent
- namespace: kube-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app: antrea
- name: antrea-controller
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: antrea-controller
-subjects:
-- kind: ServiceAccount
- name: antrea-controller
- namespace: kube-system
----
-apiVersion: v1
data:
antrea-agent.conf: |
# FeatureGates is a map of feature names to bools that enable or disable experimental features.
@@ -2790,19 +87,18 @@ data:
# Name of the OpenVSwitch bridge antrea-agent will create and use.
# Make sure it doesn't conflict with your existing OpenVSwitch bridges.
- #ovsBridge: br-int
+ ovsBridge: "br-int"
# Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are:
# - system
# - netdev
# 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run
- # OVS in userspace mode (not fully supported yet). Userspace mode requires the tun device driver to
- # be available.
+ # OVS in userspace mode. Userspace mode requires the tun device driver to be available.
#ovsDatapathType: system
# Name of the interface antrea-agent will create and use for host <--> pod communication.
# Make sure it doesn't conflict with your existing interfaces.
- #hostGateway: antrea-gw0
+ hostGateway: "antrea-gw0"
# Determines how traffic is encapsulated. It has the following options:
# encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network
@@ -2814,14 +110,14 @@ data:
# networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod
# IPAM and connectivity to the primary CNI.
#
- trafficEncapMode: noEncap
+ trafficEncapMode: "noEncap"
# Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network.
# This option is for the noEncap traffic mode only, and the default value is false. In the noEncap
# mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to
# the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never
# performs SNAT and this option will be ignored; for other modes it must be set to false.
- #noSNAT: false
+ noSNAT: false
# Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode,
# this option will not take effect. Supported values:
@@ -2830,7 +126,7 @@ data:
# - gre
# - stt
# Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters).
- #tunnelType: geneve
+ tunnelType: "geneve"
# Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode.
# It has the following options:
@@ -2840,7 +136,7 @@ data:
# the PSK value must be passed to Antrea Agent through an environment
# variable: ANTREA_IPSEC_PSK.
# - wireGuard: Enable WireGuard for tunnel traffic encryption.
- #trafficEncryptionMode: none
+ trafficEncryptionMode: "none"
# Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected
# to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are
@@ -2849,35 +145,40 @@ data:
# This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only
# IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`,
# `trafficEncapMode` is `noEncap`, and `noSNAT` is true.
- #enableBridgingMode: false
+ enableBridgingMode: false
# Default MTU to use for the host gateway interface and the network interface of each Pod.
# If omitted, antrea-agent will discover the MTU of the Node's primary interface and
# also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
- #defaultMTU: 0
+ defaultMTU: 0
# wireGuard specifies WireGuard related configurations.
wireGuard:
- # The port for WireGuard to receive traffic.
- # port: 51820
+ # The port for WireGuard to receive traffic.
+ port: 51820
egress:
- # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses.
- # exceptCIDRs: []
+ # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses.
+ exceptCIDRs:
+
+ # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
+ # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
+ # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
+ serviceCIDR: ""
# ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
# cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
# --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
# No default value for this field.
- #serviceCIDRv6:
+ serviceCIDRv6: ""
# The port for the antrea-agent APIServer to serve on.
# Note that if it's set to another value, the `containerPort` of the `api` port of the
# `antrea-agent` container must be set to the same value.
- #apiPort: 10350
+ apiPort: 10350
# Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
- #enablePrometheusMetrics: true
+ enablePrometheusMetrics: true
# Provide the IPFIX collector address as a string with format :[][:].
# HOST can either be the DNS name or the IP of the Flow Collector. For example,
@@ -2888,50 +189,50 @@ data:
# If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
# "udp" protocols. "tls" is used for securing communication between flow exporter and
# flow aggregator.
- #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
+ flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
# Provide flow poll interval as a duration string. This determines how often the
# flow exporter dumps connections from the conntrack module. Flow poll interval
# should be greater than or equal to 1s (one second).
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
- #flowPollInterval: "5s"
+ flowPollInterval: "5s"
# Provide the active flow export timeout, which is the timeout after which a flow
# record is sent to the collector for active flows. Thus, for flows with a continuous
# stream of packets, a flow record will be exported to the collector once the elapsed
# time since the last export event is equal to the value of this timeout.
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
- #activeFlowExportTimeout: "30s"
+ activeFlowExportTimeout: "5s"
# Provide the idle flow export timeout, which is the timeout after which a flow
# record is sent to the collector for idle flows. A flow is considered idle if no
# packet matching this flow has been observed since the last export event.
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
- #idleFlowExportTimeout: "15s"
+ idleFlowExportTimeout: "15s"
nodePortLocal:
# Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To
# enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature
# gate is also enabled (which is the default).
- # enable: false
+ enable: false
# Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port
# from that range will be assigned whenever a Pod's container defines a specific port to be exposed
# (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic
# directed to that port will be forwarded to the Pod.
- # portRange: 61000-62000
+ portRange: "61000-62000"
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
- #kubeAPIServerOverride: ""
+ kubeAPIServerOverride: ""
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
# https://golang.org/pkg/crypto/tls/#pkg-constants
# Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
# prefer TLS1.3 Cipher Suites whenever possible.
- #tlsCipherSuites:
+ tlsCipherSuites: ""
# TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
- #tlsMinVersion:
+ tlsMinVersion: ""
# The name of the interface on Node which is used for tunneling or routing the traffic across Nodes.
# If there are multiple IP addresses configured on the interface, the first one is used. The IP
@@ -2940,11 +241,11 @@ data:
# 1. transportInterface
# 2. transportInterfaceCIDRs
# 3. The Node IP
- #transportInterface:
+ transportInterface: ""
# The names of the interfaces on Nodes that are used to forward multicast traffic.
# Defaults to transport interface if not set.
- #multicastInterfaces: []
+ multicastInterfaces:
# The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across
# Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The
@@ -2953,7 +254,7 @@ data:
# 1. transportInterface
# 2. transportInterfaceCIDRs
# 3. The Node IP
- #transportInterfaceCIDRs: [,]
+ transportInterfaceCIDRs:
# Option antreaProxy contains AntreaProxy related configuration options.
antreaProxy:
@@ -2962,22 +263,22 @@ data:
# feature to be enabled.
# Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access
# apiserver directly.
- #proxyAll: false
+ proxyAll: false
# A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks.
# (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses.
# Note that the option is only valid when proxyAll is true.
- #nodePortAddresses: []
+ nodePortAddresses:
# An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these
# Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name
# with Namespace (e.g. kube-system/kube-dns)
- #skipServices: []
+ skipServices:
# When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the
# External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional
# capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the
# external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy.
# Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and
# kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic.
- #proxyLoadBalancerIPs: true
+ proxyLoadBalancerIPs: true
antrea-cni.conflist: |
{
"cniVersion":"0.3.0",
@@ -2988,11 +289,13 @@ data:
"ipam": {
"type": "host-local"
}
- },
+ }
+ ,
{
"type": "portmap",
"capabilities": {"portMappings": true}
- },
+ }
+ ,
{
"type": "bandwidth",
"capabilities": {"bandwidth": true}
@@ -3030,659 +333,3317 @@ data:
# The port for the antrea-controller APIServer to serve on.
# Note that if it's set to another value, the `containerPort` of the `api` port of the
# `antrea-controller` container must be set to the same value.
- #apiPort: 10349
+ apiPort: 10349
# Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
- #enablePrometheusMetrics: true
+ enablePrometheusMetrics: true
# Indicates whether to use auto-generated self-signed TLS certificate.
- # If false, A Secret named "antrea-controller-tls" must be provided with the following keys:
+ # If false, a Secret named "antrea-controller-tls" must be provided with the following keys:
# ca.crt:
# tls.crt:
# tls.key:
- # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
- # antrea-controller container.
- #selfSignedCert: true
+ selfSignedCert: true
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
# https://golang.org/pkg/crypto/tls/#pkg-constants
# Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
# prefer TLS1.3 Cipher Suites whenever possible.
- #tlsCipherSuites:
+ tlsCipherSuites: ""
# TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
- #tlsMinVersion:
+ tlsMinVersion: ""
nodeIPAM:
- # Enable the integrated Node IPAM controller within the Antrea controller.
- # enableNodeIPAM: false
-
- # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges.
- # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family.
- # Value ignored when enableNodeIPAM is false.
- # clusterCIDRs: []
-
- # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs.
- # Value ignored when enableNodeIPAM is false.
- # serviceCIDR:
- # serviceCIDRv6:
-
- # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false
- # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30.
- # nodeCIDRMaskSizeIPv4: 24
-
- # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false
- # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
- # nodeCIDRMaskSizeIPv6: 64
-kind: ConfigMap
+ # Enable the integrated Node IPAM controller within the Antrea controller.
+ enableNodeIPAM: false
+ # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges.
+ # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family.
+ # Value ignored when enableNodeIPAM is false.
+ clusterCIDRs:
+ # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs.
+ # Value ignored when enableNodeIPAM is false.
+ serviceCIDR: ""
+ serviceCIDRv6: ""
+ # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false
+ # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30.
+ nodeCIDRMaskSizeIPv4: 24
+ # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false
+ # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
+ nodeCIDRMaskSizeIPv6: 64
+---
+# Source: antrea/templates/crds/antreaagentinfo.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: antreaagentinfos.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - description: Health status of this Agent
+ jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status"
+ name: Healthy
+ type: string
+ - description: Last time the Healthy Condition was updated
+ jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime"
+ name: Last Heartbeat
+ type: date
+ - description: Version of this Agent
+ jsonPath: ".version"
+ name: Version
+ type: string
+ priority: 1
+ - description: Node on which this Agent is running
+ jsonPath: ".nodeRef.name"
+ name: Node
+ type: string
+ priority: 1
+ - description: Number of local Pods managed by this Agent
+ jsonPath: ".localPodNum"
+ name: Num Pods
+ type: integer
+ priority: 2
+ - description: Subnets used by this Agent for Pod IPAM
+ jsonPath: ".nodeSubnets"
+ name: Subnets
+ type: string
+ priority: 2
+ scope: Cluster
+ names:
+ plural: antreaagentinfos
+ singular: antreaagentinfo
+ kind: AntreaAgentInfo
+ shortNames:
+ - aai
+---
+# Source: antrea/templates/crds/antreacontrollerinfo.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: antreacontrollerinfos.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - description: Health status of the Controller
+ jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status"
+ name: Healthy
+ type: string
+ - description: Last time the Healthy Condition was updated
+ jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime"
+ name: Last Heartbeat
+ type: date
+ - description: Version of the Controller
+ jsonPath: ".version"
+ name: Version
+ type: string
+ priority: 1
+ - description: Number of Agents connected to the Controller
+ jsonPath: ".connectedAgentNum"
+ name: Connected Agents
+ type: integer
+ priority: 1
+ - description: Node on which the Controller is running
+ jsonPath: ".nodeRef.name"
+ name: Node
+ type: string
+ priority: 1
+ - description: Number of Network Policies computed by Controller
+ jsonPath: ".networkPolicyControllerInfo.networkPolicyNum"
+ name: Num Network Policies
+ type: integer
+ priority: 2
+ scope: Cluster
+ names:
+ plural: antreacontrollerinfos
+ singular: antreacontrollerinfo
+ kind: AntreaControllerInfo
+ shortNames:
+ - aci
+---
+# Source: antrea/templates/crds/clustergroup.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clustergroups.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: false
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ childGroups:
+ type: array
+ items:
+ type: string
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ externalEntitySelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ ipBlocks:
+ type: array
+ items:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ serviceReference:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ status:
+ type: object
+ properties:
+ conditions:
+ type: array
+ items:
+ type: object
+ properties:
+ type:
+ type: string
+ status:
+ type: string
+ lastTransitionTime:
+ type: string
+ - name: v1alpha3
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ childGroups:
+ type: array
+ items:
+ type: string
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ externalEntitySelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ipBlocks:
+ type: array
+ items:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ serviceReference:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ status:
+ type: object
+ properties:
+ conditions:
+ type: array
+ items:
+ type: object
+ properties:
+ type:
+ type: string
+ status:
+ type: string
+ lastTransitionTime:
+ type: string
+ subresources:
+ status: {}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions: ["v1", "v1beta1"]
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: "kube-system"
+ path: "/convert/clustergroup"
+ scope: Cluster
+ names:
+ plural: clustergroups
+ singular: clustergroup
+ kind: ClusterGroup
+ shortNames:
+ - cg
+---
+# Source: antrea/templates/crds/clusternetworkpolicy.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusternetworkpolicies.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - name: Tier
+ type: string
+ description: The Tier to which this ClusterNetworkPolicy belongs to.
+ jsonPath: .spec.tier
+ - name: Priority
+ type: number
+ format: float
+ description: The Priority of this ClusterNetworkPolicy relative to other policies.
+ jsonPath: .spec.priority
+ - name: Desired Nodes
+ type: number
+ format: int32
+ description: The total number of Nodes that should realize the NetworkPolicy.
+ jsonPath: .status.desiredNodesRealized
+ - name: Current Nodes
+ type: number
+ format: int32
+ description: The number of Nodes that have realized the NetworkPolicy.
+ jsonPath: .status.currentNodesRealized
+ - name: Age
+ type: date
+ jsonPath: .metadata.creationTimestamp
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ # Ensure that Spec.Priority field is set
+ required:
+ - priority
+ type: object
+ properties:
+ tier:
+ type: string
+ priority:
+ type: number
+ format: float
+ # Ensure that Spec.Priority field is between 1 and 10000
+ minimum: 1.0
+ maximum: 10000.0
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that Spec.AppliedTo does not allow IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ group:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ ingress:
+ type: array
+ items:
+ type: object
+ required:
+ - action
+ properties:
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that rule AppliedTo does not allow IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ group:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ # Ensure that Action field allows only ALLOW, DROP and REJECT values
+ action:
+ type: string
+ enum: ['Allow', 'Drop', 'Reject', 'Pass']
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ endPort:
+ type: integer
+ from:
+ type: array
+ items:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaces:
+ type: object
+ properties:
+ match:
+ enum:
+ - Self
+ type: string
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ group:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ name:
+ type: string
+ enableLogging:
+ type: boolean
+ egress:
+ type: array
+ items:
+ type: object
+ required:
+ - action
+ properties:
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that rule AppliedTo does not allow IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ group:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ # Ensure that Action field allows only ALLOW, DROP and REJECT values
+ action:
+ type: string
+ enum: ['Allow', 'Drop', 'Reject', 'Pass']
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ endPort:
+ type: integer
+ to:
+ type: array
+ items:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaces:
+ type: object
+ properties:
+ match:
+ type: string
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ group:
+ type: string
+ fqdn:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ toServices:
+ type: array
+ items:
+ type: object
+ required:
+ - name
+ - namespace
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ name:
+ type: string
+ enableLogging:
+ type: boolean
+ status:
+ type: object
+ properties:
+ phase:
+ type: string
+ observedGeneration:
+ type: integer
+ currentNodesRealized:
+ type: integer
+ desiredNodesRealized:
+ type: integer
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: clusternetworkpolicies
+ singular: clusternetworkpolicy
+ kind: ClusterNetworkPolicy
+ shortNames:
+ - acnp
+---
+# Source: antrea/templates/crds/egress.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: egresses.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ required:
+ - spec
+ properties:
+ spec:
+ type: object
+ required:
+ - appliedTo
+ anyOf:
+ - required:
+ - egressIP
+ - required:
+ - externalIPPool
+ properties:
+ appliedTo:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ egressIP:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ externalIPPool:
+ type: string
+ status:
+ type: object
+ properties:
+ egressNode:
+ type: string
+ additionalPrinterColumns:
+ - description: Specifies the SNAT IP address for the selected workloads.
+ jsonPath: .spec.egressIP
+ name: EgressIP
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ - description: The Owner Node of egress IP
+ jsonPath: .status.egressNode
+ name: Node
+ type: string
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: egresses
+ singular: egress
+ kind: Egress
+ shortNames:
+ - eg
+---
+# Source: antrea/templates/crds/externalentity.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: externalentities.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ endpoints:
+ type: array
+ items:
+ type: object
+ properties:
+ ip:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ name:
+ type: string
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ name:
+ type: string
+ externalNode:
+ type: string
+ - name: v1alpha1
+ served: false
+ storage: false
+ schema:
+ openAPIV3Schema:
+ type: object
+ scope: Namespaced
+ names:
+ plural: externalentities
+ singular: externalentity
+ kind: ExternalEntity
+ shortNames:
+ - ee
+---
+# Source: antrea/templates/crds/externalippool.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: externalippools.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ required:
+ - spec
+ properties:
+ spec:
+ type: object
+ required:
+ - ipRanges
+ - nodeSelector
+ properties:
+ ipRanges:
+ type: array
+ items:
+ type: object
+ oneOf:
+ - required:
+ - cidr
+ - required:
+ - start
+ - end
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ start:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ end:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ type: object
+ properties:
+ usage:
+ type: object
+ properties:
+ total:
+ type: integer
+ used:
+ type: integer
+ additionalPrinterColumns:
+ - description: The number of total IPs
+ jsonPath: .status.usage.total
+ name: Total
+ type: integer
+ - description: The number of allocated IPs
+ jsonPath: .status.usage.used
+ name: Used
+ type: integer
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: externalippools
+ singular: externalippool
+ kind: ExternalIPPool
+ shortNames:
+ - eip
+---
+# Source: antrea/templates/crds/ippool.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: ippools.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ required:
+ - spec
+ properties:
+ spec:
+ required:
+ - ipVersion
+ - ipRanges
+ type: object
+ properties:
+ ipVersion:
+ type: integer
+ ipRanges:
+ items:
+ oneOf:
+ - required:
+ - cidr
+ - gateway
+ - prefixLength
+ - required:
+ - start
+ - end
+ - gateway
+ - prefixLength
+ properties:
+ cidr:
+ format: cidr
+ type: string
+ start:
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ type: string
+ end:
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ type: string
+ gateway:
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ type: string
+ prefixLength:
+ type: integer
+ vlan:
+ type: integer
+ minimum: 0
+ maximum: 4094
+ type: object
+ type: array
+ status:
+ properties:
+ ipAddresses:
+ items:
+ properties:
+ ipAddress:
+ type: string
+ owner:
+ properties:
+ pod:
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ containerID:
+ type: string
+ ifName:
+ type: string
+ type: object
+ statefulSet:
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ index:
+ type: integer
+ type: object
+ type: object
+ phase:
+ type: string
+ type: object
+ type: array
+ type: object
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: ippools
+ singular: ippool
+ kind: IPPool
+ shortNames:
+ - ipp
+---
+# Source: antrea/templates/crds/networkpolicy.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: networkpolicies.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - name: Tier
+ type: string
+ description: The Tier to which this Antrea NetworkPolicy belongs to.
+ jsonPath: .spec.tier
+ - name: Priority
+ type: number
+ format: float
+ description: The Priority of this Antrea NetworkPolicy relative to other policies.
+ jsonPath: .spec.priority
+ - name: Desired Nodes
+ type: number
+ format: int32
+ description: The total number of Nodes that should realize the NetworkPolicy.
+ jsonPath: .status.desiredNodesRealized
+ - name: Current Nodes
+ type: number
+ format: int32
+ description: The number of Nodes that have realized the NetworkPolicy.
+ jsonPath: .status.currentNodesRealized
+ - name: Age
+ type: date
+ jsonPath: .metadata.creationTimestamp
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ # Ensure that Spec.Priority field is set
+ required:
+ - priority
+ type: object
+ properties:
+ tier:
+ type: string
+ priority:
+ type: number
+ format: float
+ # Ensure that Spec.Priority field is between 1 and 10000
+ minimum: 1.0
+ maximum: 10000.0
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ingress:
+ type: array
+ items:
+ type: object
+ required:
+ - action
+ properties:
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ # Ensure that Action field allows only ALLOW, DROP and REJECT values
+ action:
+ type: string
+ enum: ['Allow', 'Drop', 'Reject', 'Pass']
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ endPort:
+ type: integer
+ from:
+ type: array
+ items:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ externalEntitySelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ name:
+ type: string
+ enableLogging:
+ type: boolean
+ egress:
+ type: array
+ items:
+ type: object
+ required:
+ - action
+ properties:
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ # Ensure that Action field allows only ALLOW, DROP and REJECT values
+ action:
+ type: string
+ enum: ['Allow', 'Drop', 'Reject', 'Pass']
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ endPort:
+ type: integer
+ to:
+ type: array
+ items:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ externalEntitySelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ fqdn:
+ type: string
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ toServices:
+ type: array
+ items:
+ type: object
+ required:
+ - name
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ name:
+ type: string
+ enableLogging:
+ type: boolean
+ status:
+ type: object
+ properties:
+ phase:
+ type: string
+ observedGeneration:
+ type: integer
+ currentNodesRealized:
+ type: integer
+ desiredNodesRealized:
+ type: integer
+ subresources:
+ status: {}
+ scope: Namespaced
+ names:
+ plural: networkpolicies
+ singular: networkpolicy
+ kind: NetworkPolicy
+ shortNames:
+ - anp
+---
+# Source: antrea/templates/crds/tier.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: tiers.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - name: Priority
+ type: integer
+ description: The Priority of this Tier relative to other Tiers.
+ jsonPath: .spec.priority
+ - name: Age
+ type: date
+ jsonPath: .metadata.creationTimestamp
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ required:
+ - priority
+ type: object
+ properties:
+ priority:
+ type: integer
+ minimum: 0
+ maximum: 255
+ description:
+ type: string
+ scope: Cluster
+ names:
+ plural: tiers
+ singular: tier
+ kind: Tier
+ shortNames:
+ - tr
+---
+# Source: antrea/templates/crds/traceflow.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: traceflows.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - jsonPath: .status.phase
+ description: The phase of the Traceflow.
+ name: Phase
+ type: string
+ - jsonPath: .spec.source.pod
+ description: The name of the source Pod.
+ name: Source-Pod
+ type: string
+ priority: 10
+ - jsonPath: .spec.destination.pod
+ description: The name of the destination Pod.
+ name: Destination-Pod
+ type: string
+ priority: 10
+ - jsonPath: .spec.destination.ip
+ description: The IP address of the destination.
+ name: Destination-IP
+ type: string
+ priority: 10
+ - jsonPath: .spec.liveTraffic
+ description: Trace live traffic.
+ name: Live-Traffic
+ type: boolean
+ priority: 10
+ - jsonPath: .spec.droppedOnly
+ description: Capture only the dropped packet.
+ name: Dropped-Only
+ type: boolean
+ priority: 10
+ - jsonPath: .spec.timeout
+ description: Timeout in seconds.
+ name: Timeout
+ type: integer
+ priority: 10
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ schema:
+ openAPIV3Schema:
+ type: object
+ required:
+ - spec
+ properties:
+ spec:
+ type: object
+ properties:
+ source:
+ type: object
+ properties:
+ pod:
+ type: string
+ namespace:
+ type: string
+ ip:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ destination:
+ type: object
+ properties:
+ pod:
+ type: string
+ service:
+ type: string
+ namespace:
+ type: string
+ ip:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ packet:
+ type: object
+ properties:
+ ipHeader:
+ type: object
+ properties:
+ srcIP:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ protocol:
+ type: integer
+ ttl:
+ type: integer
+ flags:
+ type: integer
+ ipv6Header:
+ type: object
+ properties:
+ srcIP:
+ type: string
+ format: ipv6
+ nextHeader:
+ type: integer
+ hopLimit:
+ type: integer
+ transportHeader:
+ type: object
+ properties:
+ icmp:
+ type: object
+ properties:
+ id:
+ type: integer
+ sequence:
+ type: integer
+ udp:
+ type: object
+ properties:
+ srcPort:
+ type: integer
+ dstPort:
+ type: integer
+ tcp:
+ type: object
+ properties:
+ srcPort:
+ type: integer
+ dstPort:
+ type: integer
+ flags:
+ type: integer
+ liveTraffic:
+ type: boolean
+ droppedOnly:
+ type: boolean
+ timeout:
+ type: integer
+ status:
+ type: object
+ properties:
+ reason:
+ type: string
+ dataplaneTag:
+ type: integer
+ phase:
+ type: string
+ startTime:
+ type: string
+ results:
+ type: array
+ items:
+ type: object
+ properties:
+ node:
+ type: string
+ role:
+ type: string
+ timestamp:
+ type: integer
+ observations:
+ type: array
+ items:
+ type: object
+ properties:
+ component:
+ type: string
+ componentInfo:
+ type: string
+ action:
+ type: string
+ pod:
+ type: string
+ dstMAC:
+ type: string
+ networkPolicy:
+ type: string
+ ttl:
+ type: integer
+ translatedSrcIP:
+ type: string
+ translatedDstIP:
+ type: string
+ tunnelDstIP:
+ type: string
+ capturedPacket:
+ properties:
+ srcIP:
+ type: string
+ dstIP:
+ type: string
+ length:
+ type: integer
+ ipHeader:
+ properties:
+ flags:
+ type: integer
+ protocol:
+ type: integer
+ ttl:
+ type: integer
+ type: object
+ ipv6Header:
+ properties:
+ hopLimit:
+ type: integer
+ nextHeader:
+ type: integer
+ type: object
+ transportHeader:
+ properties:
+ tcp:
+ properties:
+ dstPort:
+ type: integer
+ srcPort:
+ type: integer
+ flags:
+ type: integer
+ type: object
+ udp:
+ properties:
+ dstPort:
+ type: integer
+ srcPort:
+ type: integer
+ type: object
+ icmp:
+ properties:
+ id:
+ type: integer
+ sequence:
+ type: integer
+ type: object
+ type: object
+ type: object
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: traceflows
+ singular: traceflow
+ kind: Traceflow
+ shortNames:
+ - tf
+---
+# Source: antrea/templates/agent/clusterrole.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-agent
+ labels:
+ app: antrea
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/status
+ verbs:
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - pods/status
+ verbs:
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - endpoints
+ - services
+ - namespaces
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - services/status
+ verbs:
+ - update
+ - apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - antreaagentinfos
+ verbs:
+ - get
+ - create
+ - update
+ - delete
+ - apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - networkpolicies
+ - appliedtogroups
+ - addressgroups
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - egressgroups
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - nodestatssummaries
+ verbs:
+ - create
+ - apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - networkpolicies/status
+ verbs:
+ - create
+ - get
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+ # This is the content of built-in role kube-system/extension-apiserver-authentication-reader.
+ # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-agent) will
+ # have permission issue after bumping up apiserver library to a version that supports dynamic authentication.
+ # See https://github.com/kubernetes/kubernetes/pull/85375
+ # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on
+ # the extension-apiserver-authentication role.
+ - apiGroups:
+ - ""
+ resourceNames:
+ - extension-apiserver-authentication
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ resourceNames:
+ - antrea-ca
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - traceflows
+ - traceflows/status
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - egresses
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - egresses/status
+ verbs:
+ - update
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - externalippools
+ - ippools
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - ippools/status
+ verbs:
+ - update
+ - apiGroups:
+ - k8s.cni.cncf.io
+ resources:
+ - network-attachment-definitions
+ verbs:
+ - get
+ - list
+ - watch
+---
+# Source: antrea/templates/antctl/clusterrole.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antctl
+ labels:
+ app: antrea
+rules:
+ - apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - networkpolicies
+ - appliedtogroups
+ - addressgroups
+ verbs:
+ - get
+ - list
+ - apiGroups:
+ - stats.antrea.io
+ resources:
+ - networkpolicystats
+ - antreaclusternetworkpolicystats
+ - antreanetworkpolicystats
+ verbs:
+ - get
+ - list
+ - apiGroups:
+ - system.antrea.io
+ resources:
+ - controllerinfos
+ - agentinfos
+ verbs:
+ - get
+ - apiGroups:
+ - system.antrea.io
+ resources:
+ - supportbundles
+ verbs:
+ - get
+ - post
+ - apiGroups:
+ - system.antrea.io
+ resources:
+ - supportbundles/download
+ verbs:
+ - get
+ - nonResourceURLs:
+ - /agentinfo
+ - /addressgroups
+ - /appliedtogroups
+ - /loglevel
+ - /networkpolicies
+ - /ovsflows
+ - /ovstracing
+ - /podinterfaces
+ - /featuregates
+ verbs:
+ - get
+---
+# Source: antrea/templates/cluster-identity-reader/clusterrolebinding.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-cluster-identity-reader
+ labels:
+ app: antrea
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ resourceNames:
+ - antrea-cluster-identity
+ verbs:
+ - get
+---
+# Source: antrea/templates/controller/clusterrole.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-controller
+ labels:
+ app: antrea
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - services
+ - namespaces
+ - configmaps
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - watch
+ - list
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - services/status
+ verbs:
+ - update
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - networkpolicies
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+ - apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - update
+ # This is the content of built-in role kube-system/extension-apiserver-authentication-reader.
+ # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-controller) will
+ # have permission issue after bumping up apiserver library to a version that supports dynamic authentication.
+ # See https://github.com/kubernetes/kubernetes/pull/85375
+ # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on
+ # the extension-apiserver-authentication role.
+ - apiGroups:
+ - ""
+ resourceNames:
+ - extension-apiserver-authentication
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ resourceNames:
+ - antrea-ca
+ - antrea-cluster-identity
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - apiGroups:
+ - apiregistration.k8s.io
+ resources:
+ - apiservices
+ resourceNames:
+ - v1alpha1.stats.antrea.io
+ - v1beta1.system.antrea.io
+ - v1beta2.controlplane.antrea.io
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - apiregistration.k8s.io
+ resources:
+ - apiservices
+ resourceNames:
+ - v1beta1.networking.antrea.tanzu.vmware.com
+ - v1beta1.controlplane.antrea.tanzu.vmware.com
+ - v1alpha1.stats.antrea.tanzu.vmware.com
+ - v1beta1.system.antrea.tanzu.vmware.com
+ - v1beta2.controlplane.antrea.tanzu.vmware.com
+ verbs:
+ - delete
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ resourceNames:
+ # always give permissions for labelsmutator.antrea.io, even when the
+ # feature is disabled, to avoid errors in antrea-controller when updating
+ # the CA cert.
+ - labelsmutator.antrea.io
+ - crdmutator.antrea.io
+ - crdvalidator.antrea.io
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - antreacontrollerinfos
+ verbs:
+ - get
+ - create
+ - update
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - antreaagentinfos
+ verbs:
+ - list
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - clusternetworkpolicies
+ - networkpolicies
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - clusternetworkpolicies/status
+ - networkpolicies/status
+ verbs:
+ - update
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - tiers
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - traceflows
+ - traceflows/status
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - externalentities
+ - clustergroups
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - clustergroups/status
+ verbs:
+ - update
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - egresses
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - externalippools
+ - ippools
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - externalippools/status
+ - ippools/status
+ verbs:
+ - update
+ - apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - watch
+---
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
metadata:
+ name: aggregate-antrea-policies-edit
labels:
app: antrea
- name: antrea-config-2c8t9465tc
- namespace: kube-system
+ # Add these permissions to the "admin" and "edit" default roles.
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["clusternetworkpolicies", "networkpolicies"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
-apiVersion: v1
-kind: Service
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: aggregate-antrea-policies-view
+ labels:
+ app: antrea
+ # Add these permissions to the "view" default role.
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["clusternetworkpolicies", "networkpolicies"]
+ verbs: ["get", "list", "watch"]
+---
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: aggregate-traceflows-edit
+ labels:
+ app: antrea
+ # Add these permissions to the "admin" and "edit" default roles.
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["traceflows"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
+ name: aggregate-traceflows-view
+ labels:
+ app: antrea
+ # Add these permissions to the "view" default role.
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["traceflows"]
+ verbs: ["get", "list", "watch"]
+---
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: aggregate-antrea-clustergroups-edit
+ labels:
+ app: antrea
+ # Add these permissions to the "admin" and "edit" default roles.
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["clustergroups"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: aggregate-antrea-clustergroups-view
+ labels:
+ app: antrea
+ # Add these permissions to the "view" default role.
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["clustergroups"]
+ verbs: ["get", "list", "watch"]
+---
+# Source: antrea/templates/agent/clusterrolebinding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-agent
+ labels:
+ app: antrea
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: antrea-agent
+subjects:
+ - kind: ServiceAccount
+ name: antrea-agent
+ namespace: kube-system
+---
+# Source: antrea/templates/antctl/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: antrea
+ name: antctl
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: antctl
+subjects:
+ - kind: ServiceAccount
+ name: antctl
+ namespace: kube-system
+---
+# Source: antrea/templates/controller/clusterrolebinding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-controller
labels:
app: antrea
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: antrea-controller
+subjects:
+ - kind: ServiceAccount
+ name: antrea-controller
+ namespace: kube-system
+---
+# Source: antrea/templates/controller/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
name: antrea
namespace: kube-system
+ labels:
+ app: antrea
spec:
ports:
- - port: 443
- protocol: TCP
- targetPort: api
+ - port: 443
+ protocol: TCP
+ targetPort: api
selector:
app: antrea
component: antrea-controller
---
+# Source: antrea/templates/agent/daemonset.yaml
apiVersion: apps/v1
-kind: Deployment
+kind: DaemonSet
metadata:
+ name: antrea-agent
+ namespace: kube-system
labels:
app: antrea
- component: antrea-controller
+ component: antrea-agent
+spec:
+ selector:
+ matchLabels:
+ app: antrea
+ component: antrea-agent
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ annotations:
+ # Starting with v1.21, Kubernetes supports default container annotation.
+ # Using "kubectl logs/exec/attach/cp" doesn't have to specify "-c antrea-agent" when troubleshooting.
+ kubectl.kubernetes.io/default-container: antrea-agent
+ # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
+ # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
+ checksum/config: 5cde7917b9224b515967d437777f2243699069b38d5c4811766993426fd138bd
+ labels:
+ app: antrea
+ component: antrea-agent
+ spec:
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ priorityClassName: system-node-critical
+ nodeSelector:
+ kubernetes.io/os: linux
+ tolerations:
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - effect: NoSchedule
+ operator: Exists
+ - effect: NoExecute
+ operator: Exists
+ serviceAccountName: antrea-agent
+ initContainers:
+ - name: install-cni
+ image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest"
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: 100m
+ command: ["install_cni"]
+ securityContext:
+ capabilities:
+ add:
+ # SYS_MODULE is required to load the OVS kernel module.
+ - SYS_MODULE
+ env:
+ # SKIP_CNI_BINARIES takes in values as a comma separated list of
+ # binaries that need to be skipped for installation, e.g. "portmap, bandwidth".
+ - name: SKIP_CNI_BINARIES
+ value: ""
+ volumeMounts:
+ - name: antrea-config
+ mountPath: /etc/antrea/antrea-cni.conflist
+ subPath: antrea-cni.conflist
+ readOnly: true
+ - name: host-cni-conf
+ mountPath: /host/etc/cni/net.d
+ - name: host-cni-bin
+ mountPath: /host/opt/cni/bin
+ # For loading the OVS kernel module.
+ - name: host-lib-modules
+ mountPath: /lib/modules
+ readOnly: true
+ # For changing the default permissions of the run directory.
+ - name: host-var-run-antrea
+ mountPath: /var/run/antrea
+ containers:
+ - name: antrea-agent
+ image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest"
+ imagePullPolicy: IfNotPresent
+ command: ["antrea-agent"]
+ # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).-
+ args:
+ - "--config=/etc/antrea/antrea-agent.conf"
+ - "--logtostderr=false"
+ - "--log_dir=/var/log/antrea"
+ - "--alsologtostderr"
+ - "--log_file_max_size=100"
+ - "--log_file_max_num=4"
+ env:
+ # Provide pod and node information for clusterinformation CRD.
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ resources:
+ requests:
+ cpu: 200m
+ ports:
+ - containerPort: 10350
+ name: api
+ protocol: TCP
+ livenessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - container_liveness_probe agent
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
+ periodSeconds: 10
+ failureThreshold: 5
+ readinessProbe:
+ httpGet:
+ host: localhost
+ path: /readyz
+ port: api
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
+ periodSeconds: 10
+ # In large-scale clusters, it may take up to 40~50 seconds for the antrea-agent to reconnect to the antrea
+ # Service after the antrea-controller restarts. The antrea-agent shouldn't be reported as NotReady in this
+ # scenario, otherwise the DaemonSet controller would restart all agents at once, as opposed to performing a
+ # rolling update. Set failureThreshold to 8 so it can tolerate 70s of disconnection.
+ failureThreshold: 8
+ securityContext:
+ # antrea-agent needs to perform sysctl configuration.
+ privileged: true
+ volumeMounts:
+ - name: antrea-config
+ mountPath: /etc/antrea/antrea-agent.conf
+ subPath: antrea-agent.conf
+ readOnly: true
+ - name: host-var-run-antrea
+ mountPath: /var/run/antrea
+ - name: host-var-run-antrea
+ mountPath: /var/run/openvswitch
+ subPath: openvswitch
+ # host-local IPAM stores allocated IP addresses as files in /var/lib/cni/networks/$NETWORK_NAME.
+ # Mount a sub-directory of host-var-run-antrea to it for persistence of IP allocation.
+ - name: host-var-run-antrea
+ mountPath: /var/lib/cni
+ subPath: cni
+ # We need to mount both the /proc directory and the /var/run/netns directory so that
+ # antrea-agent can open the network namespace path when setting up Pod
+ # networking. Different container runtimes may use /proc or /var/run/netns when invoking
+ # the CNI commands. Docker uses /proc and containerd uses /var/run/netns.
+ - name: host-var-log-antrea
+ mountPath: /var/log/antrea
+ - name: host-proc
+ mountPath: /host/proc
+ readOnly: true
+ - name: host-var-run-netns
+ mountPath: /host/var/run/netns
+ readOnly: true
+ # When a container is created, a mount point for the network namespace is added under
+ # /var/run/netns on the host, which needs to be propagated to the antrea-agent container.
+ mountPropagation: HostToContainer
+ - name: xtables-lock
+ mountPath: /run/xtables.lock
+ - name: antrea-ovs
+ image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest"
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: 200m
+ command: ["start_ovs"]
+ args:
+ - "--log_file_max_size=100"
+ - "--log_file_max_num=4"
+ securityContext:
+ # capabilities required by OVS daemons
+ capabilities:
+ add:
+ - SYS_NICE
+ - NET_ADMIN
+ - SYS_ADMIN
+ - IPC_LOCK
+ livenessProbe:
+ exec:
+ # docker CRI doesn't honor timeoutSeconds, add "timeout" to the command as a workaround.
+ # https://github.com/kubernetes/kubernetes/issues/51901
+ command:
+ - /bin/sh
+ - -c
+ - timeout 10 container_liveness_probe ovs
+ initialDelaySeconds: 5
+ timeoutSeconds: 10
+ periodSeconds: 10
+ failureThreshold: 5
+ volumeMounts:
+ - name: host-var-run-antrea
+ mountPath: /var/run/openvswitch
+ subPath: openvswitch
+ - name: host-var-log-antrea
+ mountPath: /var/log/openvswitch
+ subPath: openvswitch
+ volumes:
+ - name: antrea-config
+ configMap:
+ name: antrea-config
+ - name: host-cni-conf
+ hostPath:
+ path: /etc/cni/net.d
+ - name: host-cni-bin
+ hostPath:
+ path: /home/kubernetes/bin
+ - name: host-proc
+ hostPath:
+ path: /proc
+ - name: host-var-run-netns
+ hostPath:
+ path: /var/run/netns
+ - name: host-var-run-antrea
+ hostPath:
+ path: /var/run/antrea
+ # we use subPath to create run subdirectories for different component (e.g. OVS) and
+ # subPath requires the base volume to exist
+ type: DirectoryOrCreate
+ - name: host-var-log-antrea
+ hostPath:
+ path: /var/log/antrea
+ # we use subPath to create logging subdirectories for different component (e.g. OVS)
+ type: DirectoryOrCreate
+ - name: host-lib-modules
+ hostPath:
+ path: /lib/modules
+ - name: xtables-lock
+ hostPath:
+ path: /run/xtables.lock
+ type: FileOrCreate
+---
+# Source: antrea/templates/controller/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
name: antrea-controller
namespace: kube-system
+ labels:
+ app: antrea
+ component: antrea-controller
spec:
- replicas: 1
+ strategy:
+ # Ensure the existing Pod is stopped before the new one is created.
+ type: Recreate
selector:
matchLabels:
app: antrea
component: antrea-controller
- strategy:
- type: Recreate
+ replicas: 1
template:
metadata:
+ annotations:
+ # Automatically restart Pod if the ConfigMap changes
+ # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
+ checksum/config: 5cde7917b9224b515967d437777f2243699069b38d5c4811766993426fd138bd
labels:
app: antrea
component: antrea-controller
spec:
- containers:
- - args:
- - --config
- - /etc/antrea/antrea-controller.conf
- - --logtostderr=false
- - --log_dir=/var/log/antrea
- - --alsologtostderr
- - --log_file_max_size=100
- - --log_file_max_num=4
- - --v=0
- command:
- - antrea-controller
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- - name: SERVICEACCOUNT_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.serviceAccountName
- - name: ANTREA_CONFIG_MAP_NAME
- value: antrea-config-2c8t9465tc
- image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
- imagePullPolicy: IfNotPresent
- livenessProbe:
- failureThreshold: 5
- httpGet:
- host: localhost
- path: /livez
- port: api
- scheme: HTTPS
- periodSeconds: 10
- timeoutSeconds: 5
- name: antrea-controller
- ports:
- - containerPort: 10349
- name: api
- protocol: TCP
- readinessProbe:
- failureThreshold: 5
- httpGet:
- host: localhost
- path: /readyz
- port: api
- scheme: HTTPS
- initialDelaySeconds: 5
- periodSeconds: 10
- timeoutSeconds: 5
- resources:
- requests:
- cpu: 200m
- volumeMounts:
- - mountPath: /etc/antrea/antrea-controller.conf
- name: antrea-config
- readOnly: true
- subPath: antrea-controller.conf
- - mountPath: /var/run/antrea/antrea-controller-tls
- name: antrea-controller-tls
- - mountPath: /var/log/antrea
- name: host-var-log-antrea
- hostNetwork: true
nodeSelector:
kubernetes.io/os: linux
+ hostNetwork: true
priorityClassName: system-cluster-critical
- serviceAccountName: antrea-controller
tolerations:
- - key: CriticalAddonsOnly
- operator: Exists
- - effect: NoSchedule
- key: node-role.kubernetes.io/master
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/master
+ serviceAccountName: antrea-controller
+ containers:
+ - name: antrea-controller
+ image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest"
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: 200m
+ command: ["antrea-controller"]
+ # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).
+ args:
+ - "--config=/etc/antrea/antrea-controller.conf"
+ - "--logtostderr=false"
+ - "--log_dir=/var/log/antrea"
+ - "--alsologtostderr"
+ - "--log_file_max_size=100"
+ - "--log_file_max_num=4"
+ env:
+ # Provide pod and node information for clusterinformation CRD.
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ # Provide ServiceAccount name for validation webhook.
+ - name: SERVICEACCOUNT_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: ANTREA_CONFIG_MAP_NAME
+ value: antrea-config
+ ports:
+ - containerPort: 10349
+ name: api
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ host: localhost
+ path: /readyz
+ port: api
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
+ periodSeconds: 10
+ failureThreshold: 5
+ livenessProbe:
+ httpGet:
+ host: localhost
+ path: /livez
+ port: api
+ scheme: HTTPS
+ timeoutSeconds: 5
+ periodSeconds: 10
+ failureThreshold: 5
+ volumeMounts:
+ - name: antrea-config
+ mountPath: /etc/antrea/antrea-controller.conf
+ subPath: antrea-controller.conf
+ readOnly: true
+ - name: antrea-controller-tls
+ mountPath: /var/run/antrea/antrea-controller-tls
+ - name: host-var-log-antrea
+ mountPath: /var/log/antrea
volumes:
- - configMap:
- name: antrea-config-2c8t9465tc
- name: antrea-config
- - name: antrea-controller-tls
- secret:
- defaultMode: 256
- optional: true
- secretName: antrea-controller-tls
- - hostPath:
- path: /var/log/antrea
- type: DirectoryOrCreate
- name: host-var-log-antrea
+ - name: antrea-config
+ configMap:
+ name: antrea-config
+ # Make it optional as we only read it when selfSignedCert=false.
+ - name: antrea-controller-tls
+ secret:
+ secretName: antrea-controller-tls
+ defaultMode: 0400
+ optional: true
+ - name: host-var-log-antrea
+ hostPath:
+ path: /var/log/antrea
+ type: DirectoryOrCreate
---
+# Source: antrea/templates/controller/apiservices.yaml
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
+ name: v1beta2.controlplane.antrea.io
labels:
app: antrea
- name: v1alpha1.stats.antrea.io
spec:
- group: stats.antrea.io
+ group: controlplane.antrea.io
groupPriorityMinimum: 100
+ version: v1beta2
+ versionPriority: 100
service:
name: antrea
namespace: kube-system
- version: v1alpha1
- versionPriority: 100
---
+# Source: antrea/templates/controller/apiservices.yaml
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
+ name: v1beta1.system.antrea.io
labels:
app: antrea
- name: v1beta1.system.antrea.io
spec:
group: system.antrea.io
groupPriorityMinimum: 100
+ version: v1beta1
+ versionPriority: 100
service:
name: antrea
namespace: kube-system
- version: v1beta1
- versionPriority: 100
---
+# Source: antrea/templates/controller/apiservices.yaml
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
+ name: v1alpha1.stats.antrea.io
labels:
app: antrea
- name: v1beta2.controlplane.antrea.io
spec:
- group: controlplane.antrea.io
+ group: stats.antrea.io
groupPriorityMinimum: 100
+ version: v1alpha1
+ versionPriority: 100
service:
name: antrea
namespace: kube-system
- version: v1beta2
- versionPriority: 100
----
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- labels:
- app: antrea
- component: antrea-agent
- name: antrea-agent
- namespace: kube-system
-spec:
- selector:
- matchLabels:
- app: antrea
- component: antrea-agent
- template:
- metadata:
- annotations:
- kubectl.kubernetes.io/default-container: antrea-agent
- labels:
- app: antrea
- component: antrea-agent
- spec:
- containers:
- - args:
- - --config
- - /etc/antrea/antrea-agent.conf
- - --logtostderr=false
- - --log_dir=/var/log/antrea
- - --alsologtostderr
- - --log_file_max_size=100
- - --log_file_max_num=4
- - --v=0
- command:
- - antrea-agent
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
- imagePullPolicy: IfNotPresent
- livenessProbe:
- exec:
- command:
- - /bin/sh
- - -c
- - container_liveness_probe agent
- failureThreshold: 5
- initialDelaySeconds: 5
- periodSeconds: 10
- timeoutSeconds: 5
- name: antrea-agent
- ports:
- - containerPort: 10350
- name: api
- protocol: TCP
- readinessProbe:
- failureThreshold: 8
- httpGet:
- host: localhost
- path: /readyz
- port: api
- scheme: HTTPS
- initialDelaySeconds: 5
- periodSeconds: 10
- timeoutSeconds: 5
- resources:
- requests:
- cpu: 200m
- securityContext:
- privileged: true
- volumeMounts:
- - mountPath: /etc/antrea/antrea-agent.conf
- name: antrea-config
- readOnly: true
- subPath: antrea-agent.conf
- - mountPath: /var/run/antrea
- name: host-var-run-antrea
- - mountPath: /var/run/openvswitch
- name: host-var-run-antrea
- subPath: openvswitch
- - mountPath: /var/lib/cni
- name: host-var-run-antrea
- subPath: cni
- - mountPath: /var/log/antrea
- name: host-var-log-antrea
- - mountPath: /host/proc
- name: host-proc
- readOnly: true
- - mountPath: /host/var/run/netns
- mountPropagation: HostToContainer
- name: host-var-run-netns
- readOnly: true
- - mountPath: /run/xtables.lock
- name: xtables-lock
- - args:
- - --log_file_max_size=100
- - --log_file_max_num=4
- command:
- - start_ovs
- image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
- imagePullPolicy: IfNotPresent
- livenessProbe:
- exec:
- command:
- - /bin/sh
- - -c
- - timeout 10 container_liveness_probe ovs
- failureThreshold: 5
- initialDelaySeconds: 5
- periodSeconds: 10
- timeoutSeconds: 10
- name: antrea-ovs
- resources:
- requests:
- cpu: 200m
- securityContext:
- capabilities:
- add:
- - SYS_NICE
- - NET_ADMIN
- - SYS_ADMIN
- - IPC_LOCK
- volumeMounts:
- - mountPath: /var/run/openvswitch
- name: host-var-run-antrea
- subPath: openvswitch
- - mountPath: /var/log/openvswitch
- name: host-var-log-antrea
- subPath: openvswitch
- dnsPolicy: ClusterFirstWithHostNet
- hostNetwork: true
- initContainers:
- - command:
- - install_cni
- env:
- - name: SKIP_CNI_BINARIES
- value: ""
- image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
- imagePullPolicy: IfNotPresent
- name: install-cni
- resources:
- requests:
- cpu: 100m
- securityContext:
- capabilities:
- add:
- - SYS_MODULE
- volumeMounts:
- - mountPath: /etc/antrea/antrea-cni.conflist
- name: antrea-config
- readOnly: true
- subPath: antrea-cni.conflist
- - mountPath: /host/etc/cni/net.d
- name: host-cni-conf
- - mountPath: /host/opt/cni/bin
- name: host-cni-bin
- - mountPath: /lib/modules
- name: host-lib-modules
- readOnly: true
- - mountPath: /var/run/antrea
- name: host-var-run-antrea
- nodeSelector:
- kubernetes.io/os: linux
- priorityClassName: system-node-critical
- serviceAccountName: antrea-agent
- tolerations:
- - key: CriticalAddonsOnly
- operator: Exists
- - effect: NoSchedule
- operator: Exists
- - effect: NoExecute
- operator: Exists
- volumes:
- - hostPath:
- path: /home/kubernetes/bin
- name: host-cni-bin
- - configMap:
- name: antrea-config-2c8t9465tc
- name: antrea-config
- - hostPath:
- path: /etc/cni/net.d
- name: host-cni-conf
- - hostPath:
- path: /proc
- name: host-proc
- - hostPath:
- path: /var/run/netns
- name: host-var-run-netns
- - hostPath:
- path: /var/run/antrea
- type: DirectoryOrCreate
- name: host-var-run-antrea
- - hostPath:
- path: /var/log/antrea
- type: DirectoryOrCreate
- name: host-var-log-antrea
- - hostPath:
- path: /lib/modules
- name: host-lib-modules
- - hostPath:
- path: /run/xtables.lock
- type: FileOrCreate
- name: xtables-lock
- updateStrategy:
- type: RollingUpdate
---
+# Source: antrea/templates/webhooks/mutating/crdmutator.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
+ name: "crdmutator.antrea.io"
labels:
app: antrea
- name: crdmutator.antrea.io
webhooks:
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /mutate/acnp
- name: acnpmutator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha1
- operations:
- - CREATE
- - UPDATE
- resources:
- - clusternetworkpolicies
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /mutate/anp
- name: anpmutator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha1
- operations:
- - CREATE
- - UPDATE
- resources:
- - networkpolicies
- scope: Namespaced
- sideEffects: None
- timeoutSeconds: 5
+ - name: "acnpmutator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/mutate/acnp"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["clusternetworkpolicies"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "anpmutator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/mutate/anp"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["networkpolicies"]
+ scope: "Namespaced"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
---
+# Source: antrea/templates/webhooks/validating/crdvalidator.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
+ name: "crdvalidator.antrea.io"
labels:
app: antrea
- name: crdvalidator.antrea.io
webhooks:
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/tier
- name: tiervalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha1
- operations:
- - CREATE
- - UPDATE
- - DELETE
- resources:
- - tiers
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/acnp
- name: acnpvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha1
- operations:
- - CREATE
- - UPDATE
- resources:
- - clusternetworkpolicies
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/anp
- name: anpvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha1
- operations:
- - CREATE
- - UPDATE
- resources:
- - networkpolicies
- scope: Namespaced
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/clustergroup
- name: clustergroupvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha3
- - v1alpha2
- operations:
- - CREATE
- - UPDATE
- resources:
- - clustergroups
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/externalippool
- name: externalippoolvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha2
- operations:
- - UPDATE
- resources:
- - externalippools
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/egress
- name: egressvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha2
- operations:
- - CREATE
- - UPDATE
- resources:
- - egresses
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/ippool
- name: ippoolvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha2
- operations:
- - CREATE
- - UPDATE
- - DELETE
- resources:
- - ippools
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
+ - name: "tiervalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/tier"
+ rules:
+ - operations: ["CREATE", "UPDATE", "DELETE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["tiers"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "acnpvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/acnp"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["clusternetworkpolicies"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "anpvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/anp"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["networkpolicies"]
+ scope: "Namespaced"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "clustergroupvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/clustergroup"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha3", "v1alpha2"]
+ resources: ["clustergroups"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "externalippoolvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/externalippool"
+ rules:
+ - operations: ["UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha2"]
+ resources: ["externalippools"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "egressvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/egress"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha2"]
+ resources: ["egresses"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "ippoolvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/ippool"
+ rules:
+ - operations: ["CREATE", "UPDATE", "DELETE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha2"]
+ resources: ["ippools"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml
index f5e3143b287..524799a994c 100644
--- a/build/yamls/antrea-ipsec.yml
+++ b/build/yamls/antrea-ipsec.yml
@@ -1,2742 +1,52 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
+---
+# Source: antrea/templates/agent/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
metadata:
+ name: antrea-agent
+ namespace: kube-system
labels:
app: antrea
- name: antreaagentinfos.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: AntreaAgentInfo
- plural: antreaagentinfos
- shortNames:
- - aai
- singular: antreaagentinfo
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: Health status of this Agent
- jsonPath: .agentConditions[?(@.type=='AgentHealthy')].status
- name: Healthy
- type: string
- - description: Last time the Healthy Condition was updated
- jsonPath: .agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime
- name: Last Heartbeat
- type: date
- - description: Version of this Agent
- jsonPath: .version
- name: Version
- priority: 1
- type: string
- - description: Node on which this Agent is running
- jsonPath: .nodeRef.name
- name: Node
- priority: 1
- type: string
- - description: Number of local Pods managed by this Agent
- jsonPath: .localPodNum
- name: Num Pods
- priority: 2
- type: integer
- - description: Subnets used by this Agent for Pod IPAM
- jsonPath: .nodeSubnets
- name: Subnets
- priority: 2
- type: string
- name: v1beta1
- schema:
- openAPIV3Schema:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- served: true
- storage: true
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
+# Source: antrea/templates/antctl/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
metadata:
+ name: antctl
+ namespace: kube-system
labels:
app: antrea
- name: antreacontrollerinfos.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: AntreaControllerInfo
- plural: antreacontrollerinfos
- shortNames:
- - aci
- singular: antreacontrollerinfo
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: Health status of the Controller
- jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].status
- name: Healthy
- type: string
- - description: Last time the Healthy Condition was updated
- jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime
- name: Last Heartbeat
- type: date
- - description: Version of the Controller
- jsonPath: .version
- name: Version
- priority: 1
- type: string
- - description: Number of Agents connected to the Controller
- jsonPath: .connectedAgentNum
- name: Connected Agents
- priority: 1
- type: integer
- - description: Node on which the Controller is running
- jsonPath: .nodeRef.name
- name: Node
- priority: 1
- type: string
- - description: Number of Network Policies computed by Controller
- jsonPath: .networkPolicyControllerInfo.networkPolicyNum
- name: Num Network Policies
- priority: 2
- type: integer
- name: v1beta1
- schema:
- openAPIV3Schema:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- served: true
- storage: true
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
+# Source: antrea/templates/controller/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
metadata:
+ name: antrea-controller
+ namespace: kube-system
labels:
app: antrea
- name: clustergroups.crd.antrea.io
-spec:
- conversion:
- strategy: Webhook
- webhook:
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /convert/clustergroup
- conversionReviewVersions:
- - v1
- - v1beta1
- group: crd.antrea.io
- names:
- kind: ClusterGroup
- plural: clustergroups
- shortNames:
- - cg
- singular: clustergroup
- scope: Cluster
- versions:
- - name: v1alpha2
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- childGroups:
- items:
- type: string
- type: array
- externalEntitySelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- ipBlock:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- ipBlocks:
- items:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- type: array
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceReference:
- properties:
- name:
- type: string
- namespace:
- type: string
- type: object
- type: object
- status:
- properties:
- conditions:
- items:
- properties:
- lastTransitionTime:
- type: string
- status:
- type: string
- type:
- type: string
- type: object
- type: array
- type: object
- type: object
- served: true
- storage: false
- - name: v1alpha3
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- childGroups:
- items:
- type: string
- type: array
- externalEntitySelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- ipBlocks:
- items:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- type: array
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceReference:
- properties:
- name:
- type: string
- namespace:
- type: string
- type: object
- type: object
- status:
- properties:
- conditions:
- items:
- properties:
- lastTransitionTime:
- type: string
- status:
- type: string
- type:
- type: string
- type: object
- type: array
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
+# Source: antrea/templates/agent/ipsec-secret.yaml
+apiVersion: v1
+kind: Secret
metadata:
+ name: antrea-ipsec
+ namespace: kube-system
labels:
app: antrea
- name: clusternetworkpolicies.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: ClusterNetworkPolicy
- plural: clusternetworkpolicies
- shortNames:
- - acnp
- singular: clusternetworkpolicy
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: The Tier to which this ClusterNetworkPolicy belongs to.
- jsonPath: .spec.tier
- name: Tier
- type: string
- - description: The Priority of this ClusterNetworkPolicy relative to other policies.
- format: float
- jsonPath: .spec.priority
- name: Priority
- type: number
- - description: The total number of Nodes that should realize the NetworkPolicy.
- format: int32
- jsonPath: .status.desiredNodesRealized
- name: Desired Nodes
- type: number
- - description: The number of Nodes that have realized the NetworkPolicy.
- format: int32
- jsonPath: .status.currentNodesRealized
- name: Current Nodes
- type: number
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- appliedTo:
- items:
- properties:
- group:
- type: string
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceAccount:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- type: array
- egress:
- items:
- properties:
- action:
- enum:
- - Allow
- - Drop
- - Reject
- - Pass
- type: string
- appliedTo:
- items:
- properties:
- group:
- type: string
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceAccount:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- type: array
- enableLogging:
- type: boolean
- name:
- type: string
- ports:
- items:
- properties:
- endPort:
- type: integer
- port:
- x-kubernetes-int-or-string: true
- protocol:
- enum:
- - TCP
- - UDP
- - SCTP
- type: string
- type: object
- type: array
- to:
- items:
- properties:
- fqdn:
- type: string
- group:
- type: string
- ipBlock:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- namespaces:
- properties:
- match:
- type: string
- type: object
- nodeSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceAccount:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- type: array
- toServices:
- items:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: array
- required:
- - action
- type: object
- type: array
- ingress:
- items:
- properties:
- action:
- enum:
- - Allow
- - Drop
- - Reject
- - Pass
- type: string
- appliedTo:
- items:
- properties:
- group:
- type: string
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceAccount:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- type: array
- enableLogging:
- type: boolean
- from:
- items:
- properties:
- group:
- type: string
- ipBlock:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- namespaces:
- properties:
- match:
- enum:
- - Self
- type: string
- type: object
- nodeSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceAccount:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- type: array
- name:
- type: string
- ports:
- items:
- properties:
- endPort:
- type: integer
- port:
- x-kubernetes-int-or-string: true
- protocol:
- enum:
- - TCP
- - UDP
- - SCTP
- type: string
- type: object
- type: array
- required:
- - action
- type: object
- type: array
- priority:
- format: float
- maximum: 10000
- minimum: 1
- type: number
- tier:
- type: string
- required:
- - priority
- type: object
- status:
- properties:
- currentNodesRealized:
- type: integer
- desiredNodesRealized:
- type: integer
- observedGeneration:
- type: integer
- phase:
- type: string
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: egresses.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: Egress
- plural: egresses
- shortNames:
- - eg
- singular: egress
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: Specifies the SNAT IP address for the selected workloads.
- jsonPath: .spec.egressIP
- name: EgressIP
- type: string
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- - description: The Owner Node of egress IP
- jsonPath: .status.egressNode
- name: Node
- type: string
- name: v1alpha2
- schema:
- openAPIV3Schema:
- properties:
- spec:
- anyOf:
- - required:
- - egressIP
- - required:
- - externalIPPool
- properties:
- appliedTo:
- properties:
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- egressIP:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- externalIPPool:
- type: string
- required:
- - appliedTo
- type: object
- status:
- properties:
- egressNode:
- type: string
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
+type: Opaque
+stringData:
+ # Preshared Key used by IKE for authentication with peers.
+ psk: "changeme"
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
+# Source: antrea/templates/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
metadata:
+ name: antrea-config
+ namespace: kube-system
labels:
app: antrea
- name: externalentities.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: ExternalEntity
- plural: externalentities
- shortNames:
- - ee
- singular: externalentity
- scope: Namespaced
- versions:
- - name: v1alpha2
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- endpoints:
- items:
- properties:
- ip:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- name:
- type: string
- type: object
- type: array
- externalNode:
- type: string
- ports:
- items:
- properties:
- name:
- type: string
- port:
- x-kubernetes-int-or-string: true
- protocol:
- enum:
- - TCP
- - UDP
- - SCTP
- type: string
- type: object
- type: array
- type: object
- type: object
- served: true
- storage: true
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- type: object
- served: false
- storage: false
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: externalippools.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: ExternalIPPool
- plural: externalippools
- shortNames:
- - eip
- singular: externalippool
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: The number of total IPs
- jsonPath: .status.usage.total
- name: Total
- type: integer
- - description: The number of allocated IPs
- jsonPath: .status.usage.used
- name: Used
- type: integer
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha2
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- ipRanges:
- items:
- oneOf:
- - required:
- - cidr
- - required:
- - start
- - end
- properties:
- cidr:
- format: cidr
- type: string
- end:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- start:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- type: object
- type: array
- nodeSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- required:
- - ipRanges
- - nodeSelector
- type: object
- status:
- properties:
- usage:
- properties:
- total:
- type: integer
- used:
- type: integer
- type: object
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: ippools.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: IPPool
- plural: ippools
- shortNames:
- - ipp
- singular: ippool
- scope: Cluster
- versions:
- - name: v1alpha2
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- ipRanges:
- items:
- oneOf:
- - required:
- - cidr
- - gateway
- - prefixLength
- - required:
- - start
- - end
- - gateway
- - prefixLength
- properties:
- cidr:
- format: cidr
- type: string
- end:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- gateway:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- prefixLength:
- type: integer
- start:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- vlan:
- maximum: 4094
- minimum: 0
- type: integer
- type: object
- type: array
- ipVersion:
- type: integer
- required:
- - ipVersion
- - ipRanges
- type: object
- status:
- properties:
- ipAddresses:
- items:
- properties:
- ipAddress:
- type: string
- owner:
- properties:
- pod:
- properties:
- containerID:
- type: string
- ifName:
- type: string
- name:
- type: string
- namespace:
- type: string
- type: object
- statefulSet:
- properties:
- index:
- type: integer
- name:
- type: string
- namespace:
- type: string
- type: object
- type: object
- phase:
- type: string
- type: object
- type: array
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: networkpolicies.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: NetworkPolicy
- plural: networkpolicies
- shortNames:
- - anp
- singular: networkpolicy
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: The Tier to which this Antrea NetworkPolicy belongs to.
- jsonPath: .spec.tier
- name: Tier
- type: string
- - description: The Priority of this Antrea NetworkPolicy relative to other policies.
- format: float
- jsonPath: .spec.priority
- name: Priority
- type: number
- - description: The total number of Nodes that should realize the NetworkPolicy.
- format: int32
- jsonPath: .status.desiredNodesRealized
- name: Desired Nodes
- type: number
- - description: The number of Nodes that have realized the NetworkPolicy.
- format: int32
- jsonPath: .status.currentNodesRealized
- name: Current Nodes
- type: number
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- appliedTo:
- items:
- properties:
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- egress:
- items:
- properties:
- action:
- enum:
- - Allow
- - Drop
- - Reject
- - Pass
- type: string
- appliedTo:
- items:
- properties:
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- enableLogging:
- type: boolean
- name:
- type: string
- ports:
- items:
- properties:
- endPort:
- type: integer
- port:
- x-kubernetes-int-or-string: true
- protocol:
- enum:
- - TCP
- - UDP
- - SCTP
- type: string
- type: object
- type: array
- to:
- items:
- properties:
- externalEntitySelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- fqdn:
- type: string
- ipBlock:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- nodeSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- toServices:
- items:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- type: object
- type: array
- required:
- - action
- type: object
- type: array
- ingress:
- items:
- properties:
- action:
- enum:
- - Allow
- - Drop
- - Reject
- - Pass
- type: string
- appliedTo:
- items:
- properties:
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- enableLogging:
- type: boolean
- from:
- items:
- properties:
- externalEntitySelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- ipBlock:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- nodeSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- name:
- type: string
- ports:
- items:
- properties:
- endPort:
- type: integer
- port:
- x-kubernetes-int-or-string: true
- protocol:
- enum:
- - TCP
- - UDP
- - SCTP
- type: string
- type: object
- type: array
- required:
- - action
- type: object
- type: array
- priority:
- format: float
- maximum: 10000
- minimum: 1
- type: number
- tier:
- type: string
- required:
- - priority
- type: object
- status:
- properties:
- currentNodesRealized:
- type: integer
- desiredNodesRealized:
- type: integer
- observedGeneration:
- type: integer
- phase:
- type: string
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: tiers.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: Tier
- plural: tiers
- shortNames:
- - tr
- singular: tier
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: The Priority of this Tier relative to other Tiers.
- jsonPath: .spec.priority
- name: Priority
- type: integer
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- description:
- type: string
- priority:
- maximum: 255
- minimum: 0
- type: integer
- required:
- - priority
- type: object
- type: object
- served: true
- storage: true
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: traceflows.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: Traceflow
- plural: traceflows
- shortNames:
- - tf
- singular: traceflow
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: The phase of the Traceflow.
- jsonPath: .status.phase
- name: Phase
- type: string
- - description: The name of the source Pod.
- jsonPath: .spec.source.pod
- name: Source-Pod
- priority: 10
- type: string
- - description: The name of the destination Pod.
- jsonPath: .spec.destination.pod
- name: Destination-Pod
- priority: 10
- type: string
- - description: The IP address of the destination.
- jsonPath: .spec.destination.ip
- name: Destination-IP
- priority: 10
- type: string
- - description: Trace live traffic.
- jsonPath: .spec.liveTraffic
- name: Live-Traffic
- priority: 10
- type: boolean
- - description: Capture only the dropped packet.
- jsonPath: .spec.droppedOnly
- name: Dropped-Only
- priority: 10
- type: boolean
- - description: Timeout in seconds.
- jsonPath: .spec.timeout
- name: Timeout
- priority: 10
- type: integer
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- destination:
- properties:
- ip:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- namespace:
- type: string
- pod:
- type: string
- service:
- type: string
- type: object
- droppedOnly:
- type: boolean
- liveTraffic:
- type: boolean
- packet:
- properties:
- ipHeader:
- properties:
- flags:
- type: integer
- protocol:
- type: integer
- srcIP:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- ttl:
- type: integer
- type: object
- ipv6Header:
- properties:
- hopLimit:
- type: integer
- nextHeader:
- type: integer
- srcIP:
- format: ipv6
- type: string
- type: object
- transportHeader:
- properties:
- icmp:
- properties:
- id:
- type: integer
- sequence:
- type: integer
- type: object
- tcp:
- properties:
- dstPort:
- type: integer
- flags:
- type: integer
- srcPort:
- type: integer
- type: object
- udp:
- properties:
- dstPort:
- type: integer
- srcPort:
- type: integer
- type: object
- type: object
- type: object
- source:
- properties:
- ip:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- namespace:
- type: string
- pod:
- type: string
- type: object
- timeout:
- type: integer
- type: object
- status:
- properties:
- capturedPacket:
- properties:
- dstIP:
- type: string
- ipHeader:
- properties:
- flags:
- type: integer
- protocol:
- type: integer
- ttl:
- type: integer
- type: object
- ipv6Header:
- properties:
- hopLimit:
- type: integer
- nextHeader:
- type: integer
- type: object
- length:
- type: integer
- srcIP:
- type: string
- transportHeader:
- properties:
- icmp:
- properties:
- id:
- type: integer
- sequence:
- type: integer
- type: object
- tcp:
- properties:
- dstPort:
- type: integer
- flags:
- type: integer
- srcPort:
- type: integer
- type: object
- udp:
- properties:
- dstPort:
- type: integer
- srcPort:
- type: integer
- type: object
- type: object
- type: object
- dataplaneTag:
- type: integer
- phase:
- type: string
- reason:
- type: string
- results:
- items:
- properties:
- node:
- type: string
- observations:
- items:
- properties:
- action:
- type: string
- component:
- type: string
- componentInfo:
- type: string
- dstMAC:
- type: string
- networkPolicy:
- type: string
- pod:
- type: string
- translatedDstIP:
- type: string
- translatedSrcIP:
- type: string
- ttl:
- type: integer
- tunnelDstIP:
- type: string
- type: object
- type: array
- role:
- type: string
- timestamp:
- type: integer
- type: object
- type: array
- startTime:
- type: string
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app: antrea
- name: antctl
- namespace: kube-system
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app: antrea
- name: antrea-agent
- namespace: kube-system
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app: antrea
- name: antrea-controller
- namespace: kube-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
- name: aggregate-antrea-clustergroups-edit
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - clustergroups
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-view: "true"
- name: aggregate-antrea-clustergroups-view
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - clustergroups
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
- name: aggregate-antrea-policies-edit
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - clusternetworkpolicies
- - networkpolicies
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-view: "true"
- name: aggregate-antrea-policies-view
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - clusternetworkpolicies
- - networkpolicies
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
- name: aggregate-traceflows-edit
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - traceflows
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-view: "true"
- name: aggregate-traceflows-view
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - traceflows
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- name: antctl
-rules:
-- apiGroups:
- - controlplane.antrea.io
- resources:
- - networkpolicies
- - appliedtogroups
- - addressgroups
- verbs:
- - get
- - list
-- apiGroups:
- - stats.antrea.io
- resources:
- - networkpolicystats
- - antreaclusternetworkpolicystats
- - antreanetworkpolicystats
- verbs:
- - get
- - list
-- apiGroups:
- - system.antrea.io
- resources:
- - controllerinfos
- - agentinfos
- verbs:
- - get
-- apiGroups:
- - system.antrea.io
- resources:
- - supportbundles
- verbs:
- - get
- - post
-- apiGroups:
- - system.antrea.io
- resources:
- - supportbundles/download
- verbs:
- - get
-- nonResourceURLs:
- - /agentinfo
- - /addressgroups
- - /appliedtogroups
- - /loglevel
- - /networkpolicies
- - /ovsflows
- - /ovstracing
- - /podinterfaces
- - /featuregates
- verbs:
- - get
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- name: antrea-agent
-rules:
-- apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - ""
- resources:
- - nodes/status
- verbs:
- - patch
-- apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - ""
- resources:
- - pods/status
- verbs:
- - patch
-- apiGroups:
- - ""
- resources:
- - endpoints
- - services
- - namespaces
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - ""
- resources:
- - services/status
- verbs:
- - update
-- apiGroups:
- - discovery.k8s.io
- resources:
- - endpointslices
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - crd.antrea.io
- resources:
- - antreaagentinfos
- verbs:
- - get
- - create
- - update
- - delete
-- apiGroups:
- - controlplane.antrea.io
- resources:
- - networkpolicies
- - appliedtogroups
- - addressgroups
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - controlplane.antrea.io
- resources:
- - egressgroups
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - controlplane.antrea.io
- resources:
- - nodestatssummaries
- verbs:
- - create
-- apiGroups:
- - controlplane.antrea.io
- resources:
- - networkpolicies/status
- verbs:
- - create
- - get
-- apiGroups:
- - authentication.k8s.io
- resources:
- - tokenreviews
- verbs:
- - create
-- apiGroups:
- - authorization.k8s.io
- resources:
- - subjectaccessreviews
- verbs:
- - create
-- apiGroups:
- - ""
- resourceNames:
- - extension-apiserver-authentication
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ""
- resourceNames:
- - antrea-ca
- resources:
- - configmaps
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - crd.antrea.io
- resources:
- - traceflows
- - traceflows/status
- verbs:
- - get
- - watch
- - list
- - update
- - patch
- - create
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - egresses
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - crd.antrea.io
- resources:
- - egresses/status
- verbs:
- - update
-- apiGroups:
- - crd.antrea.io
- resources:
- - externalippools
- - ippools
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - crd.antrea.io
- resources:
- - ippools/status
- verbs:
- - update
-- apiGroups:
- - k8s.cni.cncf.io
- resources:
- - network-attachment-definitions
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- name: antrea-cluster-identity-reader
-rules:
-- apiGroups:
- - ""
- resourceNames:
- - antrea-cluster-identity
- resources:
- - configmaps
- verbs:
- - get
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- name: antrea-controller
-rules:
-- apiGroups:
- - ""
- resources:
- - pods
- - services
- - namespaces
- - configmaps
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - get
- - watch
- - list
- - patch
-- apiGroups:
- - ""
- resources:
- - services/status
- verbs:
- - update
-- apiGroups:
- - networking.k8s.io
- resources:
- - networkpolicies
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - authentication.k8s.io
- resources:
- - tokenreviews
- verbs:
- - create
-- apiGroups:
- - authorization.k8s.io
- resources:
- - subjectaccessreviews
- verbs:
- - create
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - get
- - update
-- apiGroups:
- - ""
- resourceNames:
- - extension-apiserver-authentication
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ""
- resourceNames:
- - antrea-ca
- - antrea-cluster-identity
- resources:
- - configmaps
- verbs:
- - get
- - update
-- apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - create
-- apiGroups:
- - apiregistration.k8s.io
- resourceNames:
- - v1alpha1.stats.antrea.io
- - v1beta1.system.antrea.io
- - v1beta2.controlplane.antrea.io
- resources:
- - apiservices
- verbs:
- - get
- - update
-- apiGroups:
- - apiregistration.k8s.io
- resourceNames:
- - v1beta1.networking.antrea.tanzu.vmware.com
- - v1beta1.controlplane.antrea.tanzu.vmware.com
- - v1alpha1.stats.antrea.tanzu.vmware.com
- - v1beta1.system.antrea.tanzu.vmware.com
- - v1beta2.controlplane.antrea.tanzu.vmware.com
- resources:
- - apiservices
- verbs:
- - delete
-- apiGroups:
- - admissionregistration.k8s.io
- resourceNames:
- - labelsmutator.antrea.io
- - crdmutator.antrea.io
- - crdvalidator.antrea.io
- resources:
- - mutatingwebhookconfigurations
- - validatingwebhookconfigurations
- verbs:
- - get
- - update
-- apiGroups:
- - crd.antrea.io
- resources:
- - antreacontrollerinfos
- verbs:
- - get
- - create
- - update
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - antreaagentinfos
- verbs:
- - list
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - clusternetworkpolicies
- - networkpolicies
- verbs:
- - get
- - watch
- - list
- - update
- - patch
- - create
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - clusternetworkpolicies/status
- - networkpolicies/status
- verbs:
- - update
-- apiGroups:
- - crd.antrea.io
- resources:
- - tiers
- verbs:
- - get
- - watch
- - list
- - update
- - patch
- - create
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - traceflows
- - traceflows/status
- verbs:
- - get
- - watch
- - list
- - update
- - patch
- - create
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - externalentities
- - clustergroups
- verbs:
- - get
- - watch
- - list
- - update
- - patch
- - create
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - clustergroups/status
- verbs:
- - update
-- apiGroups:
- - crd.antrea.io
- resources:
- - egresses
- verbs:
- - get
- - watch
- - list
- - update
- - patch
-- apiGroups:
- - crd.antrea.io
- resources:
- - externalippools
- - ippools
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - crd.antrea.io
- resources:
- - externalippools/status
- - ippools/status
- verbs:
- - update
-- apiGroups:
- - apps
- resources:
- - statefulsets
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app: antrea
- name: antctl
- namespace: kube-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: antctl
-subjects:
-- kind: ServiceAccount
- name: antctl
- namespace: kube-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app: antrea
- name: antrea-agent
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: antrea-agent
-subjects:
-- kind: ServiceAccount
- name: antrea-agent
- namespace: kube-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app: antrea
- name: antrea-controller
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: antrea-controller
-subjects:
-- kind: ServiceAccount
- name: antrea-controller
- namespace: kube-system
----
-apiVersion: v1
data:
antrea-agent.conf: |
# FeatureGates is a map of feature names to bools that enable or disable experimental features.
@@ -2790,19 +100,18 @@ data:
# Name of the OpenVSwitch bridge antrea-agent will create and use.
# Make sure it doesn't conflict with your existing OpenVSwitch bridges.
- #ovsBridge: br-int
+ ovsBridge: "br-int"
# Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are:
# - system
# - netdev
# 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run
- # OVS in userspace mode (not fully supported yet). Userspace mode requires the tun device driver to
- # be available.
+ # OVS in userspace mode. Userspace mode requires the tun device driver to be available.
#ovsDatapathType: system
# Name of the interface antrea-agent will create and use for host <--> pod communication.
# Make sure it doesn't conflict with your existing interfaces.
- #hostGateway: antrea-gw0
+ hostGateway: "antrea-gw0"
# Determines how traffic is encapsulated. It has the following options:
# encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network
@@ -2814,14 +123,14 @@ data:
# networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod
# IPAM and connectivity to the primary CNI.
#
- #trafficEncapMode: encap
+ trafficEncapMode: "encap"
# Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network.
# This option is for the noEncap traffic mode only, and the default value is false. In the noEncap
# mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to
# the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never
# performs SNAT and this option will be ignored; for other modes it must be set to false.
- #noSNAT: false
+ noSNAT: false
# Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode,
# this option will not take effect. Supported values:
@@ -2830,7 +139,7 @@ data:
# - gre
# - stt
# Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters).
- tunnelType: gre
+ tunnelType: "gre"
# Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode.
# It has the following options:
@@ -2840,7 +149,7 @@ data:
# the PSK value must be passed to Antrea Agent through an environment
# variable: ANTREA_IPSEC_PSK.
# - wireGuard: Enable WireGuard for tunnel traffic encryption.
- trafficEncryptionMode: ipsec
+ trafficEncryptionMode: "ipsec"
# Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected
# to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are
@@ -2849,40 +158,40 @@ data:
# This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only
# IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`,
# `trafficEncapMode` is `noEncap`, and `noSNAT` is true.
- #enableBridgingMode: false
+ enableBridgingMode: false
# Default MTU to use for the host gateway interface and the network interface of each Pod.
# If omitted, antrea-agent will discover the MTU of the Node's primary interface and
# also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
- #defaultMTU: 0
+ defaultMTU: 0
# wireGuard specifies WireGuard related configurations.
wireGuard:
- # The port for WireGuard to receive traffic.
- # port: 51820
+ # The port for WireGuard to receive traffic.
+ port: 51820
egress:
- # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses.
- # exceptCIDRs: []
+ # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses.
+ exceptCIDRs:
# ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
# set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
# AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
- #serviceCIDR: 10.96.0.0/12
+ serviceCIDR: ""
# ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
# cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
# --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
# No default value for this field.
- #serviceCIDRv6:
+ serviceCIDRv6: ""
# The port for the antrea-agent APIServer to serve on.
# Note that if it's set to another value, the `containerPort` of the `api` port of the
# `antrea-agent` container must be set to the same value.
- #apiPort: 10350
+ apiPort: 10350
# Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
- #enablePrometheusMetrics: true
+ enablePrometheusMetrics: true
# Provide the IPFIX collector address as a string with format :[][:].
# HOST can either be the DNS name or the IP of the Flow Collector. For example,
@@ -2893,50 +202,50 @@ data:
# If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
# "udp" protocols. "tls" is used for securing communication between flow exporter and
# flow aggregator.
- #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
+ flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
# Provide flow poll interval as a duration string. This determines how often the
# flow exporter dumps connections from the conntrack module. Flow poll interval
# should be greater than or equal to 1s (one second).
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
- #flowPollInterval: "5s"
+ flowPollInterval: "5s"
# Provide the active flow export timeout, which is the timeout after which a flow
# record is sent to the collector for active flows. Thus, for flows with a continuous
# stream of packets, a flow record will be exported to the collector once the elapsed
# time since the last export event is equal to the value of this timeout.
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
- #activeFlowExportTimeout: "30s"
+ activeFlowExportTimeout: "5s"
# Provide the idle flow export timeout, which is the timeout after which a flow
# record is sent to the collector for idle flows. A flow is considered idle if no
# packet matching this flow has been observed since the last export event.
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
- #idleFlowExportTimeout: "15s"
+ idleFlowExportTimeout: "15s"
nodePortLocal:
# Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To
# enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature
# gate is also enabled (which is the default).
- # enable: false
+ enable: false
# Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port
# from that range will be assigned whenever a Pod's container defines a specific port to be exposed
# (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic
# directed to that port will be forwarded to the Pod.
- # portRange: 61000-62000
+ portRange: "61000-62000"
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
- #kubeAPIServerOverride: ""
+ kubeAPIServerOverride: ""
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
# https://golang.org/pkg/crypto/tls/#pkg-constants
# Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
# prefer TLS1.3 Cipher Suites whenever possible.
- #tlsCipherSuites:
+ tlsCipherSuites: ""
# TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
- #tlsMinVersion:
+ tlsMinVersion: ""
# The name of the interface on Node which is used for tunneling or routing the traffic across Nodes.
# If there are multiple IP addresses configured on the interface, the first one is used. The IP
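Review bot: `activeFlowExportTimeout: "5s"` replaces a commented-out default of `"30s"`, so unlike every other key in this hunk (which only uncomment or quote the previous value) this line changes the agent's effective behavior: active flows are exported six times as often, multiplying the record volume sent to the flow collector. This manifest appears to be generated from the Helm chart (see the `# Source:` markers further down), so the value presumably comes from the chart's values file and the fix belongs there: either restore `activeFlowExportTimeout: "30s"` to keep the documented default, or keep `"5s"` and state the new default in the comment above it (`# ... Defaults to "5s".`) and in the commit message. The `antrea-agent.conf` block this hunk belongs to starts before and continues after the hunk.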
@@ -2945,11 +254,11 @@ data:
# 1. transportInterface
# 2. transportInterfaceCIDRs
# 3. The Node IP
- #transportInterface:
+ transportInterface: ""
# The names of the interfaces on Nodes that are used to forward multicast traffic.
# Defaults to transport interface if not set.
- #multicastInterfaces: []
+ multicastInterfaces:
# The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across
# Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The
@@ -2958,7 +267,7 @@ data:
# 1. transportInterface
# 2. transportInterfaceCIDRs
# 3. The Node IP
- #transportInterfaceCIDRs: [,]
+ transportInterfaceCIDRs:
# Option antreaProxy contains AntreaProxy related configuration options.
antreaProxy:
@@ -2967,22 +276,22 @@ data:
# feature to be enabled.
# Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access
# apiserver directly.
- #proxyAll: false
+ proxyAll: false
# A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks.
# (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses.
# Note that the option is only valid when proxyAll is true.
- #nodePortAddresses: []
+ nodePortAddresses:
# An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these
# Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name
# with Namespace (e.g. kube-system/kube-dns)
- #skipServices: []
+ skipServices:
# When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the
# External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional
# capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the
# external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy.
# Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and
# kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic.
- #proxyLoadBalancerIPs: true
+ proxyLoadBalancerIPs: true
antrea-cni.conflist: |
{
"cniVersion":"0.3.0",
@@ -2993,11 +302,13 @@ data:
"ipam": {
"type": "host-local"
}
- },
+ }
+ ,
{
"type": "portmap",
"capabilities": {"portMappings": true}
- },
+ }
+ ,
{
"type": "bandwidth",
"capabilities": {"bandwidth": true}
@@ -3035,703 +346,3353 @@ data:
# The port for the antrea-controller APIServer to serve on.
# Note that if it's set to another value, the `containerPort` of the `api` port of the
# `antrea-controller` container must be set to the same value.
- #apiPort: 10349
+ apiPort: 10349
# Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
- #enablePrometheusMetrics: true
+ enablePrometheusMetrics: true
# Indicates whether to use auto-generated self-signed TLS certificate.
- # If false, A Secret named "antrea-controller-tls" must be provided with the following keys:
+ # If false, a Secret named "antrea-controller-tls" must be provided with the following keys:
# ca.crt:
# tls.crt:
# tls.key:
- # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
- # antrea-controller container.
- #selfSignedCert: true
+ selfSignedCert: true
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
# https://golang.org/pkg/crypto/tls/#pkg-constants
# Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
# prefer TLS1.3 Cipher Suites whenever possible.
- #tlsCipherSuites:
+ tlsCipherSuites: ""
# TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
- #tlsMinVersion:
+ tlsMinVersion: ""
nodeIPAM:
- # Enable the integrated Node IPAM controller within the Antrea controller.
- # enableNodeIPAM: false
-
- # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges.
- # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family.
- # Value ignored when enableNodeIPAM is false.
- # clusterCIDRs: []
-
- # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs.
- # Value ignored when enableNodeIPAM is false.
- # serviceCIDR:
- # serviceCIDRv6:
-
- # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false
- # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30.
- # nodeCIDRMaskSizeIPv4: 24
-
- # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false
- # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
- # nodeCIDRMaskSizeIPv6: 64
-kind: ConfigMap
+ # Enable the integrated Node IPAM controller within the Antrea controller.
+ enableNodeIPAM: false
+ # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges.
+ # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family.
+ # Value ignored when enableNodeIPAM is false.
+ clusterCIDRs:
+ # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs.
+ # Value ignored when enableNodeIPAM is false.
+ serviceCIDR: ""
+ serviceCIDRv6: ""
+ # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false
+ # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30.
+ nodeCIDRMaskSizeIPv4: 24
+ # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false
+ # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
+ nodeCIDRMaskSizeIPv6: 64
+---
+# Source: antrea/templates/crds/antreaagentinfo.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: antreaagentinfos.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - description: Health status of this Agent
+ jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status"
+ name: Healthy
+ type: string
+ - description: Last time the Healthy Condition was updated
+ jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime"
+ name: Last Heartbeat
+ type: date
+ - description: Version of this Agent
+ jsonPath: ".version"
+ name: Version
+ type: string
+ priority: 1
+ - description: Node on which this Agent is running
+ jsonPath: ".nodeRef.name"
+ name: Node
+ type: string
+ priority: 1
+ - description: Number of local Pods managed by this Agent
+ jsonPath: ".localPodNum"
+ name: Num Pods
+ type: integer
+ priority: 2
+ - description: Subnets used by this Agent for Pod IPAM
+ jsonPath: ".nodeSubnets"
+ name: Subnets
+ type: string
+ priority: 2
+ scope: Cluster
+ names:
+ plural: antreaagentinfos
+ singular: antreaagentinfo
+ kind: AntreaAgentInfo
+ shortNames:
+ - aai
+---
+# Source: antrea/templates/crds/antreacontrollerinfo.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: antreacontrollerinfos.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - description: Health status of the Controller
+ jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status"
+ name: Healthy
+ type: string
+ - description: Last time the Healthy Condition was updated
+ jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime"
+ name: Last Heartbeat
+ type: date
+ - description: Version of the Controller
+ jsonPath: ".version"
+ name: Version
+ type: string
+ priority: 1
+ - description: Number of Agents connected to the Controller
+ jsonPath: ".connectedAgentNum"
+ name: Connected Agents
+ type: integer
+ priority: 1
+ - description: Node on which the Controller is running
+ jsonPath: ".nodeRef.name"
+ name: Node
+ type: string
+ priority: 1
+ - description: Number of Network Policies computed by Controller
+ jsonPath: ".networkPolicyControllerInfo.networkPolicyNum"
+ name: Num Network Policies
+ type: integer
+ priority: 2
+ scope: Cluster
+ names:
+ plural: antreacontrollerinfos
+ singular: antreacontrollerinfo
+ kind: AntreaControllerInfo
+ shortNames:
+ - aci
+---
+# Source: antrea/templates/crds/clustergroup.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clustergroups.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: false
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ childGroups:
+ type: array
+ items:
+ type: string
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ externalEntitySelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ ipBlocks:
+ type: array
+ items:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ serviceReference:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ status:
+ type: object
+ properties:
+ conditions:
+ type: array
+ items:
+ type: object
+ properties:
+ type:
+ type: string
+ status:
+ type: string
+ lastTransitionTime:
+ type: string
+ - name: v1alpha3
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ childGroups:
+ type: array
+ items:
+ type: string
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ externalEntitySelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ipBlocks:
+ type: array
+ items:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ serviceReference:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ status:
+ type: object
+ properties:
+ conditions:
+ type: array
+ items:
+ type: object
+ properties:
+ type:
+ type: string
+ status:
+ type: string
+ lastTransitionTime:
+ type: string
+ subresources:
+ status: {}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions: ["v1", "v1beta1"]
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: "kube-system"
+ path: "/convert/clustergroup"
+ scope: Cluster
+ names:
+ plural: clustergroups
+ singular: clustergroup
+ kind: ClusterGroup
+ shortNames:
+ - cg
+---
+# Source: antrea/templates/crds/clusternetworkpolicy.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusternetworkpolicies.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - name: Tier
+ type: string
+ description: The Tier to which this ClusterNetworkPolicy belongs to.
+ jsonPath: .spec.tier
+ - name: Priority
+ type: number
+ format: float
+ description: The Priority of this ClusterNetworkPolicy relative to other policies.
+ jsonPath: .spec.priority
+ - name: Desired Nodes
+ type: number
+ format: int32
+ description: The total number of Nodes that should realize the NetworkPolicy.
+ jsonPath: .status.desiredNodesRealized
+ - name: Current Nodes
+ type: number
+ format: int32
+ description: The number of Nodes that have realized the NetworkPolicy.
+ jsonPath: .status.currentNodesRealized
+ - name: Age
+ type: date
+ jsonPath: .metadata.creationTimestamp
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ # Ensure that Spec.Priority field is set
+ required:
+ - priority
+ type: object
+ properties:
+ tier:
+ type: string
+ priority:
+ type: number
+ format: float
+ # Ensure that Spec.Priority field is between 1 and 10000
+ minimum: 1.0
+ maximum: 10000.0
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that Spec.AppliedTo does not allow IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ group:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ ingress:
+ type: array
+ items:
+ type: object
+ required:
+ - action
+ properties:
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that rule AppliedTo does not allow IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ group:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ # Ensure that Action field allows only ALLOW, DROP and REJECT values
+ action:
+ type: string
+ enum: ['Allow', 'Drop', 'Reject', 'Pass']
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ endPort:
+ type: integer
+ from:
+ type: array
+ items:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaces:
+ type: object
+ properties:
+ match:
+ enum:
+ - Self
+ type: string
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ group:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ name:
+ type: string
+ enableLogging:
+ type: boolean
+ egress:
+ type: array
+ items:
+ type: object
+ required:
+ - action
+ properties:
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that rule AppliedTo does not allow IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ group:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ # Ensure that Action field allows only ALLOW, DROP and REJECT values
+ action:
+ type: string
+ enum: ['Allow', 'Drop', 'Reject', 'Pass']
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ endPort:
+ type: integer
+ to:
+ type: array
+ items:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaces:
+ type: object
+ properties:
+ match:
+ type: string
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ group:
+ type: string
+ fqdn:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ toServices:
+ type: array
+ items:
+ type: object
+ required:
+ - name
+ - namespace
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ name:
+ type: string
+ enableLogging:
+ type: boolean
+ status:
+ type: object
+ properties:
+ phase:
+ type: string
+ observedGeneration:
+ type: integer
+ currentNodesRealized:
+ type: integer
+ desiredNodesRealized:
+ type: integer
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: clusternetworkpolicies
+ singular: clusternetworkpolicy
+ kind: ClusterNetworkPolicy
+ shortNames:
+ - acnp
+---
+# Source: antrea/templates/crds/egress.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: egresses.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ required:
+ - spec
+ properties:
+ spec:
+ type: object
+ required:
+ - appliedTo
+ anyOf:
+ - required:
+ - egressIP
+ - required:
+ - externalIPPool
+ properties:
+ appliedTo:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ egressIP:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ externalIPPool:
+ type: string
+ status:
+ type: object
+ properties:
+ egressNode:
+ type: string
+ additionalPrinterColumns:
+ - description: Specifies the SNAT IP address for the selected workloads.
+ jsonPath: .spec.egressIP
+ name: EgressIP
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ - description: The Owner Node of egress IP
+ jsonPath: .status.egressNode
+ name: Node
+ type: string
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: egresses
+ singular: egress
+ kind: Egress
+ shortNames:
+ - eg
+---
+# Source: antrea/templates/crds/externalentity.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: externalentities.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ endpoints:
+ type: array
+ items:
+ type: object
+ properties:
+ ip:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ name:
+ type: string
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ name:
+ type: string
+ externalNode:
+ type: string
+ - name: v1alpha1
+ served: false
+ storage: false
+ schema:
+ openAPIV3Schema:
+ type: object
+ scope: Namespaced
+ names:
+ plural: externalentities
+ singular: externalentity
+ kind: ExternalEntity
+ shortNames:
+ - ee
+---
+# Source: antrea/templates/crds/externalippool.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: externalippools.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ required:
+ - spec
+ properties:
+ spec:
+ type: object
+ required:
+ - ipRanges
+ - nodeSelector
+ properties:
+ ipRanges:
+ type: array
+ items:
+ type: object
+ oneOf:
+ - required:
+ - cidr
+ - required:
+ - start
+ - end
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ start:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ end:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ type: object
+ properties:
+ usage:
+ type: object
+ properties:
+ total:
+ type: integer
+ used:
+ type: integer
+ additionalPrinterColumns:
+ - description: The number of total IPs
+ jsonPath: .status.usage.total
+ name: Total
+ type: integer
+ - description: The number of allocated IPs
+ jsonPath: .status.usage.used
+ name: Used
+ type: integer
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: externalippools
+ singular: externalippool
+ kind: ExternalIPPool
+ shortNames:
+ - eip
+---
+# Source: antrea/templates/crds/ippool.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: ippools.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ required:
+ - spec
+ properties:
+ spec:
+ required:
+ - ipVersion
+ - ipRanges
+ type: object
+ properties:
+ ipVersion:
+ type: integer
+ ipRanges:
+ items:
+ oneOf:
+ - required:
+ - cidr
+ - gateway
+ - prefixLength
+ - required:
+ - start
+ - end
+ - gateway
+ - prefixLength
+ properties:
+ cidr:
+ format: cidr
+ type: string
+ start:
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ type: string
+ end:
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ type: string
+ gateway:
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ type: string
+ prefixLength:
+ type: integer
+ vlan:
+ type: integer
+ minimum: 0
+ maximum: 4094
+ type: object
+ type: array
+ status:
+ properties:
+ ipAddresses:
+ items:
+ properties:
+ ipAddress:
+ type: string
+ owner:
+ properties:
+ pod:
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ containerID:
+ type: string
+ ifName:
+ type: string
+ type: object
+ statefulSet:
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ index:
+ type: integer
+ type: object
+ type: object
+ phase:
+ type: string
+ type: object
+ type: array
+ type: object
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: ippools
+ singular: ippool
+ kind: IPPool
+ shortNames:
+ - ipp
+---
+# Source: antrea/templates/crds/networkpolicy.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: networkpolicies.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - name: Tier
+ type: string
+ description: The Tier to which this Antrea NetworkPolicy belongs to.
+ jsonPath: .spec.tier
+ - name: Priority
+ type: number
+ format: float
+ description: The Priority of this Antrea NetworkPolicy relative to other policies.
+ jsonPath: .spec.priority
+ - name: Desired Nodes
+ type: number
+ format: int32
+ description: The total number of Nodes that should realize the NetworkPolicy.
+ jsonPath: .status.desiredNodesRealized
+ - name: Current Nodes
+ type: number
+ format: int32
+ description: The number of Nodes that have realized the NetworkPolicy.
+ jsonPath: .status.currentNodesRealized
+ - name: Age
+ type: date
+ jsonPath: .metadata.creationTimestamp
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ # Ensure that Spec.Priority field is set
+ required:
+ - priority
+ type: object
+ properties:
+ tier:
+ type: string
+ priority:
+ type: number
+ format: float
+ # Ensure that Spec.Priority field is between 1 and 10000
+ minimum: 1.0
+ maximum: 10000.0
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ingress:
+ type: array
+ items:
+ type: object
+ required:
+ - action
+ properties:
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ # Ensure that Action field allows only ALLOW, DROP and REJECT values
+ action:
+ type: string
+ enum: ['Allow', 'Drop', 'Reject', 'Pass']
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ endPort:
+ type: integer
+ from:
+ type: array
+ items:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ externalEntitySelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ name:
+ type: string
+ enableLogging:
+ type: boolean
+ egress:
+ type: array
+ items:
+ type: object
+ required:
+ - action
+ properties:
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ # Ensure that Action field allows only ALLOW, DROP and REJECT values
+ action:
+ type: string
+ enum: ['Allow', 'Drop', 'Reject', 'Pass']
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ endPort:
+ type: integer
+ to:
+ type: array
+ items:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ externalEntitySelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ fqdn:
+ type: string
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ toServices:
+ type: array
+ items:
+ type: object
+ required:
+ - name
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ name:
+ type: string
+ enableLogging:
+ type: boolean
+ status:
+ type: object
+ properties:
+ phase:
+ type: string
+ observedGeneration:
+ type: integer
+ currentNodesRealized:
+ type: integer
+ desiredNodesRealized:
+ type: integer
+ subresources:
+ status: {}
+ scope: Namespaced
+ names:
+ plural: networkpolicies
+ singular: networkpolicy
+ kind: NetworkPolicy
+ shortNames:
+ - anp
+---
+# Source: antrea/templates/crds/tier.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: tiers.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - name: Priority
+ type: integer
+ description: The Priority of this Tier relative to other Tiers.
+ jsonPath: .spec.priority
+ - name: Age
+ type: date
+ jsonPath: .metadata.creationTimestamp
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ required:
+ - priority
+ type: object
+ properties:
+ priority:
+ type: integer
+ minimum: 0
+ maximum: 255
+ description:
+ type: string
+ scope: Cluster
+ names:
+ plural: tiers
+ singular: tier
+ kind: Tier
+ shortNames:
+ - tr
+---
+# Source: antrea/templates/crds/traceflow.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: traceflows.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - jsonPath: .status.phase
+ description: The phase of the Traceflow.
+ name: Phase
+ type: string
+ - jsonPath: .spec.source.pod
+ description: The name of the source Pod.
+ name: Source-Pod
+ type: string
+ priority: 10
+ - jsonPath: .spec.destination.pod
+ description: The name of the destination Pod.
+ name: Destination-Pod
+ type: string
+ priority: 10
+ - jsonPath: .spec.destination.ip
+ description: The IP address of the destination.
+ name: Destination-IP
+ type: string
+ priority: 10
+ - jsonPath: .spec.liveTraffic
+ description: Trace live traffic.
+ name: Live-Traffic
+ type: boolean
+ priority: 10
+ - jsonPath: .spec.droppedOnly
+ description: Capture only the dropped packet.
+ name: Dropped-Only
+ type: boolean
+ priority: 10
+ - jsonPath: .spec.timeout
+ description: Timeout in seconds.
+ name: Timeout
+ type: integer
+ priority: 10
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ schema:
+ openAPIV3Schema:
+ type: object
+ required:
+ - spec
+ properties:
+ spec:
+ type: object
+ properties:
+ source:
+ type: object
+ properties:
+ pod:
+ type: string
+ namespace:
+ type: string
+ ip:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ destination:
+ type: object
+ properties:
+ pod:
+ type: string
+ service:
+ type: string
+ namespace:
+ type: string
+ ip:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ packet:
+ type: object
+ properties:
+ ipHeader:
+ type: object
+ properties:
+ srcIP:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ protocol:
+ type: integer
+ ttl:
+ type: integer
+ flags:
+ type: integer
+ ipv6Header:
+ type: object
+ properties:
+ srcIP:
+ type: string
+ format: ipv6
+ nextHeader:
+ type: integer
+ hopLimit:
+ type: integer
+ transportHeader:
+ type: object
+ properties:
+ icmp:
+ type: object
+ properties:
+ id:
+ type: integer
+ sequence:
+ type: integer
+ udp:
+ type: object
+ properties:
+ srcPort:
+ type: integer
+ dstPort:
+ type: integer
+ tcp:
+ type: object
+ properties:
+ srcPort:
+ type: integer
+ dstPort:
+ type: integer
+ flags:
+ type: integer
+ liveTraffic:
+ type: boolean
+ droppedOnly:
+ type: boolean
+ timeout:
+ type: integer
+ status:
+ type: object
+ properties:
+ reason:
+ type: string
+ dataplaneTag:
+ type: integer
+ phase:
+ type: string
+ startTime:
+ type: string
+ results:
+ type: array
+ items:
+ type: object
+ properties:
+ node:
+ type: string
+ role:
+ type: string
+ timestamp:
+ type: integer
+ observations:
+ type: array
+ items:
+ type: object
+ properties:
+ component:
+ type: string
+ componentInfo:
+ type: string
+ action:
+ type: string
+ pod:
+ type: string
+ dstMAC:
+ type: string
+ networkPolicy:
+ type: string
+ ttl:
+ type: integer
+ translatedSrcIP:
+ type: string
+ translatedDstIP:
+ type: string
+ tunnelDstIP:
+ type: string
+ capturedPacket:
+ properties:
+ srcIP:
+ type: string
+ dstIP:
+ type: string
+ length:
+ type: integer
+ ipHeader:
+ properties:
+ flags:
+ type: integer
+ protocol:
+ type: integer
+ ttl:
+ type: integer
+ type: object
+ ipv6Header:
+ properties:
+ hopLimit:
+ type: integer
+ nextHeader:
+ type: integer
+ type: object
+ transportHeader:
+ properties:
+ tcp:
+ properties:
+ dstPort:
+ type: integer
+ srcPort:
+ type: integer
+ flags:
+ type: integer
+ type: object
+ udp:
+ properties:
+ dstPort:
+ type: integer
+ srcPort:
+ type: integer
+ type: object
+ icmp:
+ properties:
+ id:
+ type: integer
+ sequence:
+ type: integer
+ type: object
+ type: object
+ type: object
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: traceflows
+ singular: traceflow
+ kind: Traceflow
+ shortNames:
+ - tf
+---
+# Source: antrea/templates/agent/clusterrole.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-agent
+ labels:
+ app: antrea
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/status
+ verbs:
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - pods/status
+ verbs:
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - endpoints
+ - services
+ - namespaces
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - services/status
+ verbs:
+ - update
+ - apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - antreaagentinfos
+ verbs:
+ - get
+ - create
+ - update
+ - delete
+ - apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - networkpolicies
+ - appliedtogroups
+ - addressgroups
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - egressgroups
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - nodestatssummaries
+ verbs:
+ - create
+ - apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - networkpolicies/status
+ verbs:
+ - create
+ - get
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+ # This is the content of built-in role kube-system/extension-apiserver-authentication-reader.
+ # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-agent) will
+ # have permission issue after bumping up apiserver library to a version that supports dynamic authentication.
+ # See https://github.com/kubernetes/kubernetes/pull/85375
+ # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on
+ # the extension-apiserver-authentication role.
+ - apiGroups:
+ - ""
+ resourceNames:
+ - extension-apiserver-authentication
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ resourceNames:
+ - antrea-ca
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - traceflows
+ - traceflows/status
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - egresses
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - egresses/status
+ verbs:
+ - update
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - externalippools
+ - ippools
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - ippools/status
+ verbs:
+ - update
+ - apiGroups:
+ - k8s.cni.cncf.io
+ resources:
+ - network-attachment-definitions
+ verbs:
+ - get
+ - list
+ - watch
+---
+# Source: antrea/templates/antctl/clusterrole.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antctl
+ labels:
+ app: antrea
+rules:
+ - apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - networkpolicies
+ - appliedtogroups
+ - addressgroups
+ verbs:
+ - get
+ - list
+ - apiGroups:
+ - stats.antrea.io
+ resources:
+ - networkpolicystats
+ - antreaclusternetworkpolicystats
+ - antreanetworkpolicystats
+ verbs:
+ - get
+ - list
+ - apiGroups:
+ - system.antrea.io
+ resources:
+ - controllerinfos
+ - agentinfos
+ verbs:
+ - get
+ - apiGroups:
+ - system.antrea.io
+ resources:
+ - supportbundles
+ verbs:
+ - get
+ - post
+ - apiGroups:
+ - system.antrea.io
+ resources:
+ - supportbundles/download
+ verbs:
+ - get
+ - nonResourceURLs:
+ - /agentinfo
+ - /addressgroups
+ - /appliedtogroups
+ - /loglevel
+ - /networkpolicies
+ - /ovsflows
+ - /ovstracing
+ - /podinterfaces
+ - /featuregates
+ verbs:
+ - get
+---
+# Source: antrea/templates/cluster-identity-reader/clusterrolebinding.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-cluster-identity-reader
+ labels:
+ app: antrea
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ resourceNames:
+ - antrea-cluster-identity
+ verbs:
+ - get
+---
+# Source: antrea/templates/controller/clusterrole.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-controller
+ labels:
+ app: antrea
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - services
+ - namespaces
+ - configmaps
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - watch
+ - list
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - services/status
+ verbs:
+ - update
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - networkpolicies
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+ - apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - update
+ # This is the content of built-in role kube-system/extension-apiserver-authentication-reader.
+ # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-controller) will
+ # have permission issue after bumping up apiserver library to a version that supports dynamic authentication.
+ # See https://github.com/kubernetes/kubernetes/pull/85375
+ # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on
+ # the extension-apiserver-authentication role.
+ - apiGroups:
+ - ""
+ resourceNames:
+ - extension-apiserver-authentication
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ resourceNames:
+ - antrea-ca
+ - antrea-cluster-identity
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - apiGroups:
+ - apiregistration.k8s.io
+ resources:
+ - apiservices
+ resourceNames:
+ - v1alpha1.stats.antrea.io
+ - v1beta1.system.antrea.io
+ - v1beta2.controlplane.antrea.io
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - apiregistration.k8s.io
+ resources:
+ - apiservices
+ resourceNames:
+ - v1beta1.networking.antrea.tanzu.vmware.com
+ - v1beta1.controlplane.antrea.tanzu.vmware.com
+ - v1alpha1.stats.antrea.tanzu.vmware.com
+ - v1beta1.system.antrea.tanzu.vmware.com
+ - v1beta2.controlplane.antrea.tanzu.vmware.com
+ verbs:
+ - delete
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ resourceNames:
+ # always give permissions for labelsmutator.antrea.io, even when the
+ # feature is disabled, to avoid errors in antrea-controller when updating
+ # the CA cert.
+ - labelsmutator.antrea.io
+ - crdmutator.antrea.io
+ - crdvalidator.antrea.io
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - antreacontrollerinfos
+ verbs:
+ - get
+ - create
+ - update
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - antreaagentinfos
+ verbs:
+ - list
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - clusternetworkpolicies
+ - networkpolicies
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - clusternetworkpolicies/status
+ - networkpolicies/status
+ verbs:
+ - update
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - tiers
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - traceflows
+ - traceflows/status
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - externalentities
+ - clustergroups
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - clustergroups/status
+ verbs:
+ - update
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - egresses
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - externalippools
+ - ippools
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - externalippools/status
+ - ippools/status
+ verbs:
+ - update
+ - apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - watch
+---
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
metadata:
+ name: aggregate-antrea-policies-edit
labels:
app: antrea
- name: antrea-config-29g6gtcctg
- namespace: kube-system
+ # Add these permissions to the "admin" and "edit" default roles.
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["clusternetworkpolicies", "networkpolicies"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
-apiVersion: v1
-kind: Secret
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: antrea-ipsec
- namespace: kube-system
-stringData:
- psk: changeme
-type: Opaque
+ name: aggregate-antrea-policies-view
+ labels:
+ app: antrea
+ # Add these permissions to the "view" default role.
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["clusternetworkpolicies", "networkpolicies"]
+ verbs: ["get", "list", "watch"]
---
-apiVersion: v1
-kind: Service
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: aggregate-traceflows-edit
+ labels:
+ app: antrea
+ # Add these permissions to the "admin" and "edit" default roles.
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["traceflows"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
+ name: aggregate-traceflows-view
+ labels:
+ app: antrea
+ # Add these permissions to the "view" default role.
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["traceflows"]
+ verbs: ["get", "list", "watch"]
+---
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: aggregate-antrea-clustergroups-edit
+ labels:
+ app: antrea
+ # Add these permissions to the "admin" and "edit" default roles.
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["clustergroups"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: aggregate-antrea-clustergroups-view
+ labels:
+ app: antrea
+ # Add these permissions to the "view" default role.
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["clustergroups"]
+ verbs: ["get", "list", "watch"]
+---
+# Source: antrea/templates/agent/clusterrolebinding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-agent
+ labels:
+ app: antrea
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: antrea-agent
+subjects:
+ - kind: ServiceAccount
+ name: antrea-agent
+ namespace: kube-system
+---
+# Source: antrea/templates/antctl/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: antrea
+ name: antctl
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: antctl
+subjects:
+ - kind: ServiceAccount
+ name: antctl
+ namespace: kube-system
+---
+# Source: antrea/templates/controller/clusterrolebinding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-controller
labels:
app: antrea
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: antrea-controller
+subjects:
+ - kind: ServiceAccount
+ name: antrea-controller
+ namespace: kube-system
+---
+# Source: antrea/templates/controller/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
name: antrea
namespace: kube-system
+ labels:
+ app: antrea
spec:
ports:
- - port: 443
- protocol: TCP
- targetPort: api
+ - port: 443
+ protocol: TCP
+ targetPort: api
selector:
app: antrea
component: antrea-controller
---
+# Source: antrea/templates/agent/daemonset.yaml
apiVersion: apps/v1
-kind: Deployment
+kind: DaemonSet
metadata:
+ name: antrea-agent
+ namespace: kube-system
labels:
app: antrea
- component: antrea-controller
+ component: antrea-agent
+spec:
+ selector:
+ matchLabels:
+ app: antrea
+ component: antrea-agent
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ annotations:
+ # Starting with v1.21, Kubernetes supports default container annotation.
+ # Using "kubectl logs/exec/attach/cp" doesn't have to specify "-c antrea-agent" when troubleshooting.
+ kubectl.kubernetes.io/default-container: antrea-agent
+ # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
+ # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
+ checksum/config: cd2d943645be405d6af5e8fa14fa9949ec82ac09efde547e6536fcd5b3013b5d
+ checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4
+ labels:
+ app: antrea
+ component: antrea-agent
+ spec:
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ priorityClassName: system-node-critical
+ nodeSelector:
+ kubernetes.io/os: linux
+ tolerations:
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - effect: NoSchedule
+ operator: Exists
+ - effect: NoExecute
+ operator: Exists
+ serviceAccountName: antrea-agent
+ initContainers:
+ - name: install-cni
+ image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest"
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: 100m
+ command: ["install_cni"]
+ securityContext:
+ capabilities:
+ add:
+ # SYS_MODULE is required to load the OVS kernel module.
+ - SYS_MODULE
+ env:
+ # SKIP_CNI_BINARIES takes in values as a comma separated list of
+ # binaries that need to be skipped for installation, e.g. "portmap, bandwidth".
+ - name: SKIP_CNI_BINARIES
+ value: ""
+ volumeMounts:
+ - name: antrea-config
+ mountPath: /etc/antrea/antrea-cni.conflist
+ subPath: antrea-cni.conflist
+ readOnly: true
+ - name: host-cni-conf
+ mountPath: /host/etc/cni/net.d
+ - name: host-cni-bin
+ mountPath: /host/opt/cni/bin
+ # For loading the OVS kernel module.
+ - name: host-lib-modules
+ mountPath: /lib/modules
+ readOnly: true
+ # For changing the default permissions of the run directory.
+ - name: host-var-run-antrea
+ mountPath: /var/run/antrea
+ containers:
+ - name: antrea-agent
+ image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest"
+ imagePullPolicy: IfNotPresent
+ command: ["antrea-agent"]
+ # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).-
+ args:
+ - "--config=/etc/antrea/antrea-agent.conf"
+ - "--logtostderr=false"
+ - "--log_dir=/var/log/antrea"
+ - "--alsologtostderr"
+ - "--log_file_max_size=100"
+ - "--log_file_max_num=4"
+ env:
+ # Provide pod and node information for clusterinformation CRD.
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ # Pre-shared key for IPsec IKE.
+ - name: ANTREA_IPSEC_PSK
+ valueFrom:
+ secretKeyRef:
+ name: antrea-ipsec
+ key: psk
+ resources:
+ requests:
+ cpu: 200m
+ ports:
+ - containerPort: 10350
+ name: api
+ protocol: TCP
+ livenessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - container_liveness_probe agent
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
+ periodSeconds: 10
+ failureThreshold: 5
+ readinessProbe:
+ httpGet:
+ host: localhost
+ path: /readyz
+ port: api
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
+ periodSeconds: 10
+ # In large-scale clusters, it may take up to 40~50 seconds for the antrea-agent to reconnect to the antrea
+ # Service after the antrea-controller restarts. The antrea-agent shouldn't be reported as NotReady in this
+ # scenario, otherwise the DaemonSet controller would restart all agents at once, as opposed to performing a
+ # rolling update. Set failureThreshold to 8 so it can tolerate 70s of disconnection.
+ failureThreshold: 8
+ securityContext:
+ # antrea-agent needs to perform sysctl configuration.
+ privileged: true
+ volumeMounts:
+ - name: antrea-config
+ mountPath: /etc/antrea/antrea-agent.conf
+ subPath: antrea-agent.conf
+ readOnly: true
+ - name: host-var-run-antrea
+ mountPath: /var/run/antrea
+ - name: host-var-run-antrea
+ mountPath: /var/run/openvswitch
+ subPath: openvswitch
+ # host-local IPAM stores allocated IP addresses as files in /var/lib/cni/networks/$NETWORK_NAME.
+ # Mount a sub-directory of host-var-run-antrea to it for persistence of IP allocation.
+ - name: host-var-run-antrea
+ mountPath: /var/lib/cni
+ subPath: cni
+ # We need to mount both the /proc directory and the /var/run/netns directory so that
+ # antrea-agent can open the network namespace path when setting up Pod
+ # networking. Different container runtimes may use /proc or /var/run/netns when invoking
+ # the CNI commands. Docker uses /proc and containerd uses /var/run/netns.
+ - name: host-var-log-antrea
+ mountPath: /var/log/antrea
+ - name: host-proc
+ mountPath: /host/proc
+ readOnly: true
+ - name: host-var-run-netns
+ mountPath: /host/var/run/netns
+ readOnly: true
+ # When a container is created, a mount point for the network namespace is added under
+ # /var/run/netns on the host, which needs to be propagated to the antrea-agent container.
+ mountPropagation: HostToContainer
+ - name: xtables-lock
+ mountPath: /run/xtables.lock
+ - name: antrea-ovs
+ image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest"
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: 200m
+ command: ["start_ovs"]
+ args:
+ - "--log_file_max_size=100"
+ - "--log_file_max_num=4"
+ securityContext:
+ # capabilities required by OVS daemons
+ capabilities:
+ add:
+ - SYS_NICE
+ - NET_ADMIN
+ - SYS_ADMIN
+ - IPC_LOCK
+ livenessProbe:
+ exec:
+ # docker CRI doesn't honor timeoutSeconds, add "timeout" to the command as a workaround.
+ # https://github.com/kubernetes/kubernetes/issues/51901
+ command:
+ - /bin/sh
+ - -c
+ - timeout 10 container_liveness_probe ovs
+ initialDelaySeconds: 5
+ timeoutSeconds: 10
+ periodSeconds: 10
+ failureThreshold: 5
+ volumeMounts:
+ - name: host-var-run-antrea
+ mountPath: /var/run/openvswitch
+ subPath: openvswitch
+ - name: host-var-log-antrea
+ mountPath: /var/log/openvswitch
+ subPath: openvswitch
+ - name: antrea-ipsec
+ image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest"
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: 50m
+ command: ["start_ovs_ipsec"]
+ livenessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - timeout 5 container_liveness_probe ovs-ipsec
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+ volumeMounts:
+ - name: host-var-run-antrea
+ mountPath: /var/run/openvswitch
+ subPath: openvswitch
+ - name: host-var-log-antrea
+ mountPath: /var/log/openvswitch
+ subPath: openvswitch
+ - name: host-var-log-antrea
+ mountPath: /var/log/strongswan
+ subPath: strongswan
+ volumes:
+ - name: antrea-config
+ configMap:
+ name: antrea-config
+ - name: host-cni-conf
+ hostPath:
+ path: /etc/cni/net.d
+ - name: host-cni-bin
+ hostPath:
+ path: /opt/cni/bin
+ - name: host-proc
+ hostPath:
+ path: /proc
+ - name: host-var-run-netns
+ hostPath:
+ path: /var/run/netns
+ - name: host-var-run-antrea
+ hostPath:
+ path: /var/run/antrea
+ # we use subPath to create run subdirectories for different component (e.g. OVS) and
+ # subPath requires the base volume to exist
+ type: DirectoryOrCreate
+ - name: host-var-log-antrea
+ hostPath:
+ path: /var/log/antrea
+ # we use subPath to create logging subdirectories for different component (e.g. OVS)
+ type: DirectoryOrCreate
+ - name: host-lib-modules
+ hostPath:
+ path: /lib/modules
+ - name: xtables-lock
+ hostPath:
+ path: /run/xtables.lock
+ type: FileOrCreate
+---
+# Source: antrea/templates/controller/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
name: antrea-controller
namespace: kube-system
+ labels:
+ app: antrea
+ component: antrea-controller
spec:
- replicas: 1
+ strategy:
+ # Ensure the existing Pod is stopped before the new one is created.
+ type: Recreate
selector:
matchLabels:
app: antrea
component: antrea-controller
- strategy:
- type: Recreate
+ replicas: 1
template:
metadata:
+ annotations:
+ # Automatically restart Pod if the ConfigMap changes
+ # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
+ checksum/config: cd2d943645be405d6af5e8fa14fa9949ec82ac09efde547e6536fcd5b3013b5d
labels:
app: antrea
component: antrea-controller
spec:
- containers:
- - args:
- - --config
- - /etc/antrea/antrea-controller.conf
- - --logtostderr=false
- - --log_dir=/var/log/antrea
- - --alsologtostderr
- - --log_file_max_size=100
- - --log_file_max_num=4
- - --v=0
- command:
- - antrea-controller
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- - name: SERVICEACCOUNT_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.serviceAccountName
- - name: ANTREA_CONFIG_MAP_NAME
- value: antrea-config-29g6gtcctg
- image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
- imagePullPolicy: IfNotPresent
- livenessProbe:
- failureThreshold: 5
- httpGet:
- host: localhost
- path: /livez
- port: api
- scheme: HTTPS
- periodSeconds: 10
- timeoutSeconds: 5
- name: antrea-controller
- ports:
- - containerPort: 10349
- name: api
- protocol: TCP
- readinessProbe:
- failureThreshold: 5
- httpGet:
- host: localhost
- path: /readyz
- port: api
- scheme: HTTPS
- initialDelaySeconds: 5
- periodSeconds: 10
- timeoutSeconds: 5
- resources:
- requests:
- cpu: 200m
- volumeMounts:
- - mountPath: /etc/antrea/antrea-controller.conf
- name: antrea-config
- readOnly: true
- subPath: antrea-controller.conf
- - mountPath: /var/run/antrea/antrea-controller-tls
- name: antrea-controller-tls
- - mountPath: /var/log/antrea
- name: host-var-log-antrea
- hostNetwork: true
nodeSelector:
kubernetes.io/os: linux
+ hostNetwork: true
priorityClassName: system-cluster-critical
- serviceAccountName: antrea-controller
tolerations:
- - key: CriticalAddonsOnly
- operator: Exists
- - effect: NoSchedule
- key: node-role.kubernetes.io/master
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/master
+ serviceAccountName: antrea-controller
+ containers:
+ - name: antrea-controller
+ image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest"
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: 200m
+ command: ["antrea-controller"]
+ # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).
+ args:
+ - "--config=/etc/antrea/antrea-controller.conf"
+ - "--logtostderr=false"
+ - "--log_dir=/var/log/antrea"
+ - "--alsologtostderr"
+ - "--log_file_max_size=100"
+ - "--log_file_max_num=4"
+ env:
+ # Provide pod and node information for clusterinformation CRD.
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ # Provide ServiceAccount name for validation webhook.
+ - name: SERVICEACCOUNT_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: ANTREA_CONFIG_MAP_NAME
+ value: antrea-config
+ ports:
+ - containerPort: 10349
+ name: api
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ host: localhost
+ path: /readyz
+ port: api
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
+ periodSeconds: 10
+ failureThreshold: 5
+ livenessProbe:
+ httpGet:
+ host: localhost
+ path: /livez
+ port: api
+ scheme: HTTPS
+ timeoutSeconds: 5
+ periodSeconds: 10
+ failureThreshold: 5
+ volumeMounts:
+ - name: antrea-config
+ mountPath: /etc/antrea/antrea-controller.conf
+ subPath: antrea-controller.conf
+ readOnly: true
+ - name: antrea-controller-tls
+ mountPath: /var/run/antrea/antrea-controller-tls
+ - name: host-var-log-antrea
+ mountPath: /var/log/antrea
volumes:
- - configMap:
- name: antrea-config-29g6gtcctg
- name: antrea-config
- - name: antrea-controller-tls
- secret:
- defaultMode: 256
- optional: true
- secretName: antrea-controller-tls
- - hostPath:
- path: /var/log/antrea
- type: DirectoryOrCreate
- name: host-var-log-antrea
+ - name: antrea-config
+ configMap:
+ name: antrea-config
+ # Make it optional as we only read it when selfSignedCert=false.
+ - name: antrea-controller-tls
+ secret:
+ secretName: antrea-controller-tls
+ defaultMode: 0400
+ optional: true
+ - name: host-var-log-antrea
+ hostPath:
+ path: /var/log/antrea
+ type: DirectoryOrCreate
---
+# Source: antrea/templates/controller/apiservices.yaml
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
+ name: v1beta2.controlplane.antrea.io
labels:
app: antrea
- name: v1alpha1.stats.antrea.io
spec:
- group: stats.antrea.io
+ group: controlplane.antrea.io
groupPriorityMinimum: 100
+ version: v1beta2
+ versionPriority: 100
service:
name: antrea
namespace: kube-system
- version: v1alpha1
- versionPriority: 100
---
+# Source: antrea/templates/controller/apiservices.yaml
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
+ name: v1beta1.system.antrea.io
labels:
app: antrea
- name: v1beta1.system.antrea.io
spec:
group: system.antrea.io
groupPriorityMinimum: 100
+ version: v1beta1
+ versionPriority: 100
service:
name: antrea
namespace: kube-system
- version: v1beta1
- versionPriority: 100
---
+# Source: antrea/templates/controller/apiservices.yaml
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
+ name: v1alpha1.stats.antrea.io
labels:
app: antrea
- name: v1beta2.controlplane.antrea.io
spec:
- group: controlplane.antrea.io
+ group: stats.antrea.io
groupPriorityMinimum: 100
+ version: v1alpha1
+ versionPriority: 100
service:
name: antrea
namespace: kube-system
- version: v1beta2
- versionPriority: 100
----
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- labels:
- app: antrea
- component: antrea-agent
- name: antrea-agent
- namespace: kube-system
-spec:
- selector:
- matchLabels:
- app: antrea
- component: antrea-agent
- template:
- metadata:
- annotations:
- kubectl.kubernetes.io/default-container: antrea-agent
- labels:
- app: antrea
- component: antrea-agent
- spec:
- containers:
- - command:
- - start_ovs_ipsec
- image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
- imagePullPolicy: IfNotPresent
- livenessProbe:
- exec:
- command:
- - /bin/sh
- - -c
- - timeout 5 container_liveness_probe ovs-ipsec
- initialDelaySeconds: 5
- periodSeconds: 5
- name: antrea-ipsec
- resources:
- requests:
- cpu: 50m
- securityContext:
- capabilities:
- add:
- - NET_ADMIN
- volumeMounts:
- - mountPath: /var/run/openvswitch
- name: host-var-run-antrea
- subPath: openvswitch
- - mountPath: /var/log/openvswitch
- name: host-var-log-antrea
- subPath: openvswitch
- - mountPath: /var/log/strongswan
- name: host-var-log-antrea
- subPath: strongswan
- - args:
- - --config
- - /etc/antrea/antrea-agent.conf
- - --logtostderr=false
- - --log_dir=/var/log/antrea
- - --alsologtostderr
- - --log_file_max_size=100
- - --log_file_max_num=4
- - --v=0
- command:
- - antrea-agent
- env:
- - name: ANTREA_IPSEC_PSK
- valueFrom:
- secretKeyRef:
- key: psk
- name: antrea-ipsec
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
- imagePullPolicy: IfNotPresent
- livenessProbe:
- exec:
- command:
- - /bin/sh
- - -c
- - container_liveness_probe agent
- failureThreshold: 5
- initialDelaySeconds: 5
- periodSeconds: 10
- timeoutSeconds: 5
- name: antrea-agent
- ports:
- - containerPort: 10350
- name: api
- protocol: TCP
- readinessProbe:
- failureThreshold: 8
- httpGet:
- host: localhost
- path: /readyz
- port: api
- scheme: HTTPS
- initialDelaySeconds: 5
- periodSeconds: 10
- timeoutSeconds: 5
- resources:
- requests:
- cpu: 200m
- securityContext:
- privileged: true
- volumeMounts:
- - mountPath: /etc/antrea/antrea-agent.conf
- name: antrea-config
- readOnly: true
- subPath: antrea-agent.conf
- - mountPath: /var/run/antrea
- name: host-var-run-antrea
- - mountPath: /var/run/openvswitch
- name: host-var-run-antrea
- subPath: openvswitch
- - mountPath: /var/lib/cni
- name: host-var-run-antrea
- subPath: cni
- - mountPath: /var/log/antrea
- name: host-var-log-antrea
- - mountPath: /host/proc
- name: host-proc
- readOnly: true
- - mountPath: /host/var/run/netns
- mountPropagation: HostToContainer
- name: host-var-run-netns
- readOnly: true
- - mountPath: /run/xtables.lock
- name: xtables-lock
- - args:
- - --log_file_max_size=100
- - --log_file_max_num=4
- command:
- - start_ovs
- image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
- imagePullPolicy: IfNotPresent
- livenessProbe:
- exec:
- command:
- - /bin/sh
- - -c
- - timeout 10 container_liveness_probe ovs
- failureThreshold: 5
- initialDelaySeconds: 5
- periodSeconds: 10
- timeoutSeconds: 10
- name: antrea-ovs
- resources:
- requests:
- cpu: 200m
- securityContext:
- capabilities:
- add:
- - SYS_NICE
- - NET_ADMIN
- - SYS_ADMIN
- - IPC_LOCK
- volumeMounts:
- - mountPath: /var/run/openvswitch
- name: host-var-run-antrea
- subPath: openvswitch
- - mountPath: /var/log/openvswitch
- name: host-var-log-antrea
- subPath: openvswitch
- dnsPolicy: ClusterFirstWithHostNet
- hostNetwork: true
- initContainers:
- - command:
- - install_cni
- env:
- - name: SKIP_CNI_BINARIES
- value: ""
- image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
- imagePullPolicy: IfNotPresent
- name: install-cni
- resources:
- requests:
- cpu: 100m
- securityContext:
- capabilities:
- add:
- - SYS_MODULE
- volumeMounts:
- - mountPath: /etc/antrea/antrea-cni.conflist
- name: antrea-config
- readOnly: true
- subPath: antrea-cni.conflist
- - mountPath: /host/etc/cni/net.d
- name: host-cni-conf
- - mountPath: /host/opt/cni/bin
- name: host-cni-bin
- - mountPath: /lib/modules
- name: host-lib-modules
- readOnly: true
- - mountPath: /var/run/antrea
- name: host-var-run-antrea
- nodeSelector:
- kubernetes.io/os: linux
- priorityClassName: system-node-critical
- serviceAccountName: antrea-agent
- tolerations:
- - key: CriticalAddonsOnly
- operator: Exists
- - effect: NoSchedule
- operator: Exists
- - effect: NoExecute
- operator: Exists
- volumes:
- - configMap:
- name: antrea-config-29g6gtcctg
- name: antrea-config
- - hostPath:
- path: /etc/cni/net.d
- name: host-cni-conf
- - hostPath:
- path: /opt/cni/bin
- name: host-cni-bin
- - hostPath:
- path: /proc
- name: host-proc
- - hostPath:
- path: /var/run/netns
- name: host-var-run-netns
- - hostPath:
- path: /var/run/antrea
- type: DirectoryOrCreate
- name: host-var-run-antrea
- - hostPath:
- path: /var/log/antrea
- type: DirectoryOrCreate
- name: host-var-log-antrea
- - hostPath:
- path: /lib/modules
- name: host-lib-modules
- - hostPath:
- path: /run/xtables.lock
- type: FileOrCreate
- name: xtables-lock
- updateStrategy:
- type: RollingUpdate
---
+# Source: antrea/templates/webhooks/mutating/crdmutator.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
+ name: "crdmutator.antrea.io"
labels:
app: antrea
- name: crdmutator.antrea.io
webhooks:
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /mutate/acnp
- name: acnpmutator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha1
- operations:
- - CREATE
- - UPDATE
- resources:
- - clusternetworkpolicies
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /mutate/anp
- name: anpmutator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha1
- operations:
- - CREATE
- - UPDATE
- resources:
- - networkpolicies
- scope: Namespaced
- sideEffects: None
- timeoutSeconds: 5
+ - name: "acnpmutator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/mutate/acnp"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["clusternetworkpolicies"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "anpmutator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/mutate/anp"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["networkpolicies"]
+ scope: "Namespaced"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
---
+# Source: antrea/templates/webhooks/validating/crdvalidator.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
+ name: "crdvalidator.antrea.io"
labels:
app: antrea
- name: crdvalidator.antrea.io
webhooks:
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/tier
- name: tiervalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha1
- operations:
- - CREATE
- - UPDATE
- - DELETE
- resources:
- - tiers
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/acnp
- name: acnpvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha1
- operations:
- - CREATE
- - UPDATE
- resources:
- - clusternetworkpolicies
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/anp
- name: anpvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha1
- operations:
- - CREATE
- - UPDATE
- resources:
- - networkpolicies
- scope: Namespaced
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/clustergroup
- name: clustergroupvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha3
- - v1alpha2
- operations:
- - CREATE
- - UPDATE
- resources:
- - clustergroups
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/externalippool
- name: externalippoolvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha2
- operations:
- - UPDATE
- resources:
- - externalippools
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/egress
- name: egressvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha2
- operations:
- - CREATE
- - UPDATE
- resources:
- - egresses
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/ippool
- name: ippoolvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha2
- operations:
- - CREATE
- - UPDATE
- - DELETE
- resources:
- - ippools
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
+ - name: "tiervalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/tier"
+ rules:
+ - operations: ["CREATE", "UPDATE", "DELETE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["tiers"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "acnpvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/acnp"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["clusternetworkpolicies"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "anpvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/anp"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["networkpolicies"]
+ scope: "Namespaced"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "clustergroupvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/clustergroup"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha3", "v1alpha2"]
+ resources: ["clustergroups"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "externalippoolvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/externalippool"
+ rules:
+ - operations: ["UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha2"]
+ resources: ["externalippools"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "egressvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/egress"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha2"]
+ resources: ["egresses"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "ippoolvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/ippool"
+ rules:
+ - operations: ["CREATE", "UPDATE", "DELETE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha2"]
+ resources: ["ippools"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml
index 9501d9275ef..f58da9f625e 100644
--- a/build/yamls/antrea.yml
+++ b/build/yamls/antrea.yml
@@ -1,2742 +1,39 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
+---
+# Source: antrea/templates/agent/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
metadata:
+ name: antrea-agent
+ namespace: kube-system
labels:
app: antrea
- name: antreaagentinfos.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: AntreaAgentInfo
- plural: antreaagentinfos
- shortNames:
- - aai
- singular: antreaagentinfo
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: Health status of this Agent
- jsonPath: .agentConditions[?(@.type=='AgentHealthy')].status
- name: Healthy
- type: string
- - description: Last time the Healthy Condition was updated
- jsonPath: .agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime
- name: Last Heartbeat
- type: date
- - description: Version of this Agent
- jsonPath: .version
- name: Version
- priority: 1
- type: string
- - description: Node on which this Agent is running
- jsonPath: .nodeRef.name
- name: Node
- priority: 1
- type: string
- - description: Number of local Pods managed by this Agent
- jsonPath: .localPodNum
- name: Num Pods
- priority: 2
- type: integer
- - description: Subnets used by this Agent for Pod IPAM
- jsonPath: .nodeSubnets
- name: Subnets
- priority: 2
- type: string
- name: v1beta1
- schema:
- openAPIV3Schema:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- served: true
- storage: true
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
+# Source: antrea/templates/antctl/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
metadata:
+ name: antctl
+ namespace: kube-system
labels:
app: antrea
- name: antreacontrollerinfos.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: AntreaControllerInfo
- plural: antreacontrollerinfos
- shortNames:
- - aci
- singular: antreacontrollerinfo
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: Health status of the Controller
- jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].status
- name: Healthy
- type: string
- - description: Last time the Healthy Condition was updated
- jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime
- name: Last Heartbeat
- type: date
- - description: Version of the Controller
- jsonPath: .version
- name: Version
- priority: 1
- type: string
- - description: Number of Agents connected to the Controller
- jsonPath: .connectedAgentNum
- name: Connected Agents
- priority: 1
- type: integer
- - description: Node on which the Controller is running
- jsonPath: .nodeRef.name
- name: Node
- priority: 1
- type: string
- - description: Number of Network Policies computed by Controller
- jsonPath: .networkPolicyControllerInfo.networkPolicyNum
- name: Num Network Policies
- priority: 2
- type: integer
- name: v1beta1
- schema:
- openAPIV3Schema:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- served: true
- storage: true
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
+# Source: antrea/templates/controller/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
metadata:
+ name: antrea-controller
+ namespace: kube-system
labels:
app: antrea
- name: clustergroups.crd.antrea.io
-spec:
- conversion:
- strategy: Webhook
- webhook:
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /convert/clustergroup
- conversionReviewVersions:
- - v1
- - v1beta1
- group: crd.antrea.io
- names:
- kind: ClusterGroup
- plural: clustergroups
- shortNames:
- - cg
- singular: clustergroup
- scope: Cluster
- versions:
- - name: v1alpha2
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- childGroups:
- items:
- type: string
- type: array
- externalEntitySelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- ipBlock:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- ipBlocks:
- items:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- type: array
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceReference:
- properties:
- name:
- type: string
- namespace:
- type: string
- type: object
- type: object
- status:
- properties:
- conditions:
- items:
- properties:
- lastTransitionTime:
- type: string
- status:
- type: string
- type:
- type: string
- type: object
- type: array
- type: object
- type: object
- served: true
- storage: false
- - name: v1alpha3
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- childGroups:
- items:
- type: string
- type: array
- externalEntitySelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- ipBlocks:
- items:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- type: array
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceReference:
- properties:
- name:
- type: string
- namespace:
- type: string
- type: object
- type: object
- status:
- properties:
- conditions:
- items:
- properties:
- lastTransitionTime:
- type: string
- status:
- type: string
- type:
- type: string
- type: object
- type: array
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
+# Source: antrea/templates/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
metadata:
+ name: antrea-config
+ namespace: kube-system
labels:
app: antrea
- name: clusternetworkpolicies.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: ClusterNetworkPolicy
- plural: clusternetworkpolicies
- shortNames:
- - acnp
- singular: clusternetworkpolicy
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: The Tier to which this ClusterNetworkPolicy belongs to.
- jsonPath: .spec.tier
- name: Tier
- type: string
- - description: The Priority of this ClusterNetworkPolicy relative to other policies.
- format: float
- jsonPath: .spec.priority
- name: Priority
- type: number
- - description: The total number of Nodes that should realize the NetworkPolicy.
- format: int32
- jsonPath: .status.desiredNodesRealized
- name: Desired Nodes
- type: number
- - description: The number of Nodes that have realized the NetworkPolicy.
- format: int32
- jsonPath: .status.currentNodesRealized
- name: Current Nodes
- type: number
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- appliedTo:
- items:
- properties:
- group:
- type: string
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceAccount:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- type: array
- egress:
- items:
- properties:
- action:
- enum:
- - Allow
- - Drop
- - Reject
- - Pass
- type: string
- appliedTo:
- items:
- properties:
- group:
- type: string
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceAccount:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- type: array
- enableLogging:
- type: boolean
- name:
- type: string
- ports:
- items:
- properties:
- endPort:
- type: integer
- port:
- x-kubernetes-int-or-string: true
- protocol:
- enum:
- - TCP
- - UDP
- - SCTP
- type: string
- type: object
- type: array
- to:
- items:
- properties:
- fqdn:
- type: string
- group:
- type: string
- ipBlock:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- namespaces:
- properties:
- match:
- type: string
- type: object
- nodeSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceAccount:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- type: array
- toServices:
- items:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: array
- required:
- - action
- type: object
- type: array
- ingress:
- items:
- properties:
- action:
- enum:
- - Allow
- - Drop
- - Reject
- - Pass
- type: string
- appliedTo:
- items:
- properties:
- group:
- type: string
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceAccount:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- type: array
- enableLogging:
- type: boolean
- from:
- items:
- properties:
- group:
- type: string
- ipBlock:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- namespaces:
- properties:
- match:
- enum:
- - Self
- type: string
- type: object
- nodeSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- serviceAccount:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- type: array
- name:
- type: string
- ports:
- items:
- properties:
- endPort:
- type: integer
- port:
- x-kubernetes-int-or-string: true
- protocol:
- enum:
- - TCP
- - UDP
- - SCTP
- type: string
- type: object
- type: array
- required:
- - action
- type: object
- type: array
- priority:
- format: float
- maximum: 10000
- minimum: 1
- type: number
- tier:
- type: string
- required:
- - priority
- type: object
- status:
- properties:
- currentNodesRealized:
- type: integer
- desiredNodesRealized:
- type: integer
- observedGeneration:
- type: integer
- phase:
- type: string
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: egresses.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: Egress
- plural: egresses
- shortNames:
- - eg
- singular: egress
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: Specifies the SNAT IP address for the selected workloads.
- jsonPath: .spec.egressIP
- name: EgressIP
- type: string
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- - description: The Owner Node of egress IP
- jsonPath: .status.egressNode
- name: Node
- type: string
- name: v1alpha2
- schema:
- openAPIV3Schema:
- properties:
- spec:
- anyOf:
- - required:
- - egressIP
- - required:
- - externalIPPool
- properties:
- appliedTo:
- properties:
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- egressIP:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- externalIPPool:
- type: string
- required:
- - appliedTo
- type: object
- status:
- properties:
- egressNode:
- type: string
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: externalentities.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: ExternalEntity
- plural: externalentities
- shortNames:
- - ee
- singular: externalentity
- scope: Namespaced
- versions:
- - name: v1alpha2
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- endpoints:
- items:
- properties:
- ip:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- name:
- type: string
- type: object
- type: array
- externalNode:
- type: string
- ports:
- items:
- properties:
- name:
- type: string
- port:
- x-kubernetes-int-or-string: true
- protocol:
- enum:
- - TCP
- - UDP
- - SCTP
- type: string
- type: object
- type: array
- type: object
- type: object
- served: true
- storage: true
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- type: object
- served: false
- storage: false
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: externalippools.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: ExternalIPPool
- plural: externalippools
- shortNames:
- - eip
- singular: externalippool
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: The number of total IPs
- jsonPath: .status.usage.total
- name: Total
- type: integer
- - description: The number of allocated IPs
- jsonPath: .status.usage.used
- name: Used
- type: integer
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha2
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- ipRanges:
- items:
- oneOf:
- - required:
- - cidr
- - required:
- - start
- - end
- properties:
- cidr:
- format: cidr
- type: string
- end:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- start:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- type: object
- type: array
- nodeSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- required:
- - ipRanges
- - nodeSelector
- type: object
- status:
- properties:
- usage:
- properties:
- total:
- type: integer
- used:
- type: integer
- type: object
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: ippools.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: IPPool
- plural: ippools
- shortNames:
- - ipp
- singular: ippool
- scope: Cluster
- versions:
- - name: v1alpha2
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- ipRanges:
- items:
- oneOf:
- - required:
- - cidr
- - gateway
- - prefixLength
- - required:
- - start
- - end
- - gateway
- - prefixLength
- properties:
- cidr:
- format: cidr
- type: string
- end:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- gateway:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- prefixLength:
- type: integer
- start:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- vlan:
- maximum: 4094
- minimum: 0
- type: integer
- type: object
- type: array
- ipVersion:
- type: integer
- required:
- - ipVersion
- - ipRanges
- type: object
- status:
- properties:
- ipAddresses:
- items:
- properties:
- ipAddress:
- type: string
- owner:
- properties:
- pod:
- properties:
- containerID:
- type: string
- ifName:
- type: string
- name:
- type: string
- namespace:
- type: string
- type: object
- statefulSet:
- properties:
- index:
- type: integer
- name:
- type: string
- namespace:
- type: string
- type: object
- type: object
- phase:
- type: string
- type: object
- type: array
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: networkpolicies.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: NetworkPolicy
- plural: networkpolicies
- shortNames:
- - anp
- singular: networkpolicy
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: The Tier to which this Antrea NetworkPolicy belongs to.
- jsonPath: .spec.tier
- name: Tier
- type: string
- - description: The Priority of this Antrea NetworkPolicy relative to other policies.
- format: float
- jsonPath: .spec.priority
- name: Priority
- type: number
- - description: The total number of Nodes that should realize the NetworkPolicy.
- format: int32
- jsonPath: .status.desiredNodesRealized
- name: Desired Nodes
- type: number
- - description: The number of Nodes that have realized the NetworkPolicy.
- format: int32
- jsonPath: .status.currentNodesRealized
- name: Current Nodes
- type: number
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- appliedTo:
- items:
- properties:
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- egress:
- items:
- properties:
- action:
- enum:
- - Allow
- - Drop
- - Reject
- - Pass
- type: string
- appliedTo:
- items:
- properties:
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- enableLogging:
- type: boolean
- name:
- type: string
- ports:
- items:
- properties:
- endPort:
- type: integer
- port:
- x-kubernetes-int-or-string: true
- protocol:
- enum:
- - TCP
- - UDP
- - SCTP
- type: string
- type: object
- type: array
- to:
- items:
- properties:
- externalEntitySelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- fqdn:
- type: string
- ipBlock:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- nodeSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- toServices:
- items:
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- type: object
- type: array
- required:
- - action
- type: object
- type: array
- ingress:
- items:
- properties:
- action:
- enum:
- - Allow
- - Drop
- - Reject
- - Pass
- type: string
- appliedTo:
- items:
- properties:
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- enableLogging:
- type: boolean
- from:
- items:
- properties:
- externalEntitySelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- ipBlock:
- properties:
- cidr:
- format: cidr
- type: string
- type: object
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- nodeSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- podSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- name:
- type: string
- ports:
- items:
- properties:
- endPort:
- type: integer
- port:
- x-kubernetes-int-or-string: true
- protocol:
- enum:
- - TCP
- - UDP
- - SCTP
- type: string
- type: object
- type: array
- required:
- - action
- type: object
- type: array
- priority:
- format: float
- maximum: 10000
- minimum: 1
- type: number
- tier:
- type: string
- required:
- - priority
- type: object
- status:
- properties:
- currentNodesRealized:
- type: integer
- desiredNodesRealized:
- type: integer
- observedGeneration:
- type: integer
- phase:
- type: string
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: tiers.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: Tier
- plural: tiers
- shortNames:
- - tr
- singular: tier
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: The Priority of this Tier relative to other Tiers.
- jsonPath: .spec.priority
- name: Priority
- type: integer
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- description:
- type: string
- priority:
- maximum: 255
- minimum: 0
- type: integer
- required:
- - priority
- type: object
- type: object
- served: true
- storage: true
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: antrea
- name: traceflows.crd.antrea.io
-spec:
- group: crd.antrea.io
- names:
- kind: Traceflow
- plural: traceflows
- shortNames:
- - tf
- singular: traceflow
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: The phase of the Traceflow.
- jsonPath: .status.phase
- name: Phase
- type: string
- - description: The name of the source Pod.
- jsonPath: .spec.source.pod
- name: Source-Pod
- priority: 10
- type: string
- - description: The name of the destination Pod.
- jsonPath: .spec.destination.pod
- name: Destination-Pod
- priority: 10
- type: string
- - description: The IP address of the destination.
- jsonPath: .spec.destination.ip
- name: Destination-IP
- priority: 10
- type: string
- - description: Trace live traffic.
- jsonPath: .spec.liveTraffic
- name: Live-Traffic
- priority: 10
- type: boolean
- - description: Capture only the dropped packet.
- jsonPath: .spec.droppedOnly
- name: Dropped-Only
- priority: 10
- type: boolean
- - description: Timeout in seconds.
- jsonPath: .spec.timeout
- name: Timeout
- priority: 10
- type: integer
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- destination:
- properties:
- ip:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- namespace:
- type: string
- pod:
- type: string
- service:
- type: string
- type: object
- droppedOnly:
- type: boolean
- liveTraffic:
- type: boolean
- packet:
- properties:
- ipHeader:
- properties:
- flags:
- type: integer
- protocol:
- type: integer
- srcIP:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- ttl:
- type: integer
- type: object
- ipv6Header:
- properties:
- hopLimit:
- type: integer
- nextHeader:
- type: integer
- srcIP:
- format: ipv6
- type: string
- type: object
- transportHeader:
- properties:
- icmp:
- properties:
- id:
- type: integer
- sequence:
- type: integer
- type: object
- tcp:
- properties:
- dstPort:
- type: integer
- flags:
- type: integer
- srcPort:
- type: integer
- type: object
- udp:
- properties:
- dstPort:
- type: integer
- srcPort:
- type: integer
- type: object
- type: object
- type: object
- source:
- properties:
- ip:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- namespace:
- type: string
- pod:
- type: string
- type: object
- timeout:
- type: integer
- type: object
- status:
- properties:
- capturedPacket:
- properties:
- dstIP:
- type: string
- ipHeader:
- properties:
- flags:
- type: integer
- protocol:
- type: integer
- ttl:
- type: integer
- type: object
- ipv6Header:
- properties:
- hopLimit:
- type: integer
- nextHeader:
- type: integer
- type: object
- length:
- type: integer
- srcIP:
- type: string
- transportHeader:
- properties:
- icmp:
- properties:
- id:
- type: integer
- sequence:
- type: integer
- type: object
- tcp:
- properties:
- dstPort:
- type: integer
- flags:
- type: integer
- srcPort:
- type: integer
- type: object
- udp:
- properties:
- dstPort:
- type: integer
- srcPort:
- type: integer
- type: object
- type: object
- type: object
- dataplaneTag:
- type: integer
- phase:
- type: string
- reason:
- type: string
- results:
- items:
- properties:
- node:
- type: string
- observations:
- items:
- properties:
- action:
- type: string
- component:
- type: string
- componentInfo:
- type: string
- dstMAC:
- type: string
- networkPolicy:
- type: string
- pod:
- type: string
- translatedDstIP:
- type: string
- translatedSrcIP:
- type: string
- ttl:
- type: integer
- tunnelDstIP:
- type: string
- type: object
- type: array
- role:
- type: string
- timestamp:
- type: integer
- type: object
- type: array
- startTime:
- type: string
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app: antrea
- name: antctl
- namespace: kube-system
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app: antrea
- name: antrea-agent
- namespace: kube-system
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app: antrea
- name: antrea-controller
- namespace: kube-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
- name: aggregate-antrea-clustergroups-edit
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - clustergroups
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-view: "true"
- name: aggregate-antrea-clustergroups-view
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - clustergroups
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
- name: aggregate-antrea-policies-edit
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - clusternetworkpolicies
- - networkpolicies
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-view: "true"
- name: aggregate-antrea-policies-view
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - clusternetworkpolicies
- - networkpolicies
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
- name: aggregate-traceflows-edit
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - traceflows
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- rbac.authorization.k8s.io/aggregate-to-view: "true"
- name: aggregate-traceflows-view
-rules:
-- apiGroups:
- - crd.antrea.io
- resources:
- - traceflows
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- name: antctl
-rules:
-- apiGroups:
- - controlplane.antrea.io
- resources:
- - networkpolicies
- - appliedtogroups
- - addressgroups
- verbs:
- - get
- - list
-- apiGroups:
- - stats.antrea.io
- resources:
- - networkpolicystats
- - antreaclusternetworkpolicystats
- - antreanetworkpolicystats
- verbs:
- - get
- - list
-- apiGroups:
- - system.antrea.io
- resources:
- - controllerinfos
- - agentinfos
- verbs:
- - get
-- apiGroups:
- - system.antrea.io
- resources:
- - supportbundles
- verbs:
- - get
- - post
-- apiGroups:
- - system.antrea.io
- resources:
- - supportbundles/download
- verbs:
- - get
-- nonResourceURLs:
- - /agentinfo
- - /addressgroups
- - /appliedtogroups
- - /loglevel
- - /networkpolicies
- - /ovsflows
- - /ovstracing
- - /podinterfaces
- - /featuregates
- verbs:
- - get
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- name: antrea-agent
-rules:
-- apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - ""
- resources:
- - nodes/status
- verbs:
- - patch
-- apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - ""
- resources:
- - pods/status
- verbs:
- - patch
-- apiGroups:
- - ""
- resources:
- - endpoints
- - services
- - namespaces
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - ""
- resources:
- - services/status
- verbs:
- - update
-- apiGroups:
- - discovery.k8s.io
- resources:
- - endpointslices
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - crd.antrea.io
- resources:
- - antreaagentinfos
- verbs:
- - get
- - create
- - update
- - delete
-- apiGroups:
- - controlplane.antrea.io
- resources:
- - networkpolicies
- - appliedtogroups
- - addressgroups
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - controlplane.antrea.io
- resources:
- - egressgroups
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - controlplane.antrea.io
- resources:
- - nodestatssummaries
- verbs:
- - create
-- apiGroups:
- - controlplane.antrea.io
- resources:
- - networkpolicies/status
- verbs:
- - create
- - get
-- apiGroups:
- - authentication.k8s.io
- resources:
- - tokenreviews
- verbs:
- - create
-- apiGroups:
- - authorization.k8s.io
- resources:
- - subjectaccessreviews
- verbs:
- - create
-- apiGroups:
- - ""
- resourceNames:
- - extension-apiserver-authentication
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ""
- resourceNames:
- - antrea-ca
- resources:
- - configmaps
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - crd.antrea.io
- resources:
- - traceflows
- - traceflows/status
- verbs:
- - get
- - watch
- - list
- - update
- - patch
- - create
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - egresses
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - crd.antrea.io
- resources:
- - egresses/status
- verbs:
- - update
-- apiGroups:
- - crd.antrea.io
- resources:
- - externalippools
- - ippools
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - crd.antrea.io
- resources:
- - ippools/status
- verbs:
- - update
-- apiGroups:
- - k8s.cni.cncf.io
- resources:
- - network-attachment-definitions
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- name: antrea-cluster-identity-reader
-rules:
-- apiGroups:
- - ""
- resourceNames:
- - antrea-cluster-identity
- resources:
- - configmaps
- verbs:
- - get
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: antrea
- name: antrea-controller
-rules:
-- apiGroups:
- - ""
- resources:
- - pods
- - services
- - namespaces
- - configmaps
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - get
- - watch
- - list
- - patch
-- apiGroups:
- - ""
- resources:
- - services/status
- verbs:
- - update
-- apiGroups:
- - networking.k8s.io
- resources:
- - networkpolicies
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - authentication.k8s.io
- resources:
- - tokenreviews
- verbs:
- - create
-- apiGroups:
- - authorization.k8s.io
- resources:
- - subjectaccessreviews
- verbs:
- - create
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - get
- - update
-- apiGroups:
- - ""
- resourceNames:
- - extension-apiserver-authentication
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ""
- resourceNames:
- - antrea-ca
- - antrea-cluster-identity
- resources:
- - configmaps
- verbs:
- - get
- - update
-- apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - create
-- apiGroups:
- - apiregistration.k8s.io
- resourceNames:
- - v1alpha1.stats.antrea.io
- - v1beta1.system.antrea.io
- - v1beta2.controlplane.antrea.io
- resources:
- - apiservices
- verbs:
- - get
- - update
-- apiGroups:
- - apiregistration.k8s.io
- resourceNames:
- - v1beta1.networking.antrea.tanzu.vmware.com
- - v1beta1.controlplane.antrea.tanzu.vmware.com
- - v1alpha1.stats.antrea.tanzu.vmware.com
- - v1beta1.system.antrea.tanzu.vmware.com
- - v1beta2.controlplane.antrea.tanzu.vmware.com
- resources:
- - apiservices
- verbs:
- - delete
-- apiGroups:
- - admissionregistration.k8s.io
- resourceNames:
- - labelsmutator.antrea.io
- - crdmutator.antrea.io
- - crdvalidator.antrea.io
- resources:
- - mutatingwebhookconfigurations
- - validatingwebhookconfigurations
- verbs:
- - get
- - update
-- apiGroups:
- - crd.antrea.io
- resources:
- - antreacontrollerinfos
- verbs:
- - get
- - create
- - update
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - antreaagentinfos
- verbs:
- - list
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - clusternetworkpolicies
- - networkpolicies
- verbs:
- - get
- - watch
- - list
- - update
- - patch
- - create
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - clusternetworkpolicies/status
- - networkpolicies/status
- verbs:
- - update
-- apiGroups:
- - crd.antrea.io
- resources:
- - tiers
- verbs:
- - get
- - watch
- - list
- - update
- - patch
- - create
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - traceflows
- - traceflows/status
- verbs:
- - get
- - watch
- - list
- - update
- - patch
- - create
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - externalentities
- - clustergroups
- verbs:
- - get
- - watch
- - list
- - update
- - patch
- - create
- - delete
-- apiGroups:
- - crd.antrea.io
- resources:
- - clustergroups/status
- verbs:
- - update
-- apiGroups:
- - crd.antrea.io
- resources:
- - egresses
- verbs:
- - get
- - watch
- - list
- - update
- - patch
-- apiGroups:
- - crd.antrea.io
- resources:
- - externalippools
- - ippools
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - crd.antrea.io
- resources:
- - externalippools/status
- - ippools/status
- verbs:
- - update
-- apiGroups:
- - apps
- resources:
- - statefulsets
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app: antrea
- name: antctl
- namespace: kube-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: antctl
-subjects:
-- kind: ServiceAccount
- name: antctl
- namespace: kube-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app: antrea
- name: antrea-agent
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: antrea-agent
-subjects:
-- kind: ServiceAccount
- name: antrea-agent
- namespace: kube-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app: antrea
- name: antrea-controller
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: antrea-controller
-subjects:
-- kind: ServiceAccount
- name: antrea-controller
- namespace: kube-system
----
-apiVersion: v1
data:
antrea-agent.conf: |
# FeatureGates is a map of feature names to bools that enable or disable experimental features.
@@ -2790,19 +87,18 @@ data:
# Name of the OpenVSwitch bridge antrea-agent will create and use.
# Make sure it doesn't conflict with your existing OpenVSwitch bridges.
- #ovsBridge: br-int
+ ovsBridge: "br-int"
# Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are:
# - system
# - netdev
# 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run
- # OVS in userspace mode (not fully supported yet). Userspace mode requires the tun device driver to
- # be available.
+ # OVS in userspace mode. Userspace mode requires the tun device driver to be available.
#ovsDatapathType: system
# Name of the interface antrea-agent will create and use for host <--> pod communication.
# Make sure it doesn't conflict with your existing interfaces.
- #hostGateway: antrea-gw0
+ hostGateway: "antrea-gw0"
# Determines how traffic is encapsulated. It has the following options:
# encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network
@@ -2814,14 +110,14 @@ data:
# networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod
# IPAM and connectivity to the primary CNI.
#
- #trafficEncapMode: encap
+ trafficEncapMode: "encap"
# Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network.
# This option is for the noEncap traffic mode only, and the default value is false. In the noEncap
# mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to
# the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never
# performs SNAT and this option will be ignored; for other modes it must be set to false.
- #noSNAT: false
+ noSNAT: false
# Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode,
# this option will not take effect. Supported values:
@@ -2830,7 +126,7 @@ data:
# - gre
# - stt
# Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters).
- #tunnelType: geneve
+ tunnelType: "geneve"
# Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode.
# It has the following options:
@@ -2840,7 +136,7 @@ data:
# the PSK value must be passed to Antrea Agent through an environment
# variable: ANTREA_IPSEC_PSK.
# - wireGuard: Enable WireGuard for tunnel traffic encryption.
- #trafficEncryptionMode: none
+ trafficEncryptionMode: "none"
# Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected
# to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are
@@ -2849,40 +145,40 @@ data:
# This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only
# IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`,
# `trafficEncapMode` is `noEncap`, and `noSNAT` is true.
- #enableBridgingMode: false
+ enableBridgingMode: false
# Default MTU to use for the host gateway interface and the network interface of each Pod.
# If omitted, antrea-agent will discover the MTU of the Node's primary interface and
# also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
- #defaultMTU: 0
+ defaultMTU: 0
# wireGuard specifies WireGuard related configurations.
wireGuard:
- # The port for WireGuard to receive traffic.
- # port: 51820
+ # The port for WireGuard to receive traffic.
+ port: 51820
egress:
- # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses.
- # exceptCIDRs: []
+ # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses.
+ exceptCIDRs:
# ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
# set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
# AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
- #serviceCIDR: 10.96.0.0/12
+ serviceCIDR: ""
# ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
# cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
# --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
# No default value for this field.
- #serviceCIDRv6:
+ serviceCIDRv6: ""
# The port for the antrea-agent APIServer to serve on.
# Note that if it's set to another value, the `containerPort` of the `api` port of the
# `antrea-agent` container must be set to the same value.
- #apiPort: 10350
+ apiPort: 10350
# Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
- #enablePrometheusMetrics: true
+ enablePrometheusMetrics: true
# Provide the IPFIX collector address as a string with format :[][:].
# HOST can either be the DNS name or the IP of the Flow Collector. For example,
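Review bot: `exceptCIDRs:` at L34475 is rendered with no value, which YAML reads as null rather than the `[]` the previous commented default showed; the same pattern appears for `multicastInterfaces:` (L34558), `transportInterfaceCIDRs:` (L34566), `nodePortAddresses:` (L34579) and `skipServices:` (L34584). Whether a null decodes to an empty list or is rejected depends on the agent's config loader, which is not visible here, so this is worth confirming before the generated manifest ships. Since the `# Source:` comments show this file is Helm output, the fix belongs in the chart template, rendering `exceptCIDRs: []` (and the others likewise) so the effective default stays explicit and unambiguous.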
@@ -2893,50 +189,50 @@ data:
# If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
# "udp" protocols. "tls" is used for securing communication between flow exporter and
# flow aggregator.
- #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
+ flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
# Provide flow poll interval as a duration string. This determines how often the
# flow exporter dumps connections from the conntrack module. Flow poll interval
# should be greater than or equal to 1s (one second).
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
- #flowPollInterval: "5s"
+ flowPollInterval: "5s"
# Provide the active flow export timeout, which is the timeout after which a flow
# record is sent to the collector for active flows. Thus, for flows with a continuous
# stream of packets, a flow record will be exported to the collector once the elapsed
# time since the last export event is equal to the value of this timeout.
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
- #activeFlowExportTimeout: "30s"
+ activeFlowExportTimeout: "5s"
# Provide the idle flow export timeout, which is the timeout after which a flow
# record is sent to the collector for idle flows. A flow is considered idle if no
# packet matching this flow has been observed since the last export event.
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
- #idleFlowExportTimeout: "15s"
+ idleFlowExportTimeout: "15s"
nodePortLocal:
# Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To
# enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature
# gate is also enabled (which is the default).
- # enable: false
+ enable: false
# Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port
# from that range will be assigned whenever a Pod's container defines a specific port to be exposed
# (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic
# directed to that port will be forwarded to the Pod.
- # portRange: 61000-62000
+ portRange: "61000-62000"
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
- #kubeAPIServerOverride: ""
+ kubeAPIServerOverride: ""
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
# https://golang.org/pkg/crypto/tls/#pkg-constants
# Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
# prefer TLS1.3 Cipher Suites whenever possible.
- #tlsCipherSuites:
+ tlsCipherSuites: ""
# TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
- #tlsMinVersion:
+ tlsMinVersion: ""
# The name of the interface on Node which is used for tunneling or routing the traffic across Nodes.
# If there are multiple IP addresses configured on the interface, the first one is used. The IP
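Review bot: `activeFlowExportTimeout: "5s"` at L34515 replaces the previously documented default of `"30s"`, while the neighbouring values (`flowPollInterval: "5s"`, `idleFlowExportTimeout: "15s"`) keep their old defaults, so this looks like an unintended change in the chart's default value rather than part of the uncomment-everything conversion. Because these keys are now active settings instead of comments, the ConfigMap becomes authoritative and every cluster deploying this manifest will export active-flow records six times as often, which increases load on the flow aggregator. If the change is deliberate, it should be named in the commit description and in the flow-exporter documentation; otherwise the chart value should be restored to `activeFlowExportTimeout: "30s"` and the manifest regenerated.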
@@ -2945,11 +241,11 @@ data:
# 1. transportInterface
# 2. transportInterfaceCIDRs
# 3. The Node IP
- #transportInterface:
+ transportInterface: ""
# The names of the interfaces on Nodes that are used to forward multicast traffic.
# Defaults to transport interface if not set.
- #multicastInterfaces: []
+ multicastInterfaces:
# The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across
# Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The
@@ -2958,7 +254,7 @@ data:
# 1. transportInterface
# 2. transportInterfaceCIDRs
# 3. The Node IP
- #transportInterfaceCIDRs: [,]
+ transportInterfaceCIDRs:
# Option antreaProxy contains AntreaProxy related configuration options.
antreaProxy:
@@ -2967,22 +263,22 @@ data:
# feature to be enabled.
# Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access
# apiserver directly.
- #proxyAll: false
+ proxyAll: false
# A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks.
# (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses.
# Note that the option is only valid when proxyAll is true.
- #nodePortAddresses: []
+ nodePortAddresses:
# An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these
# Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name
# with Namespace (e.g. kube-system/kube-dns)
- #skipServices: []
+ skipServices:
# When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the
# External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional
# capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the
# external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy.
# Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and
# kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic.
- #proxyLoadBalancerIPs: true
+ proxyLoadBalancerIPs: true
antrea-cni.conflist: |
{
"cniVersion":"0.3.0",
@@ -2993,11 +289,13 @@ data:
"ipam": {
"type": "host-local"
}
- },
+ }
+ ,
{
"type": "portmap",
"capabilities": {"portMappings": true}
- },
+ }
+ ,
{
"type": "bandwidth",
"capabilities": {"bandwidth": true}
@@ -3035,659 +333,3317 @@ data:
# The port for the antrea-controller APIServer to serve on.
# Note that if it's set to another value, the `containerPort` of the `api` port of the
# `antrea-controller` container must be set to the same value.
- #apiPort: 10349
+ apiPort: 10349
# Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
- #enablePrometheusMetrics: true
+ enablePrometheusMetrics: true
# Indicates whether to use auto-generated self-signed TLS certificate.
- # If false, A Secret named "antrea-controller-tls" must be provided with the following keys:
+ # If false, a Secret named "antrea-controller-tls" must be provided with the following keys:
# ca.crt:
# tls.crt:
# tls.key:
- # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
- # antrea-controller container.
- #selfSignedCert: true
+ selfSignedCert: true
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
# https://golang.org/pkg/crypto/tls/#pkg-constants
# Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
# prefer TLS1.3 Cipher Suites whenever possible.
- #tlsCipherSuites:
+ tlsCipherSuites: ""
# TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
- #tlsMinVersion:
+ tlsMinVersion: ""
nodeIPAM:
- # Enable the integrated Node IPAM controller within the Antrea controller.
- # enableNodeIPAM: false
-
- # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges.
- # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family.
- # Value ignored when enableNodeIPAM is false.
- # clusterCIDRs: []
-
- # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs.
- # Value ignored when enableNodeIPAM is false.
- # serviceCIDR:
- # serviceCIDRv6:
-
- # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false
- # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30.
- # nodeCIDRMaskSizeIPv4: 24
-
- # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false
- # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
- # nodeCIDRMaskSizeIPv6: 64
-kind: ConfigMap
+ # Enable the integrated Node IPAM controller within the Antrea controller.
+ enableNodeIPAM: false
+ # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges.
+ # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family.
+ # Value ignored when enableNodeIPAM is false.
+ clusterCIDRs:
+ # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs.
+ # Value ignored when enableNodeIPAM is false.
+ serviceCIDR: ""
+ serviceCIDRv6: ""
+ # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false
+ # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30.
+ nodeCIDRMaskSizeIPv4: 24
+ # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false
+ # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
+ nodeCIDRMaskSizeIPv6: 64
+---
+# Source: antrea/templates/crds/antreaagentinfo.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: antreaagentinfos.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - description: Health status of this Agent
+ jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status"
+ name: Healthy
+ type: string
+ - description: Last time the Healthy Condition was updated
+ jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime"
+ name: Last Heartbeat
+ type: date
+ - description: Version of this Agent
+ jsonPath: ".version"
+ name: Version
+ type: string
+ priority: 1
+ - description: Node on which this Agent is running
+ jsonPath: ".nodeRef.name"
+ name: Node
+ type: string
+ priority: 1
+ - description: Number of local Pods managed by this Agent
+ jsonPath: ".localPodNum"
+ name: Num Pods
+ type: integer
+ priority: 2
+ - description: Subnets used by this Agent for Pod IPAM
+ jsonPath: ".nodeSubnets"
+ name: Subnets
+ type: string
+ priority: 2
+ scope: Cluster
+ names:
+ plural: antreaagentinfos
+ singular: antreaagentinfo
+ kind: AntreaAgentInfo
+ shortNames:
+ - aai
+---
+# Source: antrea/templates/crds/antreacontrollerinfo.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: antreacontrollerinfos.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - description: Health status of the Controller
+ jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status"
+ name: Healthy
+ type: string
+ - description: Last time the Healthy Condition was updated
+ jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime"
+ name: Last Heartbeat
+ type: date
+ - description: Version of the Controller
+ jsonPath: ".version"
+ name: Version
+ type: string
+ priority: 1
+ - description: Number of Agents connected to the Controller
+ jsonPath: ".connectedAgentNum"
+ name: Connected Agents
+ type: integer
+ priority: 1
+ - description: Node on which the Controller is running
+ jsonPath: ".nodeRef.name"
+ name: Node
+ type: string
+ priority: 1
+ - description: Number of Network Policies computed by Controller
+ jsonPath: ".networkPolicyControllerInfo.networkPolicyNum"
+ name: Num Network Policies
+ type: integer
+ priority: 2
+ scope: Cluster
+ names:
+ plural: antreacontrollerinfos
+ singular: antreacontrollerinfo
+ kind: AntreaControllerInfo
+ shortNames:
+ - aci
+---
+# Source: antrea/templates/crds/clustergroup.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clustergroups.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: false
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ childGroups:
+ type: array
+ items:
+ type: string
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ externalEntitySelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ ipBlocks:
+ type: array
+ items:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ serviceReference:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ status:
+ type: object
+ properties:
+ conditions:
+ type: array
+ items:
+ type: object
+ properties:
+ type:
+ type: string
+ status:
+ type: string
+ lastTransitionTime:
+ type: string
+ - name: v1alpha3
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ childGroups:
+ type: array
+ items:
+ type: string
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ externalEntitySelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ipBlocks:
+ type: array
+ items:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ serviceReference:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ status:
+ type: object
+ properties:
+ conditions:
+ type: array
+ items:
+ type: object
+ properties:
+ type:
+ type: string
+ status:
+ type: string
+ lastTransitionTime:
+ type: string
+ subresources:
+ status: {}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions: ["v1", "v1beta1"]
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: "kube-system"
+ path: "/convert/clustergroup"
+ scope: Cluster
+ names:
+ plural: clustergroups
+ singular: clustergroup
+ kind: ClusterGroup
+ shortNames:
+ - cg
+---
+# Source: antrea/templates/crds/clusternetworkpolicy.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusternetworkpolicies.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - name: Tier
+ type: string
+ description: The Tier to which this ClusterNetworkPolicy belongs to.
+ jsonPath: .spec.tier
+ - name: Priority
+ type: number
+ format: float
+ description: The Priority of this ClusterNetworkPolicy relative to other policies.
+ jsonPath: .spec.priority
+ - name: Desired Nodes
+ type: number
+ format: int32
+ description: The total number of Nodes that should realize the NetworkPolicy.
+ jsonPath: .status.desiredNodesRealized
+ - name: Current Nodes
+ type: number
+ format: int32
+ description: The number of Nodes that have realized the NetworkPolicy.
+ jsonPath: .status.currentNodesRealized
+ - name: Age
+ type: date
+ jsonPath: .metadata.creationTimestamp
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ # Ensure that Spec.Priority field is set
+ required:
+ - priority
+ type: object
+ properties:
+ tier:
+ type: string
+ priority:
+ type: number
+ format: float
+ # Ensure that Spec.Priority field is between 1 and 10000
+ minimum: 1.0
+ maximum: 10000.0
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that Spec.AppliedTo does not allow IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ group:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ ingress:
+ type: array
+ items:
+ type: object
+ required:
+ - action
+ properties:
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that rule AppliedTo does not allow IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ group:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ # Ensure that Action field allows only ALLOW, DROP and REJECT values
+ action:
+ type: string
+ enum: ['Allow', 'Drop', 'Reject', 'Pass']
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ endPort:
+ type: integer
+ from:
+ type: array
+ items:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaces:
+ type: object
+ properties:
+ match:
+ enum:
+ - Self
+ type: string
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ group:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ name:
+ type: string
+ enableLogging:
+ type: boolean
+ egress:
+ type: array
+ items:
+ type: object
+ required:
+ - action
+ properties:
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that rule AppliedTo does not allow IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ group:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ # Ensure that Action field allows only ALLOW, DROP and REJECT values
+ action:
+ type: string
+ enum: ['Allow', 'Drop', 'Reject', 'Pass']
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ endPort:
+ type: integer
+ to:
+ type: array
+ items:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaces:
+ type: object
+ properties:
+ match:
+ type: string
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ group:
+ type: string
+ fqdn:
+ type: string
+ serviceAccount:
+ type: object
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ toServices:
+ type: array
+ items:
+ type: object
+ required:
+ - name
+ - namespace
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ name:
+ type: string
+ enableLogging:
+ type: boolean
+ status:
+ type: object
+ properties:
+ phase:
+ type: string
+ observedGeneration:
+ type: integer
+ currentNodesRealized:
+ type: integer
+ desiredNodesRealized:
+ type: integer
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: clusternetworkpolicies
+ singular: clusternetworkpolicy
+ kind: ClusterNetworkPolicy
+ shortNames:
+ - acnp
+---
+# Source: antrea/templates/crds/egress.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: egresses.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ required:
+ - spec
+ properties:
+ spec:
+ type: object
+ required:
+ - appliedTo
+ anyOf:
+ - required:
+ - egressIP
+ - required:
+ - externalIPPool
+ properties:
+ appliedTo:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ egressIP:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ externalIPPool:
+ type: string
+ status:
+ type: object
+ properties:
+ egressNode:
+ type: string
+ additionalPrinterColumns:
+ - description: Specifies the SNAT IP address for the selected workloads.
+ jsonPath: .spec.egressIP
+ name: EgressIP
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ - description: The Owner Node of egress IP
+ jsonPath: .status.egressNode
+ name: Node
+ type: string
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: egresses
+ singular: egress
+ kind: Egress
+ shortNames:
+ - eg
+---
+# Source: antrea/templates/crds/externalentity.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: externalentities.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ endpoints:
+ type: array
+ items:
+ type: object
+ properties:
+ ip:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ name:
+ type: string
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ name:
+ type: string
+ externalNode:
+ type: string
+ - name: v1alpha1
+ served: false
+ storage: false
+ schema:
+ openAPIV3Schema:
+ type: object
+ scope: Namespaced
+ names:
+ plural: externalentities
+ singular: externalentity
+ kind: ExternalEntity
+ shortNames:
+ - ee
+---
+# Source: antrea/templates/crds/externalippool.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: externalippools.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ required:
+ - spec
+ properties:
+ spec:
+ type: object
+ required:
+ - ipRanges
+ - nodeSelector
+ properties:
+ ipRanges:
+ type: array
+ items:
+ type: object
+ oneOf:
+ - required:
+ - cidr
+ - required:
+ - start
+ - end
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ start:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ end:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ type: object
+ properties:
+ usage:
+ type: object
+ properties:
+ total:
+ type: integer
+ used:
+ type: integer
+ additionalPrinterColumns:
+ - description: The number of total IPs
+ jsonPath: .status.usage.total
+ name: Total
+ type: integer
+ - description: The number of allocated IPs
+ jsonPath: .status.usage.used
+ name: Used
+ type: integer
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: externalippools
+ singular: externalippool
+ kind: ExternalIPPool
+ shortNames:
+ - eip
+---
+# Source: antrea/templates/crds/ippool.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: ippools.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ required:
+ - spec
+ properties:
+ spec:
+ required:
+ - ipVersion
+ - ipRanges
+ type: object
+ properties:
+ ipVersion:
+ type: integer
+ ipRanges:
+ items:
+ oneOf:
+ - required:
+ - cidr
+ - gateway
+ - prefixLength
+ - required:
+ - start
+ - end
+ - gateway
+ - prefixLength
+ properties:
+ cidr:
+ format: cidr
+ type: string
+ start:
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ type: string
+ end:
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ type: string
+ gateway:
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ type: string
+ prefixLength:
+ type: integer
+ vlan:
+ type: integer
+ minimum: 0
+ maximum: 4094
+ type: object
+ type: array
+ status:
+ properties:
+ ipAddresses:
+ items:
+ properties:
+ ipAddress:
+ type: string
+ owner:
+ properties:
+ pod:
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ containerID:
+ type: string
+ ifName:
+ type: string
+ type: object
+ statefulSet:
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ index:
+ type: integer
+ type: object
+ type: object
+ phase:
+ type: string
+ type: object
+ type: array
+ type: object
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: ippools
+ singular: ippool
+ kind: IPPool
+ shortNames:
+ - ipp
+---
+# Source: antrea/templates/crds/networkpolicy.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: networkpolicies.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - name: Tier
+ type: string
+ description: The Tier to which this Antrea NetworkPolicy belongs to.
+ jsonPath: .spec.tier
+ - name: Priority
+ type: number
+ format: float
+ description: The Priority of this Antrea NetworkPolicy relative to other policies.
+ jsonPath: .spec.priority
+ - name: Desired Nodes
+ type: number
+ format: int32
+ description: The total number of Nodes that should realize the NetworkPolicy.
+ jsonPath: .status.desiredNodesRealized
+ - name: Current Nodes
+ type: number
+ format: int32
+ description: The number of Nodes that have realized the NetworkPolicy.
+ jsonPath: .status.currentNodesRealized
+ - name: Age
+ type: date
+ jsonPath: .metadata.creationTimestamp
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ # Ensure that Spec.Priority field is set
+ required:
+ - priority
+ type: object
+ properties:
+ tier:
+ type: string
+ priority:
+ type: number
+ format: float
+ # Ensure that Spec.Priority field is between 1 and 10000
+ minimum: 1.0
+ maximum: 10000.0
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ingress:
+ type: array
+ items:
+ type: object
+ required:
+ - action
+ properties:
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ # Ensure that Action field allows only ALLOW, DROP and REJECT values
+ action:
+ type: string
+ enum: ['Allow', 'Drop', 'Reject', 'Pass']
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ endPort:
+ type: integer
+ from:
+ type: array
+ items:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ externalEntitySelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ name:
+ type: string
+ enableLogging:
+ type: boolean
+ egress:
+ type: array
+ items:
+ type: object
+ required:
+ - action
+ properties:
+ appliedTo:
+ type: array
+ items:
+ type: object
+ # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ # Ensure that Action field allows only ALLOW, DROP and REJECT values
+ action:
+ type: string
+ enum: ['Allow', 'Drop', 'Reject', 'Pass']
+ ports:
+ type: array
+ items:
+ type: object
+ properties:
+ protocol:
+ type: string
+ enum: ['TCP', 'UDP', 'SCTP']
+ port:
+ x-kubernetes-int-or-string: true
+ endPort:
+ type: integer
+ to:
+ type: array
+ items:
+ type: object
+ properties:
+ podSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ namespaceSelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ externalEntitySelector:
+ type: object
+ properties:
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ ipBlock:
+ type: object
+ properties:
+ cidr:
+ type: string
+ format: cidr
+ fqdn:
+ type: string
+ nodeSelector:
+ type: object
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ items:
+ type: string
+ pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+ type: array
+ type: object
+ type: array
+ matchLabels:
+ x-kubernetes-preserve-unknown-fields: true
+ toServices:
+ type: array
+ items:
+ type: object
+ required:
+ - name
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ name:
+ type: string
+ enableLogging:
+ type: boolean
+ status:
+ type: object
+ properties:
+ phase:
+ type: string
+ observedGeneration:
+ type: integer
+ currentNodesRealized:
+ type: integer
+ desiredNodesRealized:
+ type: integer
+ subresources:
+ status: {}
+ scope: Namespaced
+ names:
+ plural: networkpolicies
+ singular: networkpolicy
+ kind: NetworkPolicy
+ shortNames:
+ - anp
+---
+# Source: antrea/templates/crds/tier.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: tiers.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - name: Priority
+ type: integer
+ description: The Priority of this Tier relative to other Tiers.
+ jsonPath: .spec.priority
+ - name: Age
+ type: date
+ jsonPath: .metadata.creationTimestamp
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ required:
+ - priority
+ type: object
+ properties:
+ priority:
+ type: integer
+ minimum: 0
+ maximum: 255
+ description:
+ type: string
+ scope: Cluster
+ names:
+ plural: tiers
+ singular: tier
+ kind: Tier
+ shortNames:
+ - tr
+---
+# Source: antrea/templates/crds/traceflow.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: traceflows.crd.antrea.io
+ labels:
+ app: antrea
+spec:
+ group: crd.antrea.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - jsonPath: .status.phase
+ description: The phase of the Traceflow.
+ name: Phase
+ type: string
+ - jsonPath: .spec.source.pod
+ description: The name of the source Pod.
+ name: Source-Pod
+ type: string
+ priority: 10
+ - jsonPath: .spec.destination.pod
+ description: The name of the destination Pod.
+ name: Destination-Pod
+ type: string
+ priority: 10
+ - jsonPath: .spec.destination.ip
+ description: The IP address of the destination.
+ name: Destination-IP
+ type: string
+ priority: 10
+ - jsonPath: .spec.liveTraffic
+ description: Trace live traffic.
+ name: Live-Traffic
+ type: boolean
+ priority: 10
+ - jsonPath: .spec.droppedOnly
+ description: Capture only the dropped packet.
+ name: Dropped-Only
+ type: boolean
+ priority: 10
+ - jsonPath: .spec.timeout
+ description: Timeout in seconds.
+ name: Timeout
+ type: integer
+ priority: 10
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ schema:
+ openAPIV3Schema:
+ type: object
+ required:
+ - spec
+ properties:
+ spec:
+ type: object
+ properties:
+ source:
+ type: object
+ properties:
+ pod:
+ type: string
+ namespace:
+ type: string
+ ip:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ destination:
+ type: object
+ properties:
+ pod:
+ type: string
+ service:
+ type: string
+ namespace:
+ type: string
+ ip:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ packet:
+ type: object
+ properties:
+ ipHeader:
+ type: object
+ properties:
+ srcIP:
+ type: string
+ oneOf:
+ - format: ipv4
+ - format: ipv6
+ protocol:
+ type: integer
+ ttl:
+ type: integer
+ flags:
+ type: integer
+ ipv6Header:
+ type: object
+ properties:
+ srcIP:
+ type: string
+ format: ipv6
+ nextHeader:
+ type: integer
+ hopLimit:
+ type: integer
+ transportHeader:
+ type: object
+ properties:
+ icmp:
+ type: object
+ properties:
+ id:
+ type: integer
+ sequence:
+ type: integer
+ udp:
+ type: object
+ properties:
+ srcPort:
+ type: integer
+ dstPort:
+ type: integer
+ tcp:
+ type: object
+ properties:
+ srcPort:
+ type: integer
+ dstPort:
+ type: integer
+ flags:
+ type: integer
+ liveTraffic:
+ type: boolean
+ droppedOnly:
+ type: boolean
+ timeout:
+ type: integer
+ status:
+ type: object
+ properties:
+ reason:
+ type: string
+ dataplaneTag:
+ type: integer
+ phase:
+ type: string
+ startTime:
+ type: string
+ results:
+ type: array
+ items:
+ type: object
+ properties:
+ node:
+ type: string
+ role:
+ type: string
+ timestamp:
+ type: integer
+ observations:
+ type: array
+ items:
+ type: object
+ properties:
+ component:
+ type: string
+ componentInfo:
+ type: string
+ action:
+ type: string
+ pod:
+ type: string
+ dstMAC:
+ type: string
+ networkPolicy:
+ type: string
+ ttl:
+ type: integer
+ translatedSrcIP:
+ type: string
+ translatedDstIP:
+ type: string
+ tunnelDstIP:
+ type: string
+ capturedPacket:
+ properties:
+ srcIP:
+ type: string
+ dstIP:
+ type: string
+ length:
+ type: integer
+ ipHeader:
+ properties:
+ flags:
+ type: integer
+ protocol:
+ type: integer
+ ttl:
+ type: integer
+ type: object
+ ipv6Header:
+ properties:
+ hopLimit:
+ type: integer
+ nextHeader:
+ type: integer
+ type: object
+ transportHeader:
+ properties:
+ tcp:
+ properties:
+ dstPort:
+ type: integer
+ srcPort:
+ type: integer
+ flags:
+ type: integer
+ type: object
+ udp:
+ properties:
+ dstPort:
+ type: integer
+ srcPort:
+ type: integer
+ type: object
+ icmp:
+ properties:
+ id:
+ type: integer
+ sequence:
+ type: integer
+ type: object
+ type: object
+ type: object
+ subresources:
+ status: {}
+ scope: Cluster
+ names:
+ plural: traceflows
+ singular: traceflow
+ kind: Traceflow
+ shortNames:
+ - tf
+---
+# Source: antrea/templates/agent/clusterrole.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-agent
+ labels:
+ app: antrea
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/status
+ verbs:
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - pods/status
+ verbs:
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - endpoints
+ - services
+ - namespaces
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - services/status
+ verbs:
+ - update
+ - apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - antreaagentinfos
+ verbs:
+ - get
+ - create
+ - update
+ - delete
+ - apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - networkpolicies
+ - appliedtogroups
+ - addressgroups
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - egressgroups
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - nodestatssummaries
+ verbs:
+ - create
+ - apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - networkpolicies/status
+ verbs:
+ - create
+ - get
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+ # This is the content of built-in role kube-system/extension-apiserver-authentication-reader.
+ # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-agent) will
+ # have permission issue after bumping up apiserver library to a version that supports dynamic authentication.
+ # See https://github.com/kubernetes/kubernetes/pull/85375
+ # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on
+ # the extension-apiserver-authentication role.
+ - apiGroups:
+ - ""
+ resourceNames:
+ - extension-apiserver-authentication
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ resourceNames:
+ - antrea-ca
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - traceflows
+ - traceflows/status
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - egresses
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - egresses/status
+ verbs:
+ - update
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - externalippools
+ - ippools
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - ippools/status
+ verbs:
+ - update
+ - apiGroups:
+ - k8s.cni.cncf.io
+ resources:
+ - network-attachment-definitions
+ verbs:
+ - get
+ - list
+ - watch
+---
+# Source: antrea/templates/antctl/clusterrole.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antctl
+ labels:
+ app: antrea
+rules:
+ - apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - networkpolicies
+ - appliedtogroups
+ - addressgroups
+ verbs:
+ - get
+ - list
+ - apiGroups:
+ - stats.antrea.io
+ resources:
+ - networkpolicystats
+ - antreaclusternetworkpolicystats
+ - antreanetworkpolicystats
+ verbs:
+ - get
+ - list
+ - apiGroups:
+ - system.antrea.io
+ resources:
+ - controllerinfos
+ - agentinfos
+ verbs:
+ - get
+ - apiGroups:
+ - system.antrea.io
+ resources:
+ - supportbundles
+ verbs:
+ - get
+ - post
+ - apiGroups:
+ - system.antrea.io
+ resources:
+ - supportbundles/download
+ verbs:
+ - get
+ - nonResourceURLs:
+ - /agentinfo
+ - /addressgroups
+ - /appliedtogroups
+ - /loglevel
+ - /networkpolicies
+ - /ovsflows
+ - /ovstracing
+ - /podinterfaces
+ - /featuregates
+ verbs:
+ - get
+---
+# Source: antrea/templates/cluster-identity-reader/clusterrolebinding.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-cluster-identity-reader
+ labels:
+ app: antrea
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ resourceNames:
+ - antrea-cluster-identity
+ verbs:
+ - get
+---
+# Source: antrea/templates/controller/clusterrole.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-controller
+ labels:
+ app: antrea
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - services
+ - namespaces
+ - configmaps
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - watch
+ - list
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - services/status
+ verbs:
+ - update
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - networkpolicies
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+ - apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - update
+ # This is the content of built-in role kube-system/extension-apiserver-authentication-reader.
+ # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-controller) will
+ # have permission issue after bumping up apiserver library to a version that supports dynamic authentication.
+ # See https://github.com/kubernetes/kubernetes/pull/85375
+ # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on
+ # the extension-apiserver-authentication role.
+ - apiGroups:
+ - ""
+ resourceNames:
+ - extension-apiserver-authentication
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ resourceNames:
+ - antrea-ca
+ - antrea-cluster-identity
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - apiGroups:
+ - apiregistration.k8s.io
+ resources:
+ - apiservices
+ resourceNames:
+ - v1alpha1.stats.antrea.io
+ - v1beta1.system.antrea.io
+ - v1beta2.controlplane.antrea.io
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - apiregistration.k8s.io
+ resources:
+ - apiservices
+ resourceNames:
+ - v1beta1.networking.antrea.tanzu.vmware.com
+ - v1beta1.controlplane.antrea.tanzu.vmware.com
+ - v1alpha1.stats.antrea.tanzu.vmware.com
+ - v1beta1.system.antrea.tanzu.vmware.com
+ - v1beta2.controlplane.antrea.tanzu.vmware.com
+ verbs:
+ - delete
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ resourceNames:
+ # always give permissions for labelsmutator.antrea.io, even when the
+ # feature is disabled, to avoid errors in antrea-controller when updating
+ # the CA cert.
+ - labelsmutator.antrea.io
+ - crdmutator.antrea.io
+ - crdvalidator.antrea.io
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - antreacontrollerinfos
+ verbs:
+ - get
+ - create
+ - update
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - antreaagentinfos
+ verbs:
+ - list
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - clusternetworkpolicies
+ - networkpolicies
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - clusternetworkpolicies/status
+ - networkpolicies/status
+ verbs:
+ - update
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - tiers
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - traceflows
+ - traceflows/status
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - externalentities
+ - clustergroups
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - clustergroups/status
+ verbs:
+ - update
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - egresses
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - externalippools
+ - ippools
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - externalippools/status
+ - ippools/status
+ verbs:
+ - update
+ - apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - watch
+---
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
metadata:
+ name: aggregate-antrea-policies-edit
labels:
app: antrea
- name: antrea-config-bb75mkktfg
- namespace: kube-system
+ # Add these permissions to the "admin" and "edit" default roles.
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["clusternetworkpolicies", "networkpolicies"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
-apiVersion: v1
-kind: Service
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: aggregate-antrea-policies-view
+ labels:
+ app: antrea
+ # Add these permissions to the "view" default role.
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["clusternetworkpolicies", "networkpolicies"]
+ verbs: ["get", "list", "watch"]
+---
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: aggregate-traceflows-edit
+ labels:
+ app: antrea
+ # Add these permissions to the "admin" and "edit" default roles.
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["traceflows"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
+ name: aggregate-traceflows-view
+ labels:
+ app: antrea
+ # Add these permissions to the "view" default role.
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["traceflows"]
+ verbs: ["get", "list", "watch"]
+---
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: aggregate-antrea-clustergroups-edit
+ labels:
+ app: antrea
+ # Add these permissions to the "admin" and "edit" default roles.
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["clustergroups"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+# Source: antrea/templates/crds-rbac/clusterroles.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: aggregate-antrea-clustergroups-view
+ labels:
+ app: antrea
+ # Add these permissions to the "view" default role.
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups: ["crd.antrea.io"]
+ resources: ["clustergroups"]
+ verbs: ["get", "list", "watch"]
+---
+# Source: antrea/templates/agent/clusterrolebinding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-agent
+ labels:
+ app: antrea
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: antrea-agent
+subjects:
+ - kind: ServiceAccount
+ name: antrea-agent
+ namespace: kube-system
+---
+# Source: antrea/templates/antctl/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: antrea
+ name: antctl
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: antctl
+subjects:
+ - kind: ServiceAccount
+ name: antctl
+ namespace: kube-system
+---
+# Source: antrea/templates/controller/clusterrolebinding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: antrea-controller
labels:
app: antrea
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: antrea-controller
+subjects:
+ - kind: ServiceAccount
+ name: antrea-controller
+ namespace: kube-system
+---
+# Source: antrea/templates/controller/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
name: antrea
namespace: kube-system
+ labels:
+ app: antrea
spec:
ports:
- - port: 443
- protocol: TCP
- targetPort: api
+ - port: 443
+ protocol: TCP
+ targetPort: api
selector:
app: antrea
component: antrea-controller
---
+# Source: antrea/templates/agent/daemonset.yaml
apiVersion: apps/v1
-kind: Deployment
+kind: DaemonSet
metadata:
+ name: antrea-agent
+ namespace: kube-system
labels:
app: antrea
- component: antrea-controller
+ component: antrea-agent
+spec:
+ selector:
+ matchLabels:
+ app: antrea
+ component: antrea-agent
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ annotations:
+ # Starting with v1.21, Kubernetes supports default container annotation.
+ # Using "kubectl logs/exec/attach/cp" doesn't have to specify "-c antrea-agent" when troubleshooting.
+ kubectl.kubernetes.io/default-container: antrea-agent
+ # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
+ # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
+ checksum/config: 4605b6a5554073a43eacb44136f408bc84bd5fb4e91c95db3ddbf47add0e36d0
+ labels:
+ app: antrea
+ component: antrea-agent
+ spec:
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ priorityClassName: system-node-critical
+ nodeSelector:
+ kubernetes.io/os: linux
+ tolerations:
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - effect: NoSchedule
+ operator: Exists
+ - effect: NoExecute
+ operator: Exists
+ serviceAccountName: antrea-agent
+ initContainers:
+ - name: install-cni
+ image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest"
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: 100m
+ command: ["install_cni"]
+ securityContext:
+ capabilities:
+ add:
+ # SYS_MODULE is required to load the OVS kernel module.
+ - SYS_MODULE
+ env:
+ # SKIP_CNI_BINARIES takes in values as a comma separated list of
+ # binaries that need to be skipped for installation, e.g. "portmap, bandwidth".
+ - name: SKIP_CNI_BINARIES
+ value: ""
+ volumeMounts:
+ - name: antrea-config
+ mountPath: /etc/antrea/antrea-cni.conflist
+ subPath: antrea-cni.conflist
+ readOnly: true
+ - name: host-cni-conf
+ mountPath: /host/etc/cni/net.d
+ - name: host-cni-bin
+ mountPath: /host/opt/cni/bin
+ # For loading the OVS kernel module.
+ - name: host-lib-modules
+ mountPath: /lib/modules
+ readOnly: true
+ # For changing the default permissions of the run directory.
+ - name: host-var-run-antrea
+ mountPath: /var/run/antrea
+ containers:
+ - name: antrea-agent
+ image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest"
+ imagePullPolicy: IfNotPresent
+ command: ["antrea-agent"]
+ # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).-
+ args:
+ - "--config=/etc/antrea/antrea-agent.conf"
+ - "--logtostderr=false"
+ - "--log_dir=/var/log/antrea"
+ - "--alsologtostderr"
+ - "--log_file_max_size=100"
+ - "--log_file_max_num=4"
+ env:
+ # Provide pod and node information for clusterinformation CRD.
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ resources:
+ requests:
+ cpu: 200m
+ ports:
+ - containerPort: 10350
+ name: api
+ protocol: TCP
+ livenessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - container_liveness_probe agent
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
+ periodSeconds: 10
+ failureThreshold: 5
+ readinessProbe:
+ httpGet:
+ host: localhost
+ path: /readyz
+ port: api
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
+ periodSeconds: 10
+ # In large-scale clusters, it may take up to 40~50 seconds for the antrea-agent to reconnect to the antrea
+ # Service after the antrea-controller restarts. The antrea-agent shouldn't be reported as NotReady in this
+ # scenario, otherwise the DaemonSet controller would restart all agents at once, as opposed to performing a
+ # rolling update. Set failureThreshold to 8 so it can tolerate 70s of disconnection.
+ failureThreshold: 8
+ securityContext:
+ # antrea-agent needs to perform sysctl configuration.
+ privileged: true
+ volumeMounts:
+ - name: antrea-config
+ mountPath: /etc/antrea/antrea-agent.conf
+ subPath: antrea-agent.conf
+ readOnly: true
+ - name: host-var-run-antrea
+ mountPath: /var/run/antrea
+ - name: host-var-run-antrea
+ mountPath: /var/run/openvswitch
+ subPath: openvswitch
+ # host-local IPAM stores allocated IP addresses as files in /var/lib/cni/networks/$NETWORK_NAME.
+ # Mount a sub-directory of host-var-run-antrea to it for persistence of IP allocation.
+ - name: host-var-run-antrea
+ mountPath: /var/lib/cni
+ subPath: cni
+ # We need to mount both the /proc directory and the /var/run/netns directory so that
+ # antrea-agent can open the network namespace path when setting up Pod
+ # networking. Different container runtimes may use /proc or /var/run/netns when invoking
+ # the CNI commands. Docker uses /proc and containerd uses /var/run/netns.
+ - name: host-var-log-antrea
+ mountPath: /var/log/antrea
+ - name: host-proc
+ mountPath: /host/proc
+ readOnly: true
+ - name: host-var-run-netns
+ mountPath: /host/var/run/netns
+ readOnly: true
+ # When a container is created, a mount point for the network namespace is added under
+ # /var/run/netns on the host, which needs to be propagated to the antrea-agent container.
+ mountPropagation: HostToContainer
+ - name: xtables-lock
+ mountPath: /run/xtables.lock
+ - name: antrea-ovs
+ image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest"
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: 200m
+ command: ["start_ovs"]
+ args:
+ - "--log_file_max_size=100"
+ - "--log_file_max_num=4"
+ securityContext:
+ # capabilities required by OVS daemons
+ capabilities:
+ add:
+ - SYS_NICE
+ - NET_ADMIN
+ - SYS_ADMIN
+ - IPC_LOCK
+ livenessProbe:
+ exec:
+ # docker CRI doesn't honor timeoutSeconds, add "timeout" to the command as a workaround.
+ # https://github.com/kubernetes/kubernetes/issues/51901
+ command:
+ - /bin/sh
+ - -c
+ - timeout 10 container_liveness_probe ovs
+ initialDelaySeconds: 5
+ timeoutSeconds: 10
+ periodSeconds: 10
+ failureThreshold: 5
+ volumeMounts:
+ - name: host-var-run-antrea
+ mountPath: /var/run/openvswitch
+ subPath: openvswitch
+ - name: host-var-log-antrea
+ mountPath: /var/log/openvswitch
+ subPath: openvswitch
+ volumes:
+ - name: antrea-config
+ configMap:
+ name: antrea-config
+ - name: host-cni-conf
+ hostPath:
+ path: /etc/cni/net.d
+ - name: host-cni-bin
+ hostPath:
+ path: /opt/cni/bin
+ - name: host-proc
+ hostPath:
+ path: /proc
+ - name: host-var-run-netns
+ hostPath:
+ path: /var/run/netns
+ - name: host-var-run-antrea
+ hostPath:
+ path: /var/run/antrea
+ # we use subPath to create run subdirectories for different component (e.g. OVS) and
+ # subPath requires the base volume to exist
+ type: DirectoryOrCreate
+ - name: host-var-log-antrea
+ hostPath:
+ path: /var/log/antrea
+ # we use subPath to create logging subdirectories for different component (e.g. OVS)
+ type: DirectoryOrCreate
+ - name: host-lib-modules
+ hostPath:
+ path: /lib/modules
+ - name: xtables-lock
+ hostPath:
+ path: /run/xtables.lock
+ type: FileOrCreate
+---
+# Source: antrea/templates/controller/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
name: antrea-controller
namespace: kube-system
+ labels:
+ app: antrea
+ component: antrea-controller
spec:
- replicas: 1
+ strategy:
+ # Ensure the existing Pod is stopped before the new one is created.
+ type: Recreate
selector:
matchLabels:
app: antrea
component: antrea-controller
- strategy:
- type: Recreate
+ replicas: 1
template:
metadata:
+ annotations:
+ # Automatically restart Pod if the ConfigMap changes
+ # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
+ checksum/config: 4605b6a5554073a43eacb44136f408bc84bd5fb4e91c95db3ddbf47add0e36d0
labels:
app: antrea
component: antrea-controller
spec:
- containers:
- - args:
- - --config
- - /etc/antrea/antrea-controller.conf
- - --logtostderr=false
- - --log_dir=/var/log/antrea
- - --alsologtostderr
- - --log_file_max_size=100
- - --log_file_max_num=4
- - --v=0
- command:
- - antrea-controller
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- - name: SERVICEACCOUNT_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.serviceAccountName
- - name: ANTREA_CONFIG_MAP_NAME
- value: antrea-config-bb75mkktfg
- image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
- imagePullPolicy: IfNotPresent
- livenessProbe:
- failureThreshold: 5
- httpGet:
- host: localhost
- path: /livez
- port: api
- scheme: HTTPS
- periodSeconds: 10
- timeoutSeconds: 5
- name: antrea-controller
- ports:
- - containerPort: 10349
- name: api
- protocol: TCP
- readinessProbe:
- failureThreshold: 5
- httpGet:
- host: localhost
- path: /readyz
- port: api
- scheme: HTTPS
- initialDelaySeconds: 5
- periodSeconds: 10
- timeoutSeconds: 5
- resources:
- requests:
- cpu: 200m
- volumeMounts:
- - mountPath: /etc/antrea/antrea-controller.conf
- name: antrea-config
- readOnly: true
- subPath: antrea-controller.conf
- - mountPath: /var/run/antrea/antrea-controller-tls
- name: antrea-controller-tls
- - mountPath: /var/log/antrea
- name: host-var-log-antrea
- hostNetwork: true
nodeSelector:
kubernetes.io/os: linux
+ hostNetwork: true
priorityClassName: system-cluster-critical
- serviceAccountName: antrea-controller
tolerations:
- - key: CriticalAddonsOnly
- operator: Exists
- - effect: NoSchedule
- key: node-role.kubernetes.io/master
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/master
+ serviceAccountName: antrea-controller
+ containers:
+ - name: antrea-controller
+ image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest"
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: 200m
+ command: ["antrea-controller"]
+ # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).
+ args:
+ - "--config=/etc/antrea/antrea-controller.conf"
+ - "--logtostderr=false"
+ - "--log_dir=/var/log/antrea"
+ - "--alsologtostderr"
+ - "--log_file_max_size=100"
+ - "--log_file_max_num=4"
+ env:
+ # Provide pod and node information for clusterinformation CRD.
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ # Provide ServiceAccount name for validation webhook.
+ - name: SERVICEACCOUNT_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: ANTREA_CONFIG_MAP_NAME
+ value: antrea-config
+ ports:
+ - containerPort: 10349
+ name: api
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ host: localhost
+ path: /readyz
+ port: api
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
+ periodSeconds: 10
+ failureThreshold: 5
+ livenessProbe:
+ httpGet:
+ host: localhost
+ path: /livez
+ port: api
+ scheme: HTTPS
+ timeoutSeconds: 5
+ periodSeconds: 10
+ failureThreshold: 5
+ volumeMounts:
+ - name: antrea-config
+ mountPath: /etc/antrea/antrea-controller.conf
+ subPath: antrea-controller.conf
+ readOnly: true
+ - name: antrea-controller-tls
+ mountPath: /var/run/antrea/antrea-controller-tls
+ - name: host-var-log-antrea
+ mountPath: /var/log/antrea
volumes:
- - configMap:
- name: antrea-config-bb75mkktfg
- name: antrea-config
- - name: antrea-controller-tls
- secret:
- defaultMode: 256
- optional: true
- secretName: antrea-controller-tls
- - hostPath:
- path: /var/log/antrea
- type: DirectoryOrCreate
- name: host-var-log-antrea
+ - name: antrea-config
+ configMap:
+ name: antrea-config
+ # Make it optional as we only read it when selfSignedCert=false.
+ - name: antrea-controller-tls
+ secret:
+ secretName: antrea-controller-tls
+ defaultMode: 0400
+ optional: true
+ - name: host-var-log-antrea
+ hostPath:
+ path: /var/log/antrea
+ type: DirectoryOrCreate
---
+# Source: antrea/templates/controller/apiservices.yaml
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
+ name: v1beta2.controlplane.antrea.io
labels:
app: antrea
- name: v1alpha1.stats.antrea.io
spec:
- group: stats.antrea.io
+ group: controlplane.antrea.io
groupPriorityMinimum: 100
+ version: v1beta2
+ versionPriority: 100
service:
name: antrea
namespace: kube-system
- version: v1alpha1
- versionPriority: 100
---
+# Source: antrea/templates/controller/apiservices.yaml
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
+ name: v1beta1.system.antrea.io
labels:
app: antrea
- name: v1beta1.system.antrea.io
spec:
group: system.antrea.io
groupPriorityMinimum: 100
+ version: v1beta1
+ versionPriority: 100
service:
name: antrea
namespace: kube-system
- version: v1beta1
- versionPriority: 100
---
+# Source: antrea/templates/controller/apiservices.yaml
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
+ name: v1alpha1.stats.antrea.io
labels:
app: antrea
- name: v1beta2.controlplane.antrea.io
spec:
- group: controlplane.antrea.io
+ group: stats.antrea.io
groupPriorityMinimum: 100
+ version: v1alpha1
+ versionPriority: 100
service:
name: antrea
namespace: kube-system
- version: v1beta2
- versionPriority: 100
----
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- labels:
- app: antrea
- component: antrea-agent
- name: antrea-agent
- namespace: kube-system
-spec:
- selector:
- matchLabels:
- app: antrea
- component: antrea-agent
- template:
- metadata:
- annotations:
- kubectl.kubernetes.io/default-container: antrea-agent
- labels:
- app: antrea
- component: antrea-agent
- spec:
- containers:
- - args:
- - --config
- - /etc/antrea/antrea-agent.conf
- - --logtostderr=false
- - --log_dir=/var/log/antrea
- - --alsologtostderr
- - --log_file_max_size=100
- - --log_file_max_num=4
- - --v=0
- command:
- - antrea-agent
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
- imagePullPolicy: IfNotPresent
- livenessProbe:
- exec:
- command:
- - /bin/sh
- - -c
- - container_liveness_probe agent
- failureThreshold: 5
- initialDelaySeconds: 5
- periodSeconds: 10
- timeoutSeconds: 5
- name: antrea-agent
- ports:
- - containerPort: 10350
- name: api
- protocol: TCP
- readinessProbe:
- failureThreshold: 8
- httpGet:
- host: localhost
- path: /readyz
- port: api
- scheme: HTTPS
- initialDelaySeconds: 5
- periodSeconds: 10
- timeoutSeconds: 5
- resources:
- requests:
- cpu: 200m
- securityContext:
- privileged: true
- volumeMounts:
- - mountPath: /etc/antrea/antrea-agent.conf
- name: antrea-config
- readOnly: true
- subPath: antrea-agent.conf
- - mountPath: /var/run/antrea
- name: host-var-run-antrea
- - mountPath: /var/run/openvswitch
- name: host-var-run-antrea
- subPath: openvswitch
- - mountPath: /var/lib/cni
- name: host-var-run-antrea
- subPath: cni
- - mountPath: /var/log/antrea
- name: host-var-log-antrea
- - mountPath: /host/proc
- name: host-proc
- readOnly: true
- - mountPath: /host/var/run/netns
- mountPropagation: HostToContainer
- name: host-var-run-netns
- readOnly: true
- - mountPath: /run/xtables.lock
- name: xtables-lock
- - args:
- - --log_file_max_size=100
- - --log_file_max_num=4
- command:
- - start_ovs
- image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
- imagePullPolicy: IfNotPresent
- livenessProbe:
- exec:
- command:
- - /bin/sh
- - -c
- - timeout 10 container_liveness_probe ovs
- failureThreshold: 5
- initialDelaySeconds: 5
- periodSeconds: 10
- timeoutSeconds: 10
- name: antrea-ovs
- resources:
- requests:
- cpu: 200m
- securityContext:
- capabilities:
- add:
- - SYS_NICE
- - NET_ADMIN
- - SYS_ADMIN
- - IPC_LOCK
- volumeMounts:
- - mountPath: /var/run/openvswitch
- name: host-var-run-antrea
- subPath: openvswitch
- - mountPath: /var/log/openvswitch
- name: host-var-log-antrea
- subPath: openvswitch
- dnsPolicy: ClusterFirstWithHostNet
- hostNetwork: true
- initContainers:
- - command:
- - install_cni
- env:
- - name: SKIP_CNI_BINARIES
- value: ""
- image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
- imagePullPolicy: IfNotPresent
- name: install-cni
- resources:
- requests:
- cpu: 100m
- securityContext:
- capabilities:
- add:
- - SYS_MODULE
- volumeMounts:
- - mountPath: /etc/antrea/antrea-cni.conflist
- name: antrea-config
- readOnly: true
- subPath: antrea-cni.conflist
- - mountPath: /host/etc/cni/net.d
- name: host-cni-conf
- - mountPath: /host/opt/cni/bin
- name: host-cni-bin
- - mountPath: /lib/modules
- name: host-lib-modules
- readOnly: true
- - mountPath: /var/run/antrea
- name: host-var-run-antrea
- nodeSelector:
- kubernetes.io/os: linux
- priorityClassName: system-node-critical
- serviceAccountName: antrea-agent
- tolerations:
- - key: CriticalAddonsOnly
- operator: Exists
- - effect: NoSchedule
- operator: Exists
- - effect: NoExecute
- operator: Exists
- volumes:
- - configMap:
- name: antrea-config-bb75mkktfg
- name: antrea-config
- - hostPath:
- path: /etc/cni/net.d
- name: host-cni-conf
- - hostPath:
- path: /opt/cni/bin
- name: host-cni-bin
- - hostPath:
- path: /proc
- name: host-proc
- - hostPath:
- path: /var/run/netns
- name: host-var-run-netns
- - hostPath:
- path: /var/run/antrea
- type: DirectoryOrCreate
- name: host-var-run-antrea
- - hostPath:
- path: /var/log/antrea
- type: DirectoryOrCreate
- name: host-var-log-antrea
- - hostPath:
- path: /lib/modules
- name: host-lib-modules
- - hostPath:
- path: /run/xtables.lock
- type: FileOrCreate
- name: xtables-lock
- updateStrategy:
- type: RollingUpdate
---
+# Source: antrea/templates/webhooks/mutating/crdmutator.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
+ name: "crdmutator.antrea.io"
labels:
app: antrea
- name: crdmutator.antrea.io
webhooks:
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /mutate/acnp
- name: acnpmutator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha1
- operations:
- - CREATE
- - UPDATE
- resources:
- - clusternetworkpolicies
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /mutate/anp
- name: anpmutator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha1
- operations:
- - CREATE
- - UPDATE
- resources:
- - networkpolicies
- scope: Namespaced
- sideEffects: None
- timeoutSeconds: 5
+ - name: "acnpmutator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/mutate/acnp"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["clusternetworkpolicies"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "anpmutator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/mutate/anp"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["networkpolicies"]
+ scope: "Namespaced"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
---
+# Source: antrea/templates/webhooks/validating/crdvalidator.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
+ name: "crdvalidator.antrea.io"
labels:
app: antrea
- name: crdvalidator.antrea.io
webhooks:
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/tier
- name: tiervalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha1
- operations:
- - CREATE
- - UPDATE
- - DELETE
- resources:
- - tiers
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/acnp
- name: acnpvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha1
- operations:
- - CREATE
- - UPDATE
- resources:
- - clusternetworkpolicies
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/anp
- name: anpvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha1
- operations:
- - CREATE
- - UPDATE
- resources:
- - networkpolicies
- scope: Namespaced
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/clustergroup
- name: clustergroupvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha3
- - v1alpha2
- operations:
- - CREATE
- - UPDATE
- resources:
- - clustergroups
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/externalippool
- name: externalippoolvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha2
- operations:
- - UPDATE
- resources:
- - externalippools
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/egress
- name: egressvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha2
- operations:
- - CREATE
- - UPDATE
- resources:
- - egresses
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: antrea
- namespace: kube-system
- path: /validate/ippool
- name: ippoolvalidator.antrea.io
- rules:
- - apiGroups:
- - crd.antrea.io
- apiVersions:
- - v1alpha2
- operations:
- - CREATE
- - UPDATE
- - DELETE
- resources:
- - ippools
- scope: Cluster
- sideEffects: None
- timeoutSeconds: 5
+ - name: "tiervalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/tier"
+ rules:
+ - operations: ["CREATE", "UPDATE", "DELETE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["tiers"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "acnpvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/acnp"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["clusternetworkpolicies"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "anpvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/anp"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha1"]
+ resources: ["networkpolicies"]
+ scope: "Namespaced"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "clustergroupvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/clustergroup"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha3", "v1alpha2"]
+ resources: ["clustergroups"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "externalippoolvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/externalippool"
+ rules:
+ - operations: ["UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha2"]
+ resources: ["externalippools"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "egressvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/egress"
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha2"]
+ resources: ["egresses"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ - name: "ippoolvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: kube-system
+ path: "/validate/ippool"
+ rules:
+ - operations: ["CREATE", "UPDATE", "DELETE"]
+ apiGroups: ["crd.antrea.io"]
+ apiVersions: ["v1alpha2"]
+ resources: ["ippools"]
+ scope: "Cluster"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
diff --git a/build/yamls/base/conf/antrea-controller.conf b/build/yamls/base/conf/antrea-controller.conf
deleted file mode 100644
index 204153cb40c..00000000000
--- a/build/yamls/base/conf/antrea-controller.conf
+++ /dev/null
@@ -1,74 +0,0 @@
-# FeatureGates is a map of feature names to bools that enable or disable experimental features.
-featureGates:
-# Enable traceflow which provides packet tracing feature to diagnose network issue.
-# Traceflow: true
-
-# Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
-# to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
-# feature that supports priorities, rule actions and externalEntities in the future.
-# AntreaPolicy: true
-
-# Enable collecting and exposing NetworkPolicy statistics.
-# NetworkPolicyStats: true
-
-# Enable controlling SNAT IPs of Pod egress traffic.
-# Egress: true
-
-# Run Kubernetes NodeIPAMController with Antrea.
-# NodeIPAM: false
-
-# Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the
-# bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for
-# IPAM when configuring secondary network interfaces with Multus.
-# AntreaIPAM: false
-
-# Enable managing external IPs of Services of LoadBalancer type.
-# ServiceExternalIP: false
-
-# The port for the antrea-controller APIServer to serve on.
-# Note that if it's set to another value, the `containerPort` of the `api` port of the
-# `antrea-controller` container must be set to the same value.
-#apiPort: 10349
-
-# Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
-#enablePrometheusMetrics: true
-
-# Indicates whether to use auto-generated self-signed TLS certificate.
-# If false, A Secret named "antrea-controller-tls" must be provided with the following keys:
-# ca.crt:
-# tls.crt:
-# tls.key:
-# And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
-# antrea-controller container.
-#selfSignedCert: true
-
-# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
-# https://golang.org/pkg/crypto/tls/#pkg-constants
-# Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
-# prefer TLS1.3 Cipher Suites whenever possible.
-#tlsCipherSuites:
-
-# TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
-#tlsMinVersion:
-
-nodeIPAM:
-# Enable the integrated Node IPAM controller within the Antrea controller.
-# enableNodeIPAM: false
-
-# CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges.
-# The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family.
-# Value ignored when enableNodeIPAM is false.
-# clusterCIDRs: []
-
-# CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs.
-# Value ignored when enableNodeIPAM is false.
-# serviceCIDR:
-# serviceCIDRv6:
-
-# Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false
-# or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30.
-# nodeCIDRMaskSizeIPv4: 24
-
-# Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false
-# or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
-# nodeCIDRMaskSizeIPv6: 64
diff --git a/build/yamls/base/controller.yml b/build/yamls/base/controller.yml
deleted file mode 100644
index 7ce4a28da36..00000000000
--- a/build/yamls/base/controller.yml
+++ /dev/null
@@ -1,306 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: antrea
-spec:
- ports:
- - port: 443
- protocol: TCP
- targetPort: api
- selector:
- component: antrea-controller
----
-apiVersion: apiregistration.k8s.io/v1
-kind: APIService
-metadata:
- name: v1beta2.controlplane.antrea.io
-spec:
- group: controlplane.antrea.io
- groupPriorityMinimum: 100
- version: v1beta2
- versionPriority: 100
- service:
- name: antrea
- namespace: kube-system
----
-apiVersion: apiregistration.k8s.io/v1
-kind: APIService
-metadata:
- name: v1beta1.system.antrea.io
-spec:
- group: system.antrea.io
- groupPriorityMinimum: 100
- version: v1beta1
- versionPriority: 100
- service:
- name: antrea
- namespace: kube-system
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
- name: "crdmutator.antrea.io"
-webhooks:
- - name: "acnpmutator.antrea.io"
- clientConfig:
- service:
- name: "antrea"
- namespace: "kube-system"
- path: "/mutate/acnp"
- rules:
- - operations: ["CREATE", "UPDATE"]
- apiGroups: ["crd.antrea.io"]
- apiVersions: ["v1alpha1"]
- resources: ["clusternetworkpolicies"]
- scope: "Cluster"
- admissionReviewVersions: ["v1", "v1beta1"]
- sideEffects: None
- timeoutSeconds: 5
- - name: "anpmutator.antrea.io"
- clientConfig:
- service:
- name: "antrea"
- namespace: "kube-system"
- path: "/mutate/anp"
- rules:
- - operations: ["CREATE", "UPDATE"]
- apiGroups: ["crd.antrea.io"]
- apiVersions: ["v1alpha1"]
- resources: ["networkpolicies"]
- scope: "Namespaced"
- admissionReviewVersions: ["v1", "v1beta1"]
- sideEffects: None
- timeoutSeconds: 5
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: "crdvalidator.antrea.io"
-webhooks:
- - name: "tiervalidator.antrea.io"
- clientConfig:
- service:
- name: "antrea"
- namespace: "kube-system"
- path: "/validate/tier"
- rules:
- - operations: ["CREATE", "UPDATE", "DELETE"]
- apiGroups: ["crd.antrea.io"]
- apiVersions: ["v1alpha1"]
- resources: ["tiers"]
- scope: "Cluster"
- admissionReviewVersions: ["v1", "v1beta1"]
- sideEffects: None
- timeoutSeconds: 5
- - name: "acnpvalidator.antrea.io"
- clientConfig:
- service:
- name: "antrea"
- namespace: "kube-system"
- path: "/validate/acnp"
- rules:
- - operations: ["CREATE", "UPDATE"]
- apiGroups: ["crd.antrea.io"]
- apiVersions: ["v1alpha1"]
- resources: ["clusternetworkpolicies"]
- scope: "Cluster"
- admissionReviewVersions: ["v1", "v1beta1"]
- sideEffects: None
- timeoutSeconds: 5
- - name: "anpvalidator.antrea.io"
- clientConfig:
- service:
- name: "antrea"
- namespace: "kube-system"
- path: "/validate/anp"
- rules:
- - operations: ["CREATE", "UPDATE"]
- apiGroups: ["crd.antrea.io"]
- apiVersions: ["v1alpha1"]
- resources: ["networkpolicies"]
- scope: "Namespaced"
- admissionReviewVersions: ["v1", "v1beta1"]
- sideEffects: None
- timeoutSeconds: 5
- - name: "clustergroupvalidator.antrea.io"
- clientConfig:
- service:
- name: "antrea"
- namespace: "kube-system"
- path: "/validate/clustergroup"
- rules:
- - operations: ["CREATE", "UPDATE"]
- apiGroups: ["crd.antrea.io"]
- apiVersions: ["v1alpha3", "v1alpha2"]
- resources: ["clustergroups"]
- scope: "Cluster"
- admissionReviewVersions: ["v1", "v1beta1"]
- sideEffects: None
- timeoutSeconds: 5
- - name: "externalippoolvalidator.antrea.io"
- clientConfig:
- service:
- name: "antrea"
- namespace: "kube-system"
- path: "/validate/externalippool"
- rules:
- - operations: ["UPDATE"]
- apiGroups: ["crd.antrea.io"]
- apiVersions: ["v1alpha2"]
- resources: ["externalippools"]
- scope: "Cluster"
- admissionReviewVersions: ["v1", "v1beta1"]
- sideEffects: None
- timeoutSeconds: 5
- - name: "egressvalidator.antrea.io"
- clientConfig:
- service:
- name: "antrea"
- namespace: "kube-system"
- path: "/validate/egress"
- rules:
- - operations: ["CREATE", "UPDATE"]
- apiGroups: ["crd.antrea.io"]
- apiVersions: ["v1alpha2"]
- resources: ["egresses"]
- scope: "Cluster"
- admissionReviewVersions: ["v1", "v1beta1"]
- sideEffects: None
- timeoutSeconds: 5
- - name: "ippoolvalidator.antrea.io"
- clientConfig:
- service:
- name: "antrea"
- namespace: "kube-system"
- path: "/validate/ippool"
- rules:
- - operations: ["CREATE", "UPDATE", "DELETE"]
- apiGroups: ["crd.antrea.io"]
- apiVersions: ["v1alpha2"]
- resources: ["ippools"]
- scope: "Cluster"
- admissionReviewVersions: ["v1", "v1beta1"]
- sideEffects: None
- timeoutSeconds: 5
----
-apiVersion: apiregistration.k8s.io/v1
-kind: APIService
-metadata:
- name: v1alpha1.stats.antrea.io
-spec:
- group: stats.antrea.io
- groupPriorityMinimum: 100
- version: v1alpha1
- versionPriority: 100
- service:
- name: antrea
- namespace: kube-system
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: antrea-controller
- labels:
- component: antrea-controller
-spec:
- strategy:
- # Ensure the existing Pod is stopped before the new one is created.
- type: Recreate
- selector:
- matchLabels:
- component: antrea-controller
- template:
- metadata:
- labels:
- component: antrea-controller
- spec:
- nodeSelector:
- kubernetes.io/os: linux
- hostNetwork: true
- priorityClassName: system-cluster-critical
- tolerations:
- # Mark it as a critical add-on.
- - key: CriticalAddonsOnly
- operator: Exists
- # Allow it to schedule onto master nodes.
- - key: node-role.kubernetes.io/master
- effect: NoSchedule
- serviceAccountName: antrea-controller
- containers:
- - name: antrea-controller
- image: antrea
- resources:
- requests:
- cpu: "200m"
- command: ["antrea-controller"]
- # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).
- args: ["--config", "/etc/antrea/antrea-controller.conf", "--logtostderr=false", "--log_dir=/var/log/antrea", "--alsologtostderr", "--log_file_max_size=100", "--log_file_max_num=4", "--v=0"]
- env:
- # Provide pod and node information for clusterinformation CRD.
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- # Provide ServiceAccount name for validation webhook.
- - name: SERVICEACCOUNT_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.serviceAccountName
- - name: ANTREA_CONFIG_MAP_NAME
- value: "$(ANTREA_CONFIG_MAP_NAME)"
- ports:
- - containerPort: 10349
- name: api
- protocol: TCP
- readinessProbe:
- httpGet:
- host: localhost
- path: /readyz
- port: api
- scheme: HTTPS
- initialDelaySeconds: 5
- timeoutSeconds: 5
- periodSeconds: 10
- failureThreshold: 5
- livenessProbe:
- httpGet:
- host: localhost
- path: /livez
- port: api
- scheme: HTTPS
- timeoutSeconds: 5
- periodSeconds: 10
- failureThreshold: 5
- volumeMounts:
- - name: antrea-config
- mountPath: /etc/antrea/antrea-controller.conf
- subPath: antrea-controller.conf
- readOnly: true
- - name: antrea-controller-tls
- mountPath: /var/run/antrea/antrea-controller-tls
- - name: host-var-log-antrea
- mountPath: /var/log/antrea
- volumes:
- - name: antrea-config
- configMap:
- name: antrea-config
- # Make it optional as we only read it when selfSignedCert=false.
- - name: antrea-controller-tls
- secret:
- secretName: antrea-controller-tls
- defaultMode: 0400
- optional: true
- - name: host-var-log-antrea
- hostPath:
- path: /var/log/antrea
- type: DirectoryOrCreate
----
diff --git a/build/yamls/base/crds.yml b/build/yamls/base/crds.yml
deleted file mode 100644
index da3a2e916c4..00000000000
--- a/build/yamls/base/crds.yml
+++ /dev/null
@@ -1,2018 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: egresses.crd.antrea.io
-spec:
- group: crd.antrea.io
- versions:
- - name: v1alpha2
- served: true
- storage: true
- schema:
- openAPIV3Schema:
- type: object
- required:
- - spec
- properties:
- spec:
- type: object
- required:
- - appliedTo
- anyOf:
- - required:
- - egressIP
- - required:
- - externalIPPool
- properties:
- appliedTo:
- type: object
- properties:
- podSelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- namespaceSelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- egressIP:
- type: string
- oneOf:
- - format: ipv4
- - format: ipv6
- externalIPPool:
- type: string
- status:
- type: object
- properties:
- egressNode:
- type: string
- additionalPrinterColumns:
- - description: Specifies the SNAT IP address for the selected workloads.
- jsonPath: .spec.egressIP
- name: EgressIP
- type: string
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- - description: The Owner Node of egress IP
- jsonPath: .status.egressNode
- name: Node
- type: string
- subresources:
- status: {}
- scope: Cluster
- names:
- plural: egresses
- singular: egress
- kind: Egress
- shortNames:
- - eg
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: externalippools.crd.antrea.io
-spec:
- group: crd.antrea.io
- versions:
- - name: v1alpha2
- served: true
- storage: true
- schema:
- openAPIV3Schema:
- type: object
- required:
- - spec
- properties:
- spec:
- type: object
- required:
- - ipRanges
- - nodeSelector
- properties:
- ipRanges:
- type: array
- items:
- type: object
- oneOf:
- - required:
- - cidr
- - required:
- - start
- - end
- properties:
- cidr:
- type: string
- format: cidr
- start:
- type: string
- oneOf:
- - format: ipv4
- - format: ipv6
- end:
- type: string
- oneOf:
- - format: ipv4
- - format: ipv6
- nodeSelector:
- type: object
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- status:
- type: object
- properties:
- usage:
- type: object
- properties:
- total:
- type: integer
- used:
- type: integer
- additionalPrinterColumns:
- - description: The number of total IPs
- jsonPath: .status.usage.total
- name: Total
- type: integer
- - description: The number of allocated IPs
- jsonPath: .status.usage.used
- name: Used
- type: integer
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- subresources:
- status: {}
- scope: Cluster
- names:
- plural: externalippools
- singular: externalippool
- kind: ExternalIPPool
- shortNames:
- - eip
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: ippools.crd.antrea.io
-spec:
- group: crd.antrea.io
- versions:
- - name: v1alpha2
- served: true
- storage: true
- schema:
- openAPIV3Schema:
- type: object
- required:
- - spec
- properties:
- spec:
- required:
- - ipVersion
- - ipRanges
- type: object
- properties:
- ipVersion:
- type: integer
- ipRanges:
- items:
- oneOf:
- - required:
- - cidr
- - gateway
- - prefixLength
- - required:
- - start
- - end
- - gateway
- - prefixLength
- properties:
- cidr:
- format: cidr
- type: string
- start:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- end:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- gateway:
- oneOf:
- - format: ipv4
- - format: ipv6
- type: string
- prefixLength:
- type: integer
- vlan:
- type: integer
- minimum: 0
- maximum: 4094
- type: object
- type: array
- status:
- properties:
- ipAddresses:
- items:
- properties:
- ipAddress:
- type: string
- owner:
- properties:
- pod:
- properties:
- name:
- type: string
- namespace:
- type: string
- containerID:
- type: string
- ifName:
- type: string
- type: object
- statefulSet:
- properties:
- name:
- type: string
- namespace:
- type: string
- index:
- type: integer
- type: object
- type: object
- phase:
- type: string
- type: object
- type: array
- type: object
- subresources:
- status: {}
- scope: Cluster
- names:
- plural: ippools
- singular: ippool
- kind: IPPool
- shortNames:
- - ipp
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: antreacontrollerinfos.crd.antrea.io
-spec:
- group: crd.antrea.io
- versions:
- - name: v1beta1
- served: true
- storage: true
- schema:
- openAPIV3Schema:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- additionalPrinterColumns:
- - description: Health status of the Controller
- jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status"
- name: Healthy
- type: string
- - description: Last time the Healthy Condition was updated
- jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime"
- name: Last Heartbeat
- type: date
- - description: Version of the Controller
- jsonPath: ".version"
- name: Version
- type: string
- priority: 1
- - description: Number of Agents connected to the Controller
- jsonPath: ".connectedAgentNum"
- name: Connected Agents
- type: integer
- priority: 1
- - description: Node on which the Controller is running
- jsonPath: ".nodeRef.name"
- name: Node
- type: string
- priority: 1
- - description: Number of Network Policies computed by Controller
- jsonPath: ".networkPolicyControllerInfo.networkPolicyNum"
- name: Num Network Policies
- type: integer
- priority: 2
- scope: Cluster
- names:
- plural: antreacontrollerinfos
- singular: antreacontrollerinfo
- kind: AntreaControllerInfo
- shortNames:
- - aci
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: antreaagentinfos.crd.antrea.io
-spec:
- group: crd.antrea.io
- versions:
- - name: v1beta1
- served: true
- storage: true
- schema:
- openAPIV3Schema:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- additionalPrinterColumns:
- - description: Health status of this Agent
- jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status"
- name: Healthy
- type: string
- - description: Last time the Healthy Condition was updated
- jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime"
- name: Last Heartbeat
- type: date
- - description: Version of this Agent
- jsonPath: ".version"
- name: Version
- type: string
- priority: 1
- - description: Node on which this Agent is running
- jsonPath: ".nodeRef.name"
- name: Node
- type: string
- priority: 1
- - description: Number of local Pods managed by this Agent
- jsonPath: ".localPodNum"
- name: Num Pods
- type: integer
- priority: 2
- - description: Subnets used by this Agent for Pod IPAM
- jsonPath: ".nodeSubnets"
- name: Subnets
- type: string
- priority: 2
- scope: Cluster
- names:
- plural: antreaagentinfos
- singular: antreaagentinfo
- kind: AntreaAgentInfo
- shortNames:
- - aai
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: traceflows.crd.antrea.io
-spec:
- group: crd.antrea.io
- versions:
- - name: v1alpha1
- served: true
- storage: true
- additionalPrinterColumns:
- - jsonPath: .status.phase
- description: The phase of the Traceflow.
- name: Phase
- type: string
- - jsonPath: .spec.source.pod
- description: The name of the source Pod.
- name: Source-Pod
- type: string
- priority: 10
- - jsonPath: .spec.destination.pod
- description: The name of the destination Pod.
- name: Destination-Pod
- type: string
- priority: 10
- - jsonPath: .spec.destination.ip
- description: The IP address of the destination.
- name: Destination-IP
- type: string
- priority: 10
- - jsonPath: .spec.liveTraffic
- description: Trace live traffic.
- name: Live-Traffic
- type: boolean
- priority: 10
- - jsonPath: .spec.droppedOnly
- description: Capture only the dropped packet.
- name: Dropped-Only
- type: boolean
- priority: 10
- - jsonPath: .spec.timeout
- description: Timeout in seconds.
- name: Timeout
- type: integer
- priority: 10
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- schema:
- openAPIV3Schema:
- type: object
- required:
- - spec
- properties:
- spec:
- type: object
- properties:
- source:
- type: object
- properties:
- pod:
- type: string
- namespace:
- type: string
- ip:
- type: string
- oneOf:
- - format: ipv4
- - format: ipv6
- destination:
- type: object
- properties:
- pod:
- type: string
- service:
- type: string
- namespace:
- type: string
- ip:
- type: string
- oneOf:
- - format: ipv4
- - format: ipv6
- packet:
- type: object
- properties:
- ipHeader:
- type: object
- properties:
- srcIP:
- type: string
- oneOf:
- - format: ipv4
- - format: ipv6
- protocol:
- type: integer
- ttl:
- type: integer
- flags:
- type: integer
- ipv6Header:
- type: object
- properties:
- srcIP:
- type: string
- format: ipv6
- nextHeader:
- type: integer
- hopLimit:
- type: integer
- transportHeader:
- type: object
- properties:
- icmp:
- type: object
- properties:
- id:
- type: integer
- sequence:
- type: integer
- udp:
- type: object
- properties:
- srcPort:
- type: integer
- dstPort:
- type: integer
- tcp:
- type: object
- properties:
- srcPort:
- type: integer
- dstPort:
- type: integer
- flags:
- type: integer
- liveTraffic:
- type: boolean
- droppedOnly:
- type: boolean
- timeout:
- type: integer
- status:
- type: object
- properties:
- reason:
- type: string
- dataplaneTag:
- type: integer
- phase:
- type: string
- startTime:
- type: string
- results:
- type: array
- items:
- type: object
- properties:
- node:
- type: string
- role:
- type: string
- timestamp:
- type: integer
- observations:
- type: array
- items:
- type: object
- properties:
- component:
- type: string
- componentInfo:
- type: string
- action:
- type: string
- pod:
- type: string
- dstMAC:
- type: string
- networkPolicy:
- type: string
- ttl:
- type: integer
- translatedSrcIP:
- type: string
- translatedDstIP:
- type: string
- tunnelDstIP:
- type: string
- capturedPacket:
- properties:
- srcIP:
- type: string
- dstIP:
- type: string
- length:
- type: integer
- ipHeader:
- properties:
- flags:
- type: integer
- protocol:
- type: integer
- ttl:
- type: integer
- type: object
- ipv6Header:
- properties:
- hopLimit:
- type: integer
- nextHeader:
- type: integer
- type: object
- transportHeader:
- properties:
- tcp:
- properties:
- dstPort:
- type: integer
- srcPort:
- type: integer
- flags:
- type: integer
- type: object
- udp:
- properties:
- dstPort:
- type: integer
- srcPort:
- type: integer
- type: object
- icmp:
- properties:
- id:
- type: integer
- sequence:
- type: integer
- type: object
- type: object
- type: object
- subresources:
- status: {}
- scope: Cluster
- names:
- plural: traceflows
- singular: traceflow
- kind: Traceflow
- shortNames:
- - tf
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: tiers.crd.antrea.io
-spec:
- group: crd.antrea.io
- versions:
- - name: v1alpha1
- served: true
- storage: true
- additionalPrinterColumns:
- - name: Priority
- type: integer
- description: The Priority of this Tier relative to other Tiers.
- jsonPath: .spec.priority
- - name: Age
- type: date
- jsonPath: .metadata.creationTimestamp
- schema:
- openAPIV3Schema:
- type: object
- properties:
- spec:
- required:
- - priority
- type: object
- properties:
- priority:
- type: integer
- minimum: 0
- maximum: 255
- description:
- type: string
- scope: Cluster
- names:
- plural: tiers
- singular: tier
- kind: Tier
- shortNames:
- - tr
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: clusternetworkpolicies.crd.antrea.io
-spec:
- group: crd.antrea.io
- versions:
- - name: v1alpha1
- served: true
- storage: true
- additionalPrinterColumns:
- - name: Tier
- type: string
- description: The Tier to which this ClusterNetworkPolicy belongs to.
- jsonPath: .spec.tier
- - name: Priority
- type: number
- format: float
- description: The Priority of this ClusterNetworkPolicy relative to other policies.
- jsonPath: .spec.priority
- - name: Desired Nodes
- type: number
- format: int32
- description: The total number of Nodes that should realize the NetworkPolicy.
- jsonPath: .status.desiredNodesRealized
- - name: Current Nodes
- type: number
- format: int32
- description: The number of Nodes that have realized the NetworkPolicy.
- jsonPath: .status.currentNodesRealized
- - name: Age
- type: date
- jsonPath: .metadata.creationTimestamp
- schema:
- openAPIV3Schema:
- type: object
- properties:
- spec:
- # Ensure that Spec.Priority field is set
- required:
- - priority
- type: object
- properties:
- tier:
- type: string
- priority:
- type: number
- format: float
- # Ensure that Spec.Priority field is between 1 and 10000
- minimum: 1.0
- maximum: 10000.0
- appliedTo:
- type: array
- items:
- type: object
- # Ensure that Spec.AppliedTo does not allow IPBlock field
- properties:
- podSelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- namespaceSelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- group:
- type: string
- serviceAccount:
- type: object
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- ingress:
- type: array
- items:
- type: object
- required:
- - action
- properties:
- appliedTo:
- type: array
- items:
- type: object
- # Ensure that rule AppliedTo does not allow IPBlock field
- properties:
- podSelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- namespaceSelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- group:
- type: string
- serviceAccount:
- type: object
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- # Ensure that Action field allows only ALLOW, DROP and REJECT values
- action:
- type: string
- enum: ['Allow', 'Drop', 'Reject', 'Pass']
- ports:
- type: array
- items:
- type: object
- properties:
- protocol:
- type: string
- enum: ['TCP', 'UDP', 'SCTP']
- port:
- x-kubernetes-int-or-string: true
- endPort:
- type: integer
- from:
- type: array
- items:
- type: object
- properties:
- podSelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- namespaceSelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- namespaces:
- type: object
- properties:
- match:
- enum:
- - Self
- type: string
- ipBlock:
- type: object
- properties:
- cidr:
- type: string
- format: cidr
- group:
- type: string
- serviceAccount:
- type: object
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- nodeSelector:
- type: object
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- name:
- type: string
- enableLogging:
- type: boolean
- egress:
- type: array
- items:
- type: object
- required:
- - action
- properties:
- appliedTo:
- type: array
- items:
- type: object
- # Ensure that rule AppliedTo does not allow IPBlock field
- properties:
- podSelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- namespaceSelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- group:
- type: string
- serviceAccount:
- type: object
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- # Ensure that Action field allows only ALLOW, DROP and REJECT values
- action:
- type: string
- enum: ['Allow', 'Drop', 'Reject', 'Pass']
- ports:
- type: array
- items:
- type: object
- properties:
- protocol:
- type: string
- enum: ['TCP', 'UDP', 'SCTP']
- port:
- x-kubernetes-int-or-string: true
- endPort:
- type: integer
- to:
- type: array
- items:
- type: object
- properties:
- podSelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- namespaceSelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- namespaces:
- type: object
- properties:
- match:
- type: string
- ipBlock:
- type: object
- properties:
- cidr:
- type: string
- format: cidr
- group:
- type: string
- fqdn:
- type: string
- serviceAccount:
- type: object
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- nodeSelector:
- type: object
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- toServices:
- type: array
- items:
- type: object
- required:
- - name
- - namespace
- properties:
- name:
- type: string
- namespace:
- type: string
- name:
- type: string
- enableLogging:
- type: boolean
- status:
- type: object
- properties:
- phase:
- type: string
- observedGeneration:
- type: integer
- currentNodesRealized:
- type: integer
- desiredNodesRealized:
- type: integer
- subresources:
- status: {}
- scope: Cluster
- names:
- plural: clusternetworkpolicies
- singular: clusternetworkpolicy
- kind: ClusterNetworkPolicy
- shortNames:
- - acnp
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: networkpolicies.crd.antrea.io
-spec:
- group: crd.antrea.io
- versions:
- - name: v1alpha1
- served: true
- storage: true
- additionalPrinterColumns:
- - name: Tier
- type: string
- description: The Tier to which this Antrea NetworkPolicy belongs to.
- jsonPath: .spec.tier
- - name: Priority
- type: number
- format: float
- description: The Priority of this Antrea NetworkPolicy relative to other policies.
- jsonPath: .spec.priority
- - name: Desired Nodes
- type: number
- format: int32
- description: The total number of Nodes that should realize the NetworkPolicy.
- jsonPath: .status.desiredNodesRealized
- - name: Current Nodes
- type: number
- format: int32
- description: The number of Nodes that have realized the NetworkPolicy.
- jsonPath: .status.currentNodesRealized
- - name: Age
- type: date
- jsonPath: .metadata.creationTimestamp
- schema:
- openAPIV3Schema:
- type: object
- properties:
- spec:
- # Ensure that Spec.Priority field is set
- required:
- - priority
- type: object
- properties:
- tier:
- type: string
- priority:
- type: number
- format: float
- # Ensure that Spec.Priority field is between 1 and 10000
- minimum: 1.0
- maximum: 10000.0
- appliedTo:
- type: array
- items:
- type: object
- # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field
- properties:
- podSelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- ingress:
- type: array
- items:
- type: object
- required:
- - action
- properties:
- appliedTo:
- type: array
- items:
- type: object
- # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field
- properties:
- podSelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- # Ensure that Action field allows only ALLOW, DROP and REJECT values
- action:
- type: string
- enum: ['Allow', 'Drop', 'Reject', 'Pass']
- ports:
- type: array
- items:
- type: object
- properties:
- protocol:
- type: string
- enum: ['TCP', 'UDP', 'SCTP']
- port:
- x-kubernetes-int-or-string: true
- endPort:
- type: integer
- from:
- type: array
- items:
- type: object
- properties:
- podSelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- namespaceSelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- externalEntitySelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- ipBlock:
- type: object
- properties:
- cidr:
- type: string
- format: cidr
- nodeSelector:
- type: object
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- name:
- type: string
- enableLogging:
- type: boolean
- egress:
- type: array
- items:
- type: object
- required:
- - action
- properties:
- appliedTo:
- type: array
- items:
- type: object
- # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field
- properties:
- podSelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- # Ensure that Action field allows only ALLOW, DROP and REJECT values
- action:
- type: string
- enum: ['Allow', 'Drop', 'Reject', 'Pass']
- ports:
- type: array
- items:
- type: object
- properties:
- # Ensure that Protocol field allows only TCP, UDP and SCTP values
- protocol:
- type: string
- enum: ['TCP', 'UDP', 'SCTP']
- port:
- x-kubernetes-int-or-string: true
- endPort:
- type: integer
- to:
- type: array
- items:
- type: object
- properties:
- podSelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- namespaceSelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- externalEntitySelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- ipBlock:
- type: object
- properties:
- cidr:
- type: string
- format: cidr
- fqdn:
- type: string
- nodeSelector:
- type: object
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- type: array
- type: object
- type: array
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- toServices:
- type: array
- items:
- type: object
- required:
- - name
- properties:
- name:
- type: string
- namespace:
- type: string
- name:
- type: string
- enableLogging:
- type: boolean
- status:
- type: object
- properties:
- phase:
- type: string
- observedGeneration:
- type: integer
- currentNodesRealized:
- type: integer
- desiredNodesRealized:
- type: integer
- subresources:
- status: {}
- scope: Namespaced
- names:
- plural: networkpolicies
- singular: networkpolicy
- kind: NetworkPolicy
- shortNames:
- - anp
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: externalentities.crd.antrea.io
-spec:
- group: crd.antrea.io
- versions:
- - name: v1alpha2
- served: true
- storage: true
- schema:
- openAPIV3Schema:
- type: object
- properties:
- spec:
- type: object
- properties:
- endpoints:
- type: array
- items:
- type: object
- properties:
- ip:
- type: string
- oneOf:
- - format: ipv4
- - format: ipv6
- name:
- type: string
- ports:
- type: array
- items:
- type: object
- properties:
- protocol:
- type: string
- enum: ['TCP', 'UDP', 'SCTP']
- port:
- x-kubernetes-int-or-string: true
- name:
- type: string
- externalNode:
- type: string
- - name: v1alpha1
- served: false
- storage: false
- schema:
- openAPIV3Schema:
- type: object
- scope: Namespaced
- names:
- plural: externalentities
- singular: externalentity
- kind: ExternalEntity
- shortNames:
- - ee
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: clustergroups.crd.antrea.io
-spec:
- group: crd.antrea.io
- versions:
- - name: v1alpha2
- served: true
- storage: false
- schema:
- openAPIV3Schema:
- type: object
- properties:
- spec:
- type: object
- properties:
- childGroups:
- type: array
- items:
- type: string
- podSelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- namespaceSelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- externalEntitySelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- ipBlock:
- type: object
- properties:
- cidr:
- type: string
- format: cidr
- ipBlocks:
- type: array
- items:
- type: object
- properties:
- cidr:
- type: string
- format: cidr
- serviceReference:
- type: object
- properties:
- name:
- type: string
- namespace:
- type: string
- status:
- type: object
- properties:
- conditions:
- type: array
- items:
- type: object
- properties:
- type:
- type: string
- status:
- type: string
- lastTransitionTime:
- type: string
- - name: v1alpha3
- served: true
- storage: true
- schema:
- openAPIV3Schema:
- type: object
- properties:
- spec:
- type: object
- properties:
- childGroups:
- type: array
- items:
- type: string
- podSelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- namespaceSelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- externalEntitySelector:
- type: object
- properties:
- matchExpressions:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- operator:
- enum:
- - In
- - NotIn
- - Exists
- - DoesNotExist
- type: string
- values:
- type: array
- items:
- type: string
- pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
- matchLabels:
- x-kubernetes-preserve-unknown-fields: true
- ipBlocks:
- type: array
- items:
- type: object
- properties:
- cidr:
- type: string
- format: cidr
- serviceReference:
- type: object
- properties:
- name:
- type: string
- namespace:
- type: string
- status:
- type: object
- properties:
- conditions:
- type: array
- items:
- type: object
- properties:
- type:
- type: string
- status:
- type: string
- lastTransitionTime:
- type: string
- subresources:
- status: {}
- conversion:
- strategy: Webhook
- webhook:
- conversionReviewVersions: ["v1", "v1beta1"]
- clientConfig:
- service:
- name: "antrea"
- namespace: "kube-system"
- path: "/convert/clustergroup"
- scope: Cluster
- names:
- plural: clustergroups
- singular: clustergroup
- kind: ClusterGroup
- shortNames:
- - cg
----
diff --git a/build/yamls/base/kustomization.yml b/build/yamls/base/kustomization.yml
deleted file mode 100644
index 10bdbae589e..00000000000
--- a/build/yamls/base/kustomization.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-resources:
-- crds.yml
-- crds-rbac.yml
-- antctl.yml
-- controller-rbac.yml
-- controller.yml
-- agent-rbac.yml
-- agent.yml
-- cluster-identity-reader.yml
-configMapGenerator:
-- files:
- - conf/antrea-controller.conf
- - conf/antrea-agent.conf
- - conf/antrea-cni.conflist
- name: antrea-config
-commonLabels:
- app: antrea
-namespace: kube-system
- # Only a single active instance is supported for now.
-replicas:
-- count: 1
- name: antrea-controller
-vars:
- - name: ANTREA_CONFIG_MAP_NAME
- objref:
- kind: ConfigMap
- name: antrea-config
- apiVersion: v1
-
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
diff --git a/build/yamls/chart-values/antrea-aks.yml b/build/yamls/chart-values/antrea-aks.yml
new file mode 100644
index 00000000000..908c753f430
--- /dev/null
+++ b/build/yamls/chart-values/antrea-aks.yml
@@ -0,0 +1 @@
+trafficEncapMode: "networkPolicyOnly"
diff --git a/build/yamls/chart-values/antrea-eks.yml b/build/yamls/chart-values/antrea-eks.yml
new file mode 100644
index 00000000000..cc97b5b7462
--- /dev/null
+++ b/build/yamls/chart-values/antrea-eks.yml
@@ -0,0 +1,7 @@
+trafficEncapMode: "networkPolicyOnly"
+agent:
+ antreaAgent:
+ extraEnv:
+ # Antrea Agent needs to be aware that it is being used in EKS, as
+ # additional iptables rules may have to be installed.
+ ANTREA_CLOUD_EKS: "true"
diff --git a/build/yamls/chart-values/antrea-gke.yml b/build/yamls/chart-values/antrea-gke.yml
new file mode 100644
index 00000000000..9944593cc16
--- /dev/null
+++ b/build/yamls/chart-values/antrea-gke.yml
@@ -0,0 +1,3 @@
+trafficEncapMode: "noEncap"
+cni:
+ hostBinPath: "/home/kubernetes/bin"
diff --git a/build/yamls/chart-values/antrea-ipsec.yml b/build/yamls/chart-values/antrea-ipsec.yml
new file mode 100644
index 00000000000..d6770ea44a7
--- /dev/null
+++ b/build/yamls/chart-values/antrea-ipsec.yml
@@ -0,0 +1,3 @@
+trafficEncryptionMode: "ipsec"
+# change the tunnel type to GRE which works better with IPsec encryption than other types.
+tunnelType: "gre"
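Review bot: This values file enables IPsec but says nothing about the pre-shared key that the removed overlay used to provision: `build/yamls/patches/ipsec/ipsecSecret.yml` shipped Secret `antrea-ipsec` with a literal `psk: changeme`, and `pskEnv.yml` wired it into `ANTREA_IPSEC_PSK`. Whether the Helm chart now renders an equivalent placeholder is outside this diff, but operators rendering with these values need to know that peer authentication depends on that key and that any placeholder must be replaced before the manifest is applied. Suggest a comment at the top of the file, alongside the existing tunnel-type comment: `# IPsec authenticates peers with a pre-shared key; check the rendered antrea-ipsec Secret and replace any placeholder psk before deploying.`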
diff --git a/build/yamls/chart-values/antrea.yml b/build/yamls/chart-values/antrea.yml
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/build/yamls/patches/chaining/installCni.yml b/build/yamls/patches/chaining/installCni.yml
deleted file mode 100644
index 5e353352a19..00000000000
--- a/build/yamls/patches/chaining/installCni.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: antrea-agent
-spec:
- template:
- spec:
- initContainers:
- - name: install-cni
- command: ["install_cni_chaining"]
- securityContext:
- capabilities:
- add:
- # SYS_MODULE is required to load the OVS kernel module.
- - SYS_MODULE
diff --git a/build/yamls/patches/coverage/startAgentCov.yml b/build/yamls/patches/coverage/startAgentCov.yml
deleted file mode 100644
index 39812362b57..00000000000
--- a/build/yamls/patches/coverage/startAgentCov.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: antrea-agent
-spec:
- template:
- spec:
- initContainers:
- - name: install-cni
- image: antrea/antrea-ubuntu-coverage:latest
- containers:
- - name: antrea-agent
- command: ["/bin/sh"]
- args: ["-c", "sleep 2; antrea-agent-coverage -test.run=TestBincoverRunMain -test.coverprofile=antrea-agent.cov.out -args-file=/agent-arg-file; while true; do sleep 5 & wait $!; done"]
diff --git a/build/yamls/patches/coverage/startControllerCov.yml b/build/yamls/patches/coverage/startControllerCov.yml
deleted file mode 100644
index 8e1f187d60e..00000000000
--- a/build/yamls/patches/coverage/startControllerCov.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: antrea-controller
-spec:
- template:
- spec:
- containers:
- - command: ["/bin/sh"]
- args: ["-c", "antrea-controller-coverage -test.run=TestBincoverRunMain -test.coverprofile=antrea-controller.cov.out -args-file=/controller-arg-file; while true; do sleep 5 & wait $!; done"]
- name: antrea-controller
diff --git a/build/yamls/patches/dev/agentImagePullPolicy.yml b/build/yamls/patches/dev/agentImagePullPolicy.yml
deleted file mode 100644
index 51bf1ea8d98..00000000000
--- a/build/yamls/patches/dev/agentImagePullPolicy.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: antrea-agent
-spec:
- template:
- spec:
- containers:
- - name: antrea-agent
- imagePullPolicy: IfNotPresent
- - name: antrea-ovs
- imagePullPolicy: IfNotPresent
- initContainers:
- - name: install-cni
- imagePullPolicy: IfNotPresent
diff --git a/build/yamls/patches/dev/agentIpsecImagePullPolicy.yml b/build/yamls/patches/dev/agentIpsecImagePullPolicy.yml
deleted file mode 100644
index 50aabfcf2c3..00000000000
--- a/build/yamls/patches/dev/agentIpsecImagePullPolicy.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: antrea-agent
-spec:
- template:
- spec:
- containers:
- - name: antrea-ipsec
- imagePullPolicy: IfNotPresent
diff --git a/build/yamls/patches/dev/agentVerboseLog.yml b/build/yamls/patches/dev/agentVerboseLog.yml
deleted file mode 100644
index 4bfaaaeeea7..00000000000
--- a/build/yamls/patches/dev/agentVerboseLog.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: antrea-agent
-spec:
- template:
- spec:
- containers:
- - name: antrea-agent
- args: ["--config", "/etc/antrea/antrea-agent.conf", "--logtostderr=false", "--log_dir=/var/log/antrea", "--alsologtostderr", "--log_file_max_size=100", "--log_file_max_num=4", "--v=4"]
-
diff --git a/build/yamls/patches/dev/controllerImagePullPolicy.yml b/build/yamls/patches/dev/controllerImagePullPolicy.yml
deleted file mode 100644
index ce6bda61abb..00000000000
--- a/build/yamls/patches/dev/controllerImagePullPolicy.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: antrea-controller
-spec:
- template:
- spec:
- containers:
- - name: antrea-controller
- imagePullPolicy: IfNotPresent
diff --git a/build/yamls/patches/dev/controllerVerboseLog.yml b/build/yamls/patches/dev/controllerVerboseLog.yml
deleted file mode 100644
index 35f79946478..00000000000
--- a/build/yamls/patches/dev/controllerVerboseLog.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: antrea-controller
-spec:
- template:
- spec:
- containers:
- - name: antrea-controller
- args: ["--config", "/etc/antrea/antrea-controller.conf", "--logtostderr=false", "--log_dir=/var/log/antrea", "--alsologtostderr", "--log_file_max_size=100", "--log_file_max_num=4", "--v=4"]
-
diff --git a/build/yamls/patches/dev/onDeleteUpdateStrategy.yml b/build/yamls/patches/dev/onDeleteUpdateStrategy.yml
deleted file mode 100644
index 4e5d30be341..00000000000
--- a/build/yamls/patches/dev/onDeleteUpdateStrategy.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: antrea-agent
-spec:
- updateStrategy:
- type: OnDelete
diff --git a/build/yamls/patches/eks/eksEnv.yml b/build/yamls/patches/eks/eksEnv.yml
deleted file mode 100644
index 5ebae561433..00000000000
--- a/build/yamls/patches/eks/eksEnv.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: antrea-agent
-spec:
- template:
- spec:
- containers:
- - name: antrea-agent
- env:
- # Antrea Agent needs to be aware that it is being used in EKS, as
- # additional iptables rules may have to be installed.
- - name: ANTREA_CLOUD_EKS
- value: "true"
diff --git a/build/yamls/patches/gke/cniPath.yml b/build/yamls/patches/gke/cniPath.yml
deleted file mode 100644
index 671dbb31087..00000000000
--- a/build/yamls/patches/gke/cniPath.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: antrea-agent
-spec:
- template:
- spec:
- volumes:
- - hostPath:
- path: /home/kubernetes/bin
- name: host-cni-bin
diff --git a/build/yamls/patches/hwoffload/hwOffload.yml b/build/yamls/patches/hwoffload/hwOffload.yml
deleted file mode 100644
index bed398e1984..00000000000
--- a/build/yamls/patches/hwoffload/hwOffload.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: antrea-agent
-spec:
- template:
- spec:
- containers:
- - name: antrea-ovs
- command: ["start_ovs", "--hw-offload"]
-
diff --git a/build/yamls/patches/ipsec/ipsecContainer.yml b/build/yamls/patches/ipsec/ipsecContainer.yml
deleted file mode 100644
index a1225abdb54..00000000000
--- a/build/yamls/patches/ipsec/ipsecContainer.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: antrea-agent
-spec:
- template:
- spec:
- containers:
- - name: antrea-ipsec
- image: antrea
- resources:
- requests:
- cpu: "50m"
- command: ["start_ovs_ipsec"]
- livenessProbe:
- exec:
- command:
- - /bin/sh
- - -c
- - timeout 5 container_liveness_probe ovs-ipsec
- initialDelaySeconds: 5
- periodSeconds: 5
- securityContext:
- capabilities:
- add:
- - NET_ADMIN
- volumeMounts:
- - name: host-var-run-antrea
- mountPath: /var/run/openvswitch
- subPath: openvswitch
- - name: host-var-log-antrea
- mountPath: /var/log/openvswitch
- subPath: openvswitch
- - name: host-var-log-antrea
- mountPath: /var/log/strongswan
- subPath: strongswan
diff --git a/build/yamls/patches/ipsec/ipsecSecret.yml b/build/yamls/patches/ipsec/ipsecSecret.yml
deleted file mode 100644
index b0bb36a572a..00000000000
--- a/build/yamls/patches/ipsec/ipsecSecret.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: antrea-ipsec
- namespace: kube-system
-type: Opaque
-stringData:
- # Preshared Key used by IKE for authentication with peers.
- psk: changeme
diff --git a/build/yamls/patches/ipsec/pskEnv.yml b/build/yamls/patches/ipsec/pskEnv.yml
deleted file mode 100644
index 48d5fbaa7bb..00000000000
--- a/build/yamls/patches/ipsec/pskEnv.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: antrea-agent
-spec:
- template:
- spec:
- containers:
- - name: antrea-agent
- env:
- # Pre-shared key for IPsec IKE.
- - name: ANTREA_IPSEC_PSK
- valueFrom:
- secretKeyRef:
- name: antrea-ipsec
- key: psk
diff --git a/build/yamls/patches/kustomization.configMap.tpl.yml b/build/yamls/patches/kustomization.configMap.tpl.yml
deleted file mode 100644
index 08c34218f0a..00000000000
--- a/build/yamls/patches/kustomization.configMap.tpl.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-configMapGenerator:
-- name: antrea-config
- behavior: merge
- files:
- -
- -
diff --git a/build/yamls/patches/release/.gitignore b/build/yamls/patches/release/.gitignore
deleted file mode 100644
index fdffa2a0fd7..00000000000
--- a/build/yamls/patches/release/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-# placeholder
diff --git a/build/yamls/patches/simulator/agentNodeAffinity.yml b/build/yamls/patches/simulator/agentNodeAffinity.yml
deleted file mode 100644
index 1a922cecd3f..00000000000
--- a/build/yamls/patches/simulator/agentNodeAffinity.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: antrea-agent
-spec:
- template:
- spec:
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: antrea/instance
- operator: NotIn
- values:
- - simulator
diff --git a/build/yamls/patches/simulator/controllerNodeAffinity.yml b/build/yamls/patches/simulator/controllerNodeAffinity.yml
deleted file mode 100644
index e88e7e23d7d..00000000000
--- a/build/yamls/patches/simulator/controllerNodeAffinity.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: antrea-controller
-spec:
- template:
- spec:
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: antrea/instance
- operator: NotIn
- values:
- - simulator
diff --git a/build/yamls/patches/sriov/sriov.yml b/build/yamls/patches/sriov/sriov.yml
deleted file mode 100644
index f56c5466e02..00000000000
--- a/build/yamls/patches/sriov/sriov.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: antrea-agent
-spec:
- template:
- spec:
- containers:
- - name: antrea-agent
- volumeMounts:
- - mountPath: /var/lib/kubelet
- name: host-kubelet
- readOnly: true
- volumes:
- - hostPath:
- path: /var/lib/kubelet
- name: host-kubelet
diff --git a/build/yamls/patches/whereabouts/whereabouts-rbac.yml b/build/yamls/patches/whereabouts/whereabouts-rbac.yml
deleted file mode 100644
index 6492ac97a96..00000000000
--- a/build/yamls/patches/whereabouts/whereabouts-rbac.yml
+++ /dev/null
@@ -1,46 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: whereabouts-cni-secret
- annotations:
- kubernetes.io/service-account.name: antrea-agent-whereabouts
-type: kubernetes.io/service-account-token
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: antrea-agent-whereabouts
- namespace: kube-system
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: antrea-agent-whereabouts
-rules:
- - apiGroups:
- - whereabouts.cni.cncf.io
- resources:
- - ippools
- verbs:
- - get
- - put
- - watch
- - list
- - update
- - patch
- - create
- - delete
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: antrea-agent-whereabouts
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: antrea-agent-whereabouts
-subjects:
- - kind: ServiceAccount
- name: antrea-agent-whereabouts
- namespace: kube-system
diff --git a/build/yamls/patches/whereabouts/whereabouts.yml b/build/yamls/patches/whereabouts/whereabouts.yml
deleted file mode 100644
index 3ada5ac9bae..00000000000
--- a/build/yamls/patches/whereabouts/whereabouts.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: antrea-agent
-spec:
- template:
- spec:
- initContainers:
- - name: install-whereabouts-config
- image: antrea
- resources:
- requests:
- cpu: "100m"
- command: ["install_whereabouts_config"]
- volumeMounts:
- - name: whereabouts-cni-conf
- mountPath: /host/etc/cni/net.d/whereabouts.d
- - name: whereabouts-secret
- mountPath: /var/run/secrets/whereabouts
- containers:
- - name: antrea-agent
- volumeMounts:
- - name: whereabouts-cni-conf
- mountPath: /host/etc/cni/net.d/whereabouts.d
- - name: whereabouts-secret
- mountPath: /var/run/secrets/whereabouts
- volumes:
- - hostPath:
- path: /host/etc/cni/net.d/whereabouts.d
- name: whereabouts-cni-conf
- - name: whereabouts-secret
- secret:
- secretName: whereabouts-cni-secret
diff --git a/ci/kind/test-e2e-kind.sh b/ci/kind/test-e2e-kind.sh
index 5b56d038241..6d9d7e94337 100755
--- a/ci/kind/test-e2e-kind.sh
+++ b/ci/kind/test-e2e-kind.sh
@@ -208,9 +208,9 @@ function run_test {
if $proxy_all; then
apiserver=$(docker exec -i kind-control-plane kubectl get endpoints kubernetes --no-headers | awk '{print $2}')
if $coverage; then
- docker exec -i kind-control-plane sed -i.bak -E "s/^[[:space:]]*#kubeAPIServerOverride[[:space:]]*:[[:space:]]*[a-z\"]+[[:space:]]*$/ kubeAPIServerOverride: \"$apiserver\"/" /root/antrea-coverage.yml /root/antrea-ipsec-coverage.yml
+ docker exec -i kind-control-plane sed -i.bak -E "s/^[[:space:]]*[#]?kubeAPIServerOverride[[:space:]]*:[[:space:]]*[a-z\"]+[[:space:]]*$/ kubeAPIServerOverride: \"$apiserver\"/" /root/antrea-coverage.yml /root/antrea-ipsec-coverage.yml
else
- docker exec -i kind-control-plane sed -i.bak -E "s/^[[:space:]]*#kubeAPIServerOverride[[:space:]]*:[[:space:]]*[a-z\"]+[[:space:]]*$/ kubeAPIServerOverride: \"$apiserver\"/" /root/antrea.yml /root/antrea-ipsec.yml
+ docker exec -i kind-control-plane sed -i.bak -E "s/^[[:space:]]*[#]?kubeAPIServerOverride[[:space:]]*:[[:space:]]*[a-z\"]+[[:space:]]*$/ kubeAPIServerOverride: \"$apiserver\"/" /root/antrea.yml /root/antrea-ipsec.yml
fi
fi
sleep 1
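Review bot: The two `sed -i.bak -E` invocations in the `if $coverage` / `else` branches are byte-identical apart from the file list, and this commit had to widen the pattern in both places from `#kubeAPIServerOverride` to `[#]?kubeAPIServerOverride`; hoisting the expression into one variable before the branch keeps them from drifting, e.g. `override_expr="s/^[[:space:]]*[#]?kubeAPIServerOverride[[:space:]]*:[[:space:]]*[a-z\"]+[[:space:]]*$/ kubeAPIServerOverride: \"$apiserver\"/"` followed by `sed -i.bak -E "$override_expr" /root/antrea.yml /root/antrea-ipsec.yml` in each branch. Note also that the value class `[a-z\"]+` matches only letters and quotes, so with the `#` now optional the pattern targets the commented-out or empty-string default and would leave a line already set to an address with digits untouched; if that is the intent, a one-line comment saying so would help the next reader. The enclosing function `run_test` starts before this hunk.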
diff --git a/.markdownlint-config.yml b/hack/.markdownlint-config.yml
similarity index 100%
rename from .markdownlint-config.yml
rename to hack/.markdownlint-config.yml
diff --git a/hack/.markdownlint-ignore b/hack/.markdownlint-ignore
new file mode 100644
index 00000000000..724578f287c
--- /dev/null
+++ b/hack/.markdownlint-ignore
@@ -0,0 +1,6 @@
+CHANGELOG/
+CHANGELOG.md
+hack/netpol
+CODE_OF_CONDUCT.md
+# auto-generated file
+build/charts/antrea/README.md
diff --git a/hack/generate-manifest.sh b/hack/generate-manifest.sh
index fcb427c5f64..9209f279dad 100755
--- a/hack/generate-manifest.sh
+++ b/hack/generate-manifest.sh
@@ -21,7 +21,7 @@ function echoerr {
}
_usage="Usage: $0 [--mode (dev|release)] [--encap-mode] [--ipsec] [--no-proxy] [--no-np] [--keep] [--tun (geneve|vxlan|gre|stt)] [--verbose-log] [--help|-h]
-Generate a YAML manifest for Antrea using Kustomize and print it to stdout.
+Generate a YAML manifest for Antrea using Helm and print it to stdout.
--mode (dev|release) Choose the configuration variant that you need (default is 'dev')
--encap-mode Traffic encapsulation mode. (default is 'encap')
--cloud Generate a manifest appropriate for running Antrea in Public Cloud
@@ -29,10 +29,8 @@ Generate a YAML manifest for Antrea using Kustomize and print it to stdout.
--all-features Generate a manifest with all alpha features enabled
--no-proxy Generate a manifest with Antrea proxy disabled
--proxy-all Generate a manifest with Antrea proxy with all Service support enabled
- --no-legacy-crd Generate a manifest without legacy CRD mirroring support enabled
--endpointslice Generate a manifest with EndpointSlice support enabled
--no-np Generate a manifest with Antrea-native policies disabled
- --keep Debug flag which will preserve the generated kustomization.yml
--tun (geneve|vxlan|gre|stt) Choose encap tunnel type from geneve, gre, stt and vxlan (default is geneve)
--verbose-log Generate a manifest with increased log-level (level 4) for Antrea agent and controller.
This option will work only in 'dev' mode.
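Review bot: The `--keep` description line is removed here, but the synopsis in the previous hunk (`_usage="Usage: $0 [--mode (dev|release)] ... [--keep] [--tun ...]`) still advertises `[--keep]`, and `KEEP=false` survives in the defaults further down, so the help text now lists a flag it no longer explains. Either drop `[--keep]` from the synopsis (and the `KEEP` variable if its `case` handling was removed with the Kustomize overlay logic, which I cannot confirm from this diff) or keep a one-line description such as `--keep Debug flag which will preserve the temporary Helm values directory`. The `--no-legacy-crd` removal is consistent across its description, default and `case` branch; only `--keep` is left half-removed.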
@@ -53,11 +51,10 @@ In 'release' mode, environment variables IMG_NAME and IMG_TAG must be set.
In 'dev' mode, environment variable IMG_NAME can be set to use a custom image.
-This tool uses kustomize (https://github.com/kubernetes-sigs/kustomize) to generate manifests for
-Antrea. You can set the KUSTOMIZE environment variable to the path of the kustomize binary you want
-us to use. Otherwise we will download the appropriate version of the kustomize binary and use
-it (this is the recommended approach since different versions of kustomize may create different
-output YAMLs)."
+This tool uses Helm 3 (https://helm.sh/) to generate manifests for Antrea. You can set the HELM
+environment variable to the path of the helm binary you want us to use. Otherwise we will download
+the appropriate version of the helm binary and use it (this is the recommended approach since
+different versions of helm may create different output YAMLs)."
function print_usage {
echoerr "$_usage"
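Review bot: The new usage text says the script will "download the appropriate version of the helm binary" but not how that download is validated; for a tool whose output is applied to clusters, readers will want to know whether the helper pins a version and checks a checksum or signature before executing it. `hack/verify-helm.sh` is outside this diff, so I cannot confirm either way. If it does verify, append a sentence such as `The downloaded binary is checked against a pinned version and checksum; see hack/verify-helm.sh.`; if it does not, that check is worth adding before this wording is shipped.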
@@ -72,7 +69,6 @@ IPSEC=false
ALLFEATURES=false
PROXY=true
PROXY_ALL=false
-LEGACY_CRD=true
ENDPOINTSLICE=false
NP=true
KEEP=false
@@ -130,10 +126,6 @@ case $key in
PROXY_ALL=true
shift
;;
- --no-legacy-crd)
- LEGACY_CRD=false
- shift
- ;;
--endpointslice)
PROXY=true
ENDPOINTSLICE=true
@@ -277,264 +269,150 @@ fi
THIS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
-source $THIS_DIR/verify-kustomize.sh
+# Avoid potential Helm warnings about invalid permissions for Kubeconfig file.
+# The Kubeconfig does not matter for "helm template".
+unset KUBECONFIG
-if [ -z "$KUSTOMIZE" ]; then
- KUSTOMIZE="$(verify_kustomize)"
-elif ! $KUSTOMIZE version > /dev/null 2>&1; then
- echoerr "$KUSTOMIZE does not appear to be a valid kustomize binary"
+source $THIS_DIR/verify-helm.sh
+
+if [ -z "$HELM" ]; then
+ HELM="$(verify_helm)"
+elif ! $HELM version > /dev/null 2>&1; then
+ echoerr "$HELM does not appear to be a valid helm binary"
print_help
exit 1
fi
-KUSTOMIZATION_DIR=$THIS_DIR/../build/yamls
-
-TMP_DIR=$(mktemp -d $KUSTOMIZATION_DIR/overlays.XXXXXXXX)
-
-pushd $TMP_DIR > /dev/null
-
-BASE=../../base
-
-# do all ConfigMap edits
-mkdir configMap && cd configMap
-# user is not expected to make changes directly to antrea-agent.conf and antrea-controller.conf,
-# but instead to the generated YAML manifest, so our regexs need not be too robust.
-cp $KUSTOMIZATION_DIR/base/conf/antrea-agent.conf antrea-agent.conf
-cp $KUSTOMIZATION_DIR/base/conf/antrea-controller.conf antrea-controller.conf
+TMP_DIR=$(mktemp -d $THIS_DIR/../build/yamls/chart-values.XXXXXXXX)
+HELM_VALUES=()
+HELM_VALUES_FILES=()
if $IPSEC; then
- sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*trafficEncryptionMode[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/trafficEncryptionMode: ipsec/" antrea-agent.conf
- # change the tunnel type to GRE which works better with IPsec encryption than other types.
- sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*tunnelType[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/tunnelType: gre/" antrea-agent.conf
+ HELM_VALUES+=("trafficEncryptionMode=ipsec" "tunnelType=gre")
fi
if $FLEXIBLE_IPAM; then
- sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*AntreaIPAM[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/ AntreaIPAM: true/" antrea-controller.conf
- sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*AntreaIPAM[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/ AntreaIPAM: true/" antrea-agent.conf
- sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*enableBridgingMode[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/enableBridgingMode: true/" antrea-agent.conf
- sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*trafficEncapMode[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/trafficEncapMode: noEncap/" antrea-agent.conf
- sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*noSNAT[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/noSNAT: true/" antrea-agent.conf
+ HELM_VALUES+=("featureGates.AntreaIPAM=true" "enableBridgingMode=true" "trafficEncapMode=noEncap" "noSNAT=true")
fi
if $MULTICAST; then
- sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*trafficEncapMode[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/trafficEncapMode: noEncap/" antrea-agent.conf
- sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*Multicast[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/ Multicast: true/" antrea-agent.conf
- sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*multicastInterfaces[[:space:]]*:[[:space:]]*\[([a-zA-Z0-9]*,[[:space:]]*)*[a-zA-Z0-9]*\][[:space:]]*$/multicastInterfaces: [$MULTICAST_INTERFACES]/" antrea-agent.conf
+ HELM_VALUES+=("trafficEncapMode=noEncap" "featureGates.Multicast=true" "multicastInterfaces={$MULTICAST_INTERFACES}")
fi
if $ALLFEATURES; then
- sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*AntreaPolicy[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/ AntreaPolicy: true/" antrea-agent.conf
- sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*FlowExporter[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/ FlowExporter: true/" antrea-agent.conf
- sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*NetworkPolicyStats[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/ NetworkPolicyStats: true/" antrea-agent.conf
- sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*EndpointSlice[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/ EndpointSlice: true/" antrea-agent.conf
- sed -i.bak -E "s/^[[:space:]]*#proxyAll[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/ proxyAll: true/" antrea-agent.conf
+ HELM_VALUES+=("featureGates.FlowExporter=true" "featureGates.EndpointSlice=true" "antreaProxy.proxyAll=true")
fi
if ! $PROXY; then
- sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*AntreaProxy[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/ AntreaProxy: false/" antrea-agent.conf
+ HELM_VALUES+=("featureGates.AntreaProxy=false")
fi
if $PROXY_ALL; then
- sed -i.bak -E "s/^[[:space:]]*#proxyAll[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/ proxyAll: true/" antrea-agent.conf
-fi
-
-if ! $LEGACY_CRD; then
- sed -i.bak -E "s/^#legacyCRDMirroring[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/legacyCRDMirroring: false/" antrea-controller.conf
+ HELM_VALUES+=("antreaProxy.proxyAll=true")
fi
if $ENDPOINTSLICE; then
- sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*EndpointSlice[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/ EndpointSlice: true/" antrea-agent.conf
+ HELM_VALUES+=("featureGates.EndpointSlice=true")
fi
if ! $NP; then
- sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*AntreaPolicy[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/ AntreaPolicy: false/" antrea-controller.conf
- sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*AntreaPolicy[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/ AntreaPolicy: false/" antrea-agent.conf
+ HELM_VALUES+=("featureGates.AntreaPolicy=false")
fi
if [[ $ENCAP_MODE != "" ]]; then
- sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*trafficEncapMode[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/trafficEncapMode: $ENCAP_MODE/" antrea-agent.conf
+ HELM_VALUES+=("trafficEncapMode=$ENCAP_MODE")
fi
if [[ $TUN_TYPE != "geneve" ]]; then
- sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*tunnelType[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/tunnelType: $TUN_TYPE/" antrea-agent.conf
-fi
-
-if [[ $CLOUD != "" ]]; then
- # Delete the serviceCIDR parameter for the cloud (AKS, EKS, GKE) deployment yamls, because
- # AntreaProxy is always enabled for the cloud managed K8s clusters, and the serviceCIDR
- # parameter is not needed in this case.
- # delete all blank lines after "#serviceCIDR:"
- sed -i.bak '/#serviceCIDR:/,/^$/{/^$/d;}' antrea-agent.conf
- # delete lines from "# ClusterIP CIDR range for Services" to "#serviceCIDR:"
- sed -i.bak '/# ClusterIP CIDR range for Services/,/#serviceCIDR:/d' antrea-agent.conf
-fi
-
-# unfortunately 'kustomize edit add configmap' does not support specifying 'merge' as the behavior,
-# which is why we use a template kustomization file.
-sed -e "s//antrea-agent.conf/; s//antrea-controller.conf/" ../../patches/kustomization.configMap.tpl.yml > kustomization.yml
-$KUSTOMIZE edit add base $BASE
-BASE=../configMap
-cd ..
-
-if $IPSEC; then
- mkdir ipsec && cd ipsec
- # we copy the patch files to avoid having to use the '--load-restrictor. flag when calling
- # 'kustomize build'. See https://github.com/kubernetes-sigs/kustomize/blob/master/docs/FAQ.md#security-file-foo-is-not-in-or-below-bar
- cp ../../patches/ipsec/*.yml .
- touch kustomization.yml
- $KUSTOMIZE edit add base $BASE
- # create a K8s Secret to save the PSK (pre-shared key) for IKE authentication.
- $KUSTOMIZE edit add resource ipsecSecret.yml
- # add a container to the Agent DaemonSet that runs the OVS IPsec and strongSwan daemons.
- $KUSTOMIZE edit add patch --path ipsecContainer.yml
- # add an environment variable to the antrea-agent container for passing the PSK to Agent.
- $KUSTOMIZE edit add patch --path pskEnv.yml
- BASE=../ipsec
- cd ..
+ HELM_VALUES+=("tunnelType=$TUN_TYPE")
fi
if $COVERAGE; then
- mkdir coverage && cd coverage
- cp ../../patches/coverage/*.yml .
- touch kustomization.yml
- $KUSTOMIZE edit add base $BASE
- # this runs antrea-controller via the instrumented binary.
- $KUSTOMIZE edit add patch --path startControllerCov.yml
- # this runs antrea-agent via the instrumented binary.
- $KUSTOMIZE edit add patch --path startAgentCov.yml
- BASE=../coverage
- cd ..
+ HELM_VALUES+=("testing.coverage=true")
fi
-if [[ $ENCAP_MODE == "networkPolicyOnly" ]] ; then
- mkdir chaining && cd chaining
- cp ../../patches/chaining/*.yml .
- touch kustomization.yml
- $KUSTOMIZE edit add base $BASE
- # change initContainer script and add antrea to CNI chain
- $KUSTOMIZE edit add patch --path installCni.yml
- BASE=../chaining
- cd ..
-fi
-
if [[ $CLOUD == "GKE" ]]; then
- mkdir gke && cd gke
- cp ../../patches/gke/*.yml .
- touch kustomization.yml
- $KUSTOMIZE edit add base $BASE
- $KUSTOMIZE edit add patch --path cniPath.yml
- BASE=../gke
- cd ..
+ HELM_VALUES+=("cni.hostBinPath=/home/kubernetes/bin")
fi
if [[ $CLOUD == "EKS" ]]; then
- mkdir eks && cd eks
- cp ../../patches/eks/*.yml .
- touch kustomization.yml
- $KUSTOMIZE edit add base $BASE
- $KUSTOMIZE edit add patch --path eksEnv.yml
- BASE=../eks
- cd ..
+ HELM_VALUES+=("agent.antreaAgent.extraEnv.ANTREA_CLOUD_EKS=true")
fi
if $SIMULATOR; then
- mkdir simulator && cd simulator
- cp ../../patches/simulator/*.yml .
- touch kustomization.yml
- $KUSTOMIZE edit add base $BASE
- $KUSTOMIZE edit add patch --path agentNodeAffinity.yml
- $KUSTOMIZE edit add patch --path controllerNodeAffinity.yml
- $KUSTOMIZE edit add resource antrea-agent-simulator.yml
- BASE=../simulator
- cd ..
+ HELM_VALUES+=("testing.simulator.enable=true")
fi
if $CUSTOM_ADM_CONTROLLER; then
- mkdir admissioncontroller && cd admissioncontroller
- cp ../../patches/admissioncontroller/*.yml .
- touch kustomization.yml
- $KUSTOMIZE edit add base $BASE
- $KUSTOMIZE edit add resource webhook.yml
- BASE=../admissioncontroller
- cd ..
+ HELM_VALUES+=("webhooks.labelsMutator.enable=true")
fi
if $HW_OFFLOAD; then
- mkdir hwoffload && cd hwoffload
- cp ../../patches/hwoffload/hwOffload.yml .
- touch kustomization.yml
- $KUSTOMIZE edit add base $BASE
- $KUSTOMIZE edit add patch --path hwOffload.yml
- BASE=../hwoffload
- cd ..
+ HELM_VALUES+=("ovs.hwOffload=true")
fi
if $SRIOV; then
- mkdir sriov && cd sriov
- cp ../../patches/sriov/sriov.yml .
- touch kustomization.yml
- $KUSTOMIZE edit add base $BASE
- $KUSTOMIZE edit add patch --path sriov.yml
- BASE=../sriov
- cd ..
+ cat << EOF > $TMP_DIR/sriov.yml
+agent:
+ antreaAgent:
+ extraVolumeMounts:
+ - mountPath: /var/lib/kubelet
+ name: host-kubelet
+ readOnly: true
+ extraVolumes:
+ - hostPath:
+ path: /var/lib/kubelet
+ name: host-kubelet
+EOF
+ HELM_VALUES_FILES+=("$TMP_DIR/sriov.yml")
fi
if $WHEREABOUTS; then
- mkdir whereabouts && cd whereabouts
- cp ../../patches/whereabouts/*.yml .
- touch kustomization.yml
- $KUSTOMIZE edit add base $BASE
- $KUSTOMIZE edit add patch --path whereabouts.yml
- $KUSTOMIZE edit add resource whereabouts-rbac.yml
- BASE=../whereabouts
- cd ..
-fi
-
-mkdir $MODE && cd $MODE
-touch kustomization.yml
-$KUSTOMIZE edit add base $BASE
-# ../../patches/$MODE may be empty so we use find and not simply cp
-find ../../patches/$MODE -name \*.yml -exec cp {} . \;
+ HELM_VALUES+=("whereabouts.enable=true")
+fi
if [ "$MODE" == "dev" ]; then
if [[ -z "$IMG_NAME" ]]; then
if $COVERAGE; then
- IMG_NAME="antrea/antrea-ubuntu-coverage:latest"
- else
- IMG_NAME="projects.registry.vmware.com/antrea/antrea-ubuntu:latest"
+ HELM_VALUES+=("image.repository=antrea/antrea-ubuntu-coverage")
fi
+ else
+ HELM_VALUES+=("image.repository=$IMG_NAME")
fi
- $KUSTOMIZE edit set image antrea=$IMG_NAME
-
- $KUSTOMIZE edit add patch --path agentImagePullPolicy.yml
- $KUSTOMIZE edit add patch --path controllerImagePullPolicy.yml
if $VERBOSE_LOG; then
- $KUSTOMIZE edit add patch --path agentVerboseLog.yml
- $KUSTOMIZE edit add patch --path controllerVerboseLog.yml
- fi
-
- # only required because there is no good way at the moment to update the imagePullPolicy for all
- # containers. See https://github.com/kubernetes-sigs/kustomize/issues/1493
- if $IPSEC; then
- $KUSTOMIZE edit add patch --path agentIpsecImagePullPolicy.yml
+ HELM_VALUES+=("logVerbosity=4")
fi
if $ON_DELETE; then
- $KUSTOMIZE edit add patch --path onDeleteUpdateStrategy.yml
+ HELM_VALUES+=("agent.updateStrategy.type=OnDelete")
fi
fi
if [ "$MODE" == "release" ]; then
- $KUSTOMIZE edit set image antrea=$IMG_NAME:$IMG_TAG
+ HELM_VALUES+=("image.repository=$IMG_NAME,image.tag=$IMG_TAG")
+fi
+
+delim=""
+HELM_VALUES_OPTION=""
+for v in "${HELM_VALUES[@]}"; do
+ HELM_VALUES_OPTION="$HELM_VALUES_OPTION$delim$v"
+ delim=","
+done
+if [ "$HELM_VALUES_OPTION" != "" ]; then
+ HELM_VALUES_OPTION="--set $HELM_VALUES_OPTION"
fi
-$KUSTOMIZE build
+HELM_VALUES_FILES_OPTION=""
+for v in "${HELM_VALUES_FILES[@]}"; do
+ HELM_VALUES_FILES_OPTION="$HELM_VALUES_FILES_OPTION -f $v"
+done
-popd > /dev/null
+ANTREA_CHART="$THIS_DIR/../build/charts/antrea"
+$HELM template \
+ --namespace kube-system \
+ $HELM_VALUES_OPTION \
+ $HELM_VALUES_FILES_OPTION \
+ "$ANTREA_CHART"
-if $KEEP; then
- echoerr "Kustomization file is at $TMP_DIR/$MODE/kustomization.yml"
-else
- rm -rf $TMP_DIR
-fi
+rm -rf $TMP_DIR
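Review bot: The temporary values directory is only removed on the success path (`rm -rf $TMP_DIR` on the last line), so a failing `helm template`, or an interrupt, leaves a `build/yamls/chart-values.XXXXXXXX` directory behind inside the checkout; register the cleanup right after `mktemp` with `trap 'rm -rf "$TMP_DIR"' EXIT` and drop the trailing `rm`. The `--set` and `-f` arguments are also flattened into the strings HELM_VALUES_OPTION and HELM_VALUES_FILES_OPTION and expanded unquoted, so any value containing whitespace (IMG_NAME, MULTICAST_INTERFACES, or a THIS_DIR with a space in the path) is split into several words; since the script already uses bash arrays, collect the arguments in one and pass it as `"${HELM_ARGS[@]}"`, as below. One behaviour difference worth confirming: with `--ipsec --tun vxlan` the old `--tun` sed no longer matched once the ipsec sed had uncommented `tunnelType`, so gre won, whereas now the later `--set tunnelType=$TUN_TYPE` overrides `tunnelType=gre`. The script's preamble (`set` options and argument parsing) is outside this hunk.
```shell
# … unchanged: HELM_VALUES / HELM_VALUES_FILES population above …
HELM_ARGS=()
if [ ${#HELM_VALUES[@]} -gt 0 ]; then
    # Join the key=value pairs with commas as a single --set argument.
    HELM_ARGS+=(--set "$(IFS=,; echo "${HELM_VALUES[*]}")")
fi
for v in "${HELM_VALUES_FILES[@]}"; do
    HELM_ARGS+=(-f "$v")
done
ANTREA_CHART="$THIS_DIR/../build/charts/antrea"
$HELM template \
    --namespace kube-system \
    "${HELM_ARGS[@]}" \
    "$ANTREA_CHART"
```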
diff --git a/hack/generate-standard-manifests.sh b/hack/generate-standard-manifests.sh
new file mode 100755
index 00000000000..9f29fe03bf8
--- /dev/null
+++ b/hack/generate-standard-manifests.sh
@@ -0,0 +1,132 @@
+#!/usr/bin/env bash
+
+# Copyright 2022 Antrea Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -eo pipefail
+
+function echoerr {
+ >&2 echo "$@"
+}
+
+_usage="Usage: $0 [--mode (dev|release)] --out
+Generate standard YAML manifests for Antrea using Helm and writes them to output directory.
+ --mode (dev|release) Choose the configuration variant that you need (default is 'dev')
+ --out Output directory for generated manifetss
+ --help, -h Print this message and exit
+
+In 'release' mode, environment variables IMG_NAME and IMG_TAG must be set.
+
+In 'dev' mode, environment variable IMG_NAME can be set to use a custom image.
+
+This tool uses Helm 3 (https://helm.sh/) to generate the \"standard\" manifests for Antrea. These
+are the manifests that are checked-in into the Antrea source tree, and that are uploaded as release
+assets for each new Antrea release. This script looks for all the Helm values YAML files under
+/build/yamls/chart-values/, and generates the corresponding manifest for each one.
+
+You can set the HELM environment variable to the path of the helm binary you wan t us to
+use. Otherwise we will download the appropriate version of the helm binary and use it (this is the
+recommended approach since different versions of helm may create different output YAMLs)."
+
+function print_usage {
+ echoerr "$_usage"
+}
+
+function print_help {
+ echoerr "Try '$0 --help' for more information."
+}
+
+MODE="dev"
+OUTPUT_DIR=""
+
+while [[ $# -gt 0 ]]
+do
+key="$1"
+
+case $key in
+ --mode)
+ MODE="$2"
+ shift 2
+ ;;
+ --out)
+ OUTPUT_DIR="$2"
+ shift 2
+ ;;
+ -h|--help)
+ print_usage
+ exit 0
+ ;;
+ *) # unknown option
+ echoerr "Unknown option $1"
+ exit 1
+ ;;
+esac
+done
+
+if [ "$MODE" != "dev" ] && [ "$MODE" != "release" ]; then
+ echoerr "--mode must be one of 'dev' or 'release'"
+ print_help
+ exit 1
+fi
+
+if [ "$MODE" == "release" ] && [ -z "$IMG_NAME" ]; then
+ echoerr "In 'release' mode, environment variable IMG_NAME must be set"
+ print_help
+ exit 1
+fi
+
+if [ "$MODE" == "release" ] && [ -z "$IMG_TAG" ]; then
+ echoerr "In 'release' mode, environment variable IMG_TAG must be set"
+ print_help
+ exit 1
+fi
+
+if [ "$OUTPUT_DIR" == "" ]; then
+ echoerr "--out is required to provide output directory for generated manifests"
+ print_help
+ exit 1
+fi
+
+THIS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+# Avoid potential Helm warnings about invalid permissions for Kubeconfig file.
+# The Kubeconfig does not matter for "helm template".
+unset KUBECONFIG
+
+source $THIS_DIR/verify-helm.sh
+
+if [ -z "$HELM" ]; then
+ HELM="$(verify_helm)"
+elif ! $HELM version > /dev/null 2>&1; then
+ echoerr "$HELM does not appear to be a valid helm binary"
+ print_help
+ exit 1
+fi
+
+EXTRA_VALUES=""
+if [ "$MODE" == "release" ]; then
+ EXTRA_VALUES="--set image.repository=$IMG_NAME,image.tag=$IMG_TAG"
+fi
+
+ANTREA_CHART="$THIS_DIR/../build/charts/antrea"
+VALUES_DIR="$THIS_DIR/../build/yamls/chart-values"
+VALUES_FILES=$(cd $VALUES_DIR && find * -type f -name "*.yml" )
+for values in $VALUES_FILES; do
+ $HELM template \
+ --namespace kube-system \
+ -f "$VALUES_DIR/$values" \
+ $EXTRA_VALUES \
+ "$ANTREA_CHART" \
+ > "$OUTPUT_DIR/$values"
+done
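Review bot: The output loop at the end assumes a flat values directory and an existing output directory: `find *` also returns files in sub-directories of chart-values, for which `> "$OUTPUT_DIR/$values"` fails because that sub-directory does not exist under $OUTPUT_DIR, and `--out` itself is never created or checked, so a missing directory surfaces as a shell redirect error rather than a clear message. An empty values directory also makes the script succeed without writing anything, which would let the new CI check pass vacuously, and a failing `helm template` leaves a truncated `$OUTPUT_DIR/$values` behind because the redirect truncates the file before helm runs. If the directory is meant to stay flat, iterating a glob, writing through a temporary file and failing on an empty result addresses all three, as below; if nested values files are intended, keep `find` but create `$(dirname "$OUTPUT_DIR/$values")` first. Two typos in the usage text: `manifetss` and `wan t`.
```shell
ANTREA_CHART="$THIS_DIR/../build/charts/antrea"
VALUES_DIR="$THIS_DIR/../build/yamls/chart-values"
mkdir -p "$OUTPUT_DIR"
found=false
for values in "$VALUES_DIR"/*.yml; do
    [ -f "$values" ] || continue
    found=true
    out="$OUTPUT_DIR/$(basename "$values")"
    # Write to a temporary file so a failed helm run never leaves a truncated manifest.
    $HELM template \
        --namespace kube-system \
        -f "$values" \
        $EXTRA_VALUES \
        "$ANTREA_CHART" \
        > "$out.tmp"
    mv -f "$out.tmp" "$out"
done
if ! $found; then
    echoerr "No Helm values files found in $VALUES_DIR"
    exit 1
fi
```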
diff --git a/hack/release/prepare-assets.sh b/hack/release/prepare-assets.sh
index 6055f1e261b..f90831be9dd 100755
--- a/hack/release/prepare-assets.sh
+++ b/hack/release/prepare-assets.sh
@@ -70,11 +70,7 @@ sed "s/AntreaVersion=\"latest\"/AntreaVersion=\"$VERSION\"/" ./hack/windows/Star
export IMG_TAG=$VERSION
export IMG_NAME=projects.registry.vmware.com/antrea/antrea-ubuntu
-./hack/generate-manifest.sh --mode release > "$OUTPUT_DIR"/antrea.yml
-./hack/generate-manifest.sh --mode release --ipsec > "$OUTPUT_DIR"/antrea-ipsec.yml
-./hack/generate-manifest.sh --mode release --cloud EKS --encap-mode networkPolicyOnly > "$OUTPUT_DIR"/antrea-eks.yml
-./hack/generate-manifest.sh --mode release --cloud GKE --encap-mode noEncap > "$OUTPUT_DIR"/antrea-gke.yml
-./hack/generate-manifest.sh --mode release --cloud AKS --encap-mode networkPolicyOnly > "$OUTPUT_DIR"/antrea-aks.yml
+./hack/generate-standard-manifests.sh --mode release --out "$OUTPUT_DIR"
export IMG_NAME=projects.registry.vmware.com/antrea/octant-antrea-ubuntu
./hack/generate-manifest-octant.sh --mode release > "$OUTPUT_DIR"/antrea-octant.yml
diff --git a/hack/verify-helm.sh b/hack/verify-helm.sh
new file mode 100644
index 00000000000..e9a7fbe8279
--- /dev/null
+++ b/hack/verify-helm.sh
@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+
+# Copyright 2022 Antrea Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+THIS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+_BINDIR="$THIS_DIR/.bin"
+# Must be an exact match, as the generated YAMLs may not be consistent across
+# versions
+_HELM_VERSION="v3.8.1"
+
+# Ensure the helm tool exists and is the correct version, or install it
+verify_helm() {
+ # Check if there is already a helm binary in $_BINDIR and if yes, check if
+ # the version matches the expected one.
+ local helm="$(PATH=$_BINDIR command -v helm)"
+ if [ -x "$helm" ]; then
+ # Verify version if helm was already installed.
+ local helm_version="$($helm version --short)"
+ # Should work with:
+ # - v3.8.1
+ # - v3.8.1+g5cb9af4
+ helm_version="${helm_version%+*}"
+ if [ "${helm_version}" == "${_HELM_VERSION}" ]; then
+ # If version is exact match, stop here.
+ echo "$helm"
+ return 0
+ fi
+ >&2 echo "Detected helm version ($helm_version) does not match expected one ($_HELM_VERSION), installing correct version"
+ fi
+ local ostype=""
+ if [[ "$OSTYPE" == "linux-gnu" ]]; then
+ ostype="linux"
+ elif [[ "$OSTYPE" == "darwin"* ]]; then
+ ostype="darwin"
+ else
+ >&2 echo "Unsupported OS type $OSTYPE"
+ return 1
+ fi
+ rc=0
+ local unameArch="$(uname -m)" || rc=$?
+ if [ $rc -ne 0 ]; then
+ >&2 echo "Cannot detect architecture type, uname not available?"
+ return 1
+ fi
+ local arch=""
+ case "$unameArch" in
+ x86_64) arch="amd64";;
+ arm64) arch="arm64";;
+ *) >&2 echo "Unsupported architecture type $unameArch"; return 1;;
+ esac
+
+ >&2 echo "Installing helm"
+ local helm_url="https://get.helm.sh/helm-${_HELM_VERSION}-${ostype}-${arch}.tar.gz"
+ curl -sLo helm.tar.gz "${helm_url}" || return 1
+ mkdir -p "$_BINDIR" || return 1
+ tar -xzf helm.tar.gz -C "$_BINDIR" --strip-components=1 "${ostype}-${arch}/helm" || return 1
+ rm -f helm.tar.gz
+ helm="$_BINDIR/helm"
+ echo "$helm"
+ return 0
+}
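Review bot: verify_helm downloads the helm tarball with `curl -sLo helm.tar.gz` and extracts it without verifying a digest, so the integrity of a build tool that prepare-assets.sh now runs to produce release manifests rests entirely on TLS to get.helm.sh; since the version is already pinned exactly, pin the per-platform sha256 published next to each tarball (`<tarball>.sha256sum`) and compare it before `tar`, as below. `-s` without `-f` also saves an HTTP error body as helm.tar.gz and turns a download failure into a confusing tar error, and the archive is written into the caller's working directory rather than a temporary file and is not removed when `tar` fails. The architecture mapping only accepts `arm64`, which is what macOS reports; Linux `uname -m` reports `aarch64` on 64-bit ARM, so an arm64 Linux host is rejected as unsupported — use `aarch64|arm64) arch="arm64";;`. `rc=0` is not declared `local`, so it leaks into the sourcing script.
```shell
    # Expected sha256 of helm-${_HELM_VERSION}-<os>-<arch>.tar.gz, copied from the
    # <tarball>.sha256sum file published on get.helm.sh; update together with _HELM_VERSION.
    local expected_sha256=""
    case "${ostype}-${arch}" in
        linux-amd64)  expected_sha256="<sha256 of linux-amd64 tarball>";;
        linux-arm64)  expected_sha256="<sha256 of linux-arm64 tarball>";;
        darwin-amd64) expected_sha256="<sha256 of darwin-amd64 tarball>";;
        darwin-arm64) expected_sha256="<sha256 of darwin-arm64 tarball>";;
        *) >&2 echo "No pinned checksum for ${ostype}-${arch}"; return 1;;
    esac

    >&2 echo "Installing helm"
    local helm_url="https://get.helm.sh/helm-${_HELM_VERSION}-${ostype}-${arch}.tar.gz"
    local tarball
    tarball="$(mktemp)" || return 1
    if ! curl -fsSL --retry 3 -o "$tarball" "${helm_url}"; then
        rm -f "$tarball"
        return 1
    fi
    local actual_sha256
    actual_sha256="$(shasum -a 256 "$tarball" | cut -d' ' -f1)"
    if [ "$actual_sha256" != "$expected_sha256" ]; then
        >&2 echo "Checksum mismatch for ${helm_url}: expected ${expected_sha256}, got ${actual_sha256}"
        rm -f "$tarball"
        return 1
    fi
    mkdir -p "$_BINDIR" || { rm -f "$tarball"; return 1; }
    tar -xzf "$tarball" -C "$_BINDIR" --strip-components=1 "${ostype}-${arch}/helm" || { rm -f "$tarball"; return 1; }
    rm -f "$tarball"
    # … unchanged: helm="$_BINDIR/helm"; echo "$helm"; return 0 …
```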
diff --git a/pkg/config/controller/config.go b/pkg/config/controller/config.go
index d7e08a358a1..643d7e476cb 100644
--- a/pkg/config/controller/config.go
+++ b/pkg/config/controller/config.go
@@ -51,12 +51,10 @@ type ControllerConfig struct {
// Defaults to true.
EnablePrometheusMetrics *bool `yaml:"enablePrometheusMetrics,omitempty"`
// Indicates whether to use auto-generated self-signed TLS certificate.
- // If false, A Secret named "antrea-controller-tls" must be provided with the following keys:
+ // If false, a Secret named "antrea-controller-tls" must be provided with the following keys:
// ca.crt:
// tls.crt:
// tls.key:
- // And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
- // antrea-controller container.
// Defaults to true.
SelfSignedCert *bool `yaml:"selfSignedCert,omitempty"`
// Cipher suites to use.