From 4a3b76cae7e23157ba0eefe851aa10a8e8ccb104 Mon Sep 17 00:00:00 2001 From: Antonin Bas Date: Mon, 18 Apr 2022 18:06:14 -0700 Subject: [PATCH] Add an Helm chart for Antrea (#3578) And use the Helm templates (instead of Kustomize) to generate the standard Antrea YAML manifests (which are checked-in and uploaded as release assets). Standard manifests are generated based on Helm values files located under build/yamls/chart-values/, using a new script (./hack/generate-standard-manifests.sh). It is much faster than the old version. While I believe that using Helm directly and specifying YAML values whenever a new manifest needs to be generated would be better, the ./hack/generate-manifest.sh script is kept as-is, but it now uses Helm instead of Kustomize. Documentation for the Helm chart is autogenerated using helm-docs. In a future PR, we will look into the release process for the Helm chart. After that, Helm charts could be added for Antrea components (Flow Aggregator, Flow visibility). For #2641 Signed-off-by: Antonin Bas --- .github/workflows/go.yml | 9 + Makefile | 10 +- build/charts/Makefile | 6 + build/charts/antrea/.helmignore | 23 + build/charts/antrea/Chart.yaml | 18 + build/charts/antrea/README.md | 106 + .../antrea}/conf/antrea-agent.conf | 114 +- .../antrea}/conf/antrea-cni.conflist | 10 +- .../charts/antrea/conf/antrea-controller.conf | 73 + build/charts/antrea/templates/NOTES.txt | 1 + build/charts/antrea/templates/_helpers.tpl | 9 + .../antrea/templates/agent/clusterrole.yaml} | 22 +- .../templates/agent/clusterrolebinding.yaml | 14 + .../antrea/templates/agent/daemonset.yaml} | 194 +- .../antrea/templates/agent/ipsec-secret.yaml | 13 + .../templates/agent/serviceaccount.yaml | 7 + .../antrea/templates/antctl/clusterrole.yaml} | 25 +- .../templates/antctl/clusterrolebinding.yaml | 14 + .../templates/antctl/serviceaccount.yaml | 7 + .../clusterrolebinding.yaml} | 2 + build/charts/antrea/templates/configmap.yaml | 9 + .../templates/controller/apiservices.yaml | 44 + .../templates/controller/clusterrole.yaml} | 25 +- .../controller/clusterrolebinding.yaml | 14 + .../templates/controller/deployment.yaml | 156 + .../antrea/templates/controller/service.yaml | 15 + .../templates/controller/serviceaccount.yaml | 7 + .../templates/crds-rbac/clusterroles.yaml} | 8 +- .../templates/crds/antreaagentinfo.yaml | 52 + .../templates/crds/antreacontrollerinfo.yaml | 52 + .../antrea/templates/crds/clustergroup.yaml | 263 + .../templates/crds/clusternetworkpolicy.yaml | 541 ++ .../charts/antrea/templates/crds/egress.yaml | 112 + .../antrea/templates/crds/externalentity.yaml | 58 + .../antrea/templates/crds/externalippool.yaml | 103 + .../charts/antrea/templates/crds/ippool.yaml | 109 + .../antrea/templates/crds/networkpolicy.yaml | 444 ++ build/charts/antrea/templates/crds/tier.yaml | 42 + .../antrea/templates/crds/traceflow.yaml | 251 + .../antrea/templates/simulator/configmap.yaml | 11 + .../templates/simulator/statefulset.yaml} | 15 +- .../webhooks/mutating/crdmutator.yaml | 37 + .../webhooks/mutating/labelsmutator.yaml} | 4 + .../webhooks/validating/crdvalidator.yaml | 112 + .../templates/whereabouts/clusterrole.yaml | 22 + .../whereabouts/clusterrolebinding.yaml | 16 + .../antrea/templates/whereabouts/secret.yaml | 12 + .../templates/whereabouts/serviceaccount.yaml | 9 + build/charts/antrea/values.yaml | 266 + build/yamls/antrea-aks.yml | 6589 ++++++++-------- build/yamls/antrea-eks.yml | 6593 ++++++++-------- build/yamls/antrea-gke.yml | 6589 ++++++++-------- build/yamls/antrea-ipsec.yml | 6667 ++++++++--------- build/yamls/antrea.yml | 6586 ++++++++-------- build/yamls/base/conf/antrea-controller.conf | 74 - build/yamls/base/controller.yml | 306 - build/yamls/base/crds.yml | 2018 ----- build/yamls/base/kustomization.yml | 31 - build/yamls/chart-values/antrea-aks.yml | 1 + build/yamls/chart-values/antrea-eks.yml | 7 + build/yamls/chart-values/antrea-gke.yml | 3 + build/yamls/chart-values/antrea-ipsec.yml | 3 + build/yamls/chart-values/antrea.yml | 0 build/yamls/patches/chaining/installCni.yml | 15 - .../yamls/patches/coverage/startAgentCov.yml | 14 - .../patches/coverage/startControllerCov.yml | 11 - .../patches/dev/agentImagePullPolicy.yml | 15 - .../patches/dev/agentIpsecImagePullPolicy.yml | 10 - build/yamls/patches/dev/agentVerboseLog.yml | 11 - .../patches/dev/controllerImagePullPolicy.yml | 10 - .../patches/dev/controllerVerboseLog.yml | 11 - .../patches/dev/onDeleteUpdateStrategy.yml | 7 - build/yamls/patches/eks/eksEnv.yml | 14 - build/yamls/patches/gke/cniPath.yml | 11 - build/yamls/patches/hwoffload/hwOffload.yml | 11 - build/yamls/patches/ipsec/ipsecContainer.yml | 36 - build/yamls/patches/ipsec/ipsecSecret.yml | 10 - build/yamls/patches/ipsec/pskEnv.yml | 16 - .../patches/kustomization.configMap.tpl.yml | 6 - build/yamls/patches/release/.gitignore | 1 - .../patches/simulator/agentNodeAffinity.yml | 16 - .../simulator/controllerNodeAffinity.yml | 16 - build/yamls/patches/sriov/sriov.yml | 17 - .../patches/whereabouts/whereabouts-rbac.yml | 46 - .../yamls/patches/whereabouts/whereabouts.yml | 33 - ci/kind/test-e2e-kind.sh | 4 +- .../.markdownlint-config.yml | 0 hack/.markdownlint-ignore | 6 + hack/generate-manifest.sh | 272 +- hack/generate-standard-manifests.sh | 132 + hack/release/prepare-assets.sh | 6 +- hack/verify-helm.sh | 73 + pkg/config/controller/config.go | 4 +- 93 files changed, 20039 insertions(+), 19748 deletions(-) create mode 100644 build/charts/Makefile create mode 100644 build/charts/antrea/.helmignore create mode 100644 build/charts/antrea/Chart.yaml create mode 100644 build/charts/antrea/README.md rename build/{yamls/base => charts/antrea}/conf/antrea-agent.conf (77%) rename build/{yamls/base => charts/antrea}/conf/antrea-cni.conflist (68%) create mode 100644 build/charts/antrea/conf/antrea-controller.conf create mode 100644 build/charts/antrea/templates/NOTES.txt create mode 100644 build/charts/antrea/templates/_helpers.tpl rename build/{yamls/base/agent-rbac.yml => charts/antrea/templates/agent/clusterrole.yaml} (90%) create mode 100644 build/charts/antrea/templates/agent/clusterrolebinding.yaml rename build/{yamls/base/agent.yml => charts/antrea/templates/agent/daemonset.yaml} (52%) create mode 100644 build/charts/antrea/templates/agent/ipsec-secret.yaml create mode 100644 build/charts/antrea/templates/agent/serviceaccount.yaml rename build/{yamls/base/antctl.yml => charts/antrea/templates/antctl/clusterrole.yaml} (73%) create mode 100644 build/charts/antrea/templates/antctl/clusterrolebinding.yaml create mode 100644 build/charts/antrea/templates/antctl/serviceaccount.yaml rename build/{yamls/base/cluster-identity-reader.yml => charts/antrea/templates/cluster-identity-reader/clusterrolebinding.yaml} (90%) create mode 100644 build/charts/antrea/templates/configmap.yaml create mode 100644 build/charts/antrea/templates/controller/apiservices.yaml rename build/{yamls/base/controller-rbac.yml => charts/antrea/templates/controller/clusterrole.yaml} (92%) create mode 100644 build/charts/antrea/templates/controller/clusterrolebinding.yaml create mode 100644 build/charts/antrea/templates/controller/deployment.yaml create mode 100644 build/charts/antrea/templates/controller/service.yaml create mode 100644 build/charts/antrea/templates/controller/serviceaccount.yaml rename build/{yamls/base/crds-rbac.yml => charts/antrea/templates/crds-rbac/clusterroles.yaml} (96%) create mode 100644 build/charts/antrea/templates/crds/antreaagentinfo.yaml create mode 100644 build/charts/antrea/templates/crds/antreacontrollerinfo.yaml create mode 100644 build/charts/antrea/templates/crds/clustergroup.yaml create mode 100644 build/charts/antrea/templates/crds/clusternetworkpolicy.yaml create mode 100644 build/charts/antrea/templates/crds/egress.yaml create mode 100644 build/charts/antrea/templates/crds/externalentity.yaml create mode 100644 build/charts/antrea/templates/crds/externalippool.yaml create mode 100644 build/charts/antrea/templates/crds/ippool.yaml create mode 100644 build/charts/antrea/templates/crds/networkpolicy.yaml create mode 100644 build/charts/antrea/templates/crds/tier.yaml create mode 100644 build/charts/antrea/templates/crds/traceflow.yaml create mode 100644 build/charts/antrea/templates/simulator/configmap.yaml rename build/{yamls/patches/simulator/antrea-agent-simulator.yml => charts/antrea/templates/simulator/statefulset.yaml} (96%) create mode 100644 build/charts/antrea/templates/webhooks/mutating/crdmutator.yaml rename build/{yamls/patches/admissioncontroller/webhook.yml => charts/antrea/templates/webhooks/mutating/labelsmutator.yaml} (86%) create mode 100644 build/charts/antrea/templates/webhooks/validating/crdvalidator.yaml create mode 100644 build/charts/antrea/templates/whereabouts/clusterrole.yaml create mode 100644 build/charts/antrea/templates/whereabouts/clusterrolebinding.yaml create mode 100644 build/charts/antrea/templates/whereabouts/secret.yaml create mode 100644 build/charts/antrea/templates/whereabouts/serviceaccount.yaml create mode 100644 build/charts/antrea/values.yaml delete mode 100644 build/yamls/base/conf/antrea-controller.conf delete mode 100644 build/yamls/base/controller.yml delete mode 100644 build/yamls/base/crds.yml delete mode 100644 build/yamls/base/kustomization.yml create mode 100644 build/yamls/chart-values/antrea-aks.yml create mode 100644 build/yamls/chart-values/antrea-eks.yml create mode 100644 build/yamls/chart-values/antrea-gke.yml create mode 100644 build/yamls/chart-values/antrea-ipsec.yml create mode 100644 build/yamls/chart-values/antrea.yml delete mode 100644 build/yamls/patches/chaining/installCni.yml delete mode 100644 build/yamls/patches/coverage/startAgentCov.yml delete mode 100644 build/yamls/patches/coverage/startControllerCov.yml delete mode 100644 build/yamls/patches/dev/agentImagePullPolicy.yml delete mode 100644 build/yamls/patches/dev/agentIpsecImagePullPolicy.yml delete mode 100644 build/yamls/patches/dev/agentVerboseLog.yml delete mode 100644 build/yamls/patches/dev/controllerImagePullPolicy.yml delete mode 100644 build/yamls/patches/dev/controllerVerboseLog.yml delete mode 100644 build/yamls/patches/dev/onDeleteUpdateStrategy.yml delete mode 100644 build/yamls/patches/eks/eksEnv.yml delete mode 100644 build/yamls/patches/gke/cniPath.yml delete mode 100644 build/yamls/patches/hwoffload/hwOffload.yml delete mode 100644 build/yamls/patches/ipsec/ipsecContainer.yml delete mode 100644 build/yamls/patches/ipsec/ipsecSecret.yml delete mode 100644 build/yamls/patches/ipsec/pskEnv.yml delete mode 100644 build/yamls/patches/kustomization.configMap.tpl.yml delete mode 100644 build/yamls/patches/release/.gitignore delete mode 100644 build/yamls/patches/simulator/agentNodeAffinity.yml delete mode 100644 build/yamls/patches/simulator/controllerNodeAffinity.yml delete mode 100644 build/yamls/patches/sriov/sriov.yml delete mode 100644 build/yamls/patches/whereabouts/whereabouts-rbac.yml delete mode 100644 build/yamls/patches/whereabouts/whereabouts.yml rename .markdownlint-config.yml => hack/.markdownlint-config.yml (100%) create mode 100644 hack/.markdownlint-ignore create mode 100755 hack/generate-standard-manifests.sh create mode 100644 hack/verify-helm.sh diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 3d06f76d181..d4640d0d2c4 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -224,6 +224,15 @@ jobs: run: | sudo npm install -g markdownlint-cli@0.31.1 make markdownlint + - name: Checking whether autogenerated Helm chart documentation is up-to-date + working-directory: build/charts/ + run: | + make helm-docs + DIFF=$(git diff .) + if [ -n "$DIFF" ]; then + echo "The Helm chart documentation is out-of-date; please run 'make helm-docs' in 'build/charts/' and commit the changes" + exit 1 + fi benchmark: needs: check-changes diff --git a/Makefile b/Makefile index 73f0ed5d634..b307d51b9a4 100644 --- a/Makefile +++ b/Makefile @@ -351,11 +351,7 @@ build-scale-simulator: .PHONY: manifest manifest: @echo "===> Generating dev manifest for Antrea <===" - $(CURDIR)/hack/generate-manifest.sh --mode dev > build/yamls/antrea.yml - $(CURDIR)/hack/generate-manifest.sh --mode dev --ipsec > build/yamls/antrea-ipsec.yml - $(CURDIR)/hack/generate-manifest.sh --mode dev --cloud EKS --encap-mode networkPolicyOnly > build/yamls/antrea-eks.yml - $(CURDIR)/hack/generate-manifest.sh --mode dev --cloud GKE --encap-mode noEncap > build/yamls/antrea-gke.yml - $(CURDIR)/hack/generate-manifest.sh --mode dev --cloud AKS --encap-mode networkPolicyOnly > build/yamls/antrea-aks.yml + $(CURDIR)/hack/generate-standard-manifests.sh --mode dev --out build/yamls $(CURDIR)/hack/generate-manifest-octant.sh --mode dev > build/yamls/antrea-octant.yml $(CURDIR)/hack/generate-manifest-windows.sh --mode dev > build/yamls/antrea-windows.yml $(CURDIR)/hack/generate-manifest-flow-aggregator.sh --mode dev > build/yamls/flow-aggregator.yml @@ -439,12 +435,12 @@ toc: .PHONE: markdownlint markdownlint: @echo "===> Running markdownlint <===" - markdownlint -c .markdownlint-config.yml -i CHANGELOG/ -i CHANGELOG.md -i hack/netpol -i CODE_OF_CONDUCT.md . + markdownlint -c hack/.markdownlint-config.yml -p hack/.markdownlint-ignore . .PHONE: markdownlint-fix markdownlint-fix: @echo "===> Running markdownlint <===" - markdownlint --fix -c .markdownlint-config.yml -i CHANGELOG/ -i CHANGELOG.md -i hack/netpol -i CODE_OF_CONDUCT.md . + markdownlint --fix -c hack/.markdownlint-config.yml -p hack/.markdownlint-ignore . .PHONY: spelling-fix spelling-fix: diff --git a/build/charts/Makefile b/build/charts/Makefile new file mode 100644 index 00000000000..608a7eafa98 --- /dev/null +++ b/build/charts/Makefile @@ -0,0 +1,6 @@ +USERID := $(shell id -u) +GRPID := $(shell id -g) + +.PHONY: helm-docs +helm-docs: + docker run --rm --volume "$(CURDIR):/helm-docs" --user=$(USERID):$(GRPID) jnorwood/helm-docs:v1.7.0 diff --git a/build/charts/antrea/.helmignore b/build/charts/antrea/.helmignore new file mode 100644 index 00000000000..0e8a0eb36f4 --- /dev/null +++ b/build/charts/antrea/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/build/charts/antrea/Chart.yaml b/build/charts/antrea/Chart.yaml new file mode 100644 index 00000000000..d835cf2b082 --- /dev/null +++ b/build/charts/antrea/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +name: antrea +type: application +displayName: Antrea +home: https://antrea.io/ +version: 1.17.0-dev +appVersion: 1.17.0-dev +kubeVersion: ">= 1.16.0-0" +icon: https://raw.githubusercontent.com/antrea-io/antrea/main/docs/assets/logo/antrea_logo.svg +description: Kubernetes networking based on Open vSwitch +keywords: + - Kubernetes + - CNCF + - Networking + - CNI + - Security +sources: + - https://github.com/antrea-io/antrea diff --git a/build/charts/antrea/README.md b/build/charts/antrea/README.md new file mode 100644 index 00000000000..9005e7c0b0d --- /dev/null +++ b/build/charts/antrea/README.md @@ -0,0 +1,106 @@ +# antrea + +![Version: 1.17.0-dev](https://img.shields.io/badge/Version-1.17.0--dev-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.17.0-dev](https://img.shields.io/badge/AppVersion-1.17.0--dev-informational?style=flat-square) + +Kubernetes networking based on Open vSwitch + +**Homepage:** + +## Source Code + +* + +## Requirements + +Kubernetes: `>= 1.16.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| agent.affinity | object | `{}` | Affinity for the antrea-agent Pods. | +| agent.antreaAgent.extraArgs | list | `[]` | Extra command-line arguments for antrea-agent. | +| agent.antreaAgent.extraEnv | object | `{}` | Extra environment variables to be injected into antrea-agent. | +| agent.antreaAgent.extraVolumeMounts | list | `[]` | Additional volumeMounts for the antrea-agent container. | +| agent.antreaAgent.logFileMaxNum | int | `4` | Max number of log files. | +| agent.antreaAgent.logFileMaxSize | int | `100` | Max size in MBs of any single log file. | +| agent.antreaAgent.resources | object | `{"requests":{"cpu":"200m"}}` | Resource requests and limits for the antrea-agent container. | +| agent.antreaIPsec.resources | object | `{"requests":{"cpu":"50m"}}` | Resource requests and limits for the antrea-ipsec container (when IPsec is enabled). | +| agent.antreaOVS.extraArgs | list | `[]` | Extra command-line arguments for antrea-ovs. | +| agent.antreaOVS.logFileMaxNum | int | `4` | Max number of log files. | +| agent.antreaOVS.logFileMaxSize | int | `100` | Max size in MBs of any single log file. | +| agent.antreaOVS.resources | object | `{"requests":{"cpu":"200m"}}` | Resource requests and limits for the antrea-ovs container. | +| agent.apiPort | int | `10350` | Port for the antrea-agent APIServer to serve on. | +| agent.dnsPolicy | string | `"ClusterFirstWithHostNet"` | DNS Policy for the antrea-agent Pods. | +| agent.enablePrometheusMetrics | bool | `true` | Enable metrics exposure via Prometheus. | +| agent.extraVolumes | list | `[]` | Additional volumes for antrea-agent Pods. | +| agent.installCNI.resources | object | `{"requests":{"cpu":"100m"}}` | Resource requests and limits for the install-cni initContainer. | +| agent.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node selector for the antrea-agent Pods. | +| agent.podAnnotations | object | `{}` | Annotations to be added to antrea-agent Pods. | +| agent.podLabels | object | `{}` | Labels to be added to antrea-agent Pods. | +| agent.priorityClassName | string | `"system-node-critical"` | Prority class to use for the antrea-agent Pods. | +| agent.tolerations | list | `[{"key":"CriticalAddonsOnly","operator":"Exists"},{"effect":"NoSchedule","operator":"Exists"},{"effect":"NoExecute","operator":"Exists"}]` | Tolerations for the antrea-agent Pods. | +| agent.updateStrategy | object | `{"type":"RollingUpdate"}` | Update strategy for the antrea-agent DaemonSet. | +| antreaProxy.nodePortAddresses | list | `[]` | String array of values which specifies the host IPv4/IPv6 addresses for NodePort. By default, all host addresses are used. | +| antreaProxy.proxyAll | bool | `false` | Proxy all Service traffic, for all Service types, regardless of where it comes from. | +| antreaProxy.proxyLoadBalancerIPs | bool | `true` | When set to false, AntreaProxy no longer load-balances traffic destined to the External IPs of LoadBalancer Services. | +| antreaProxy.skipServices | list | `[]` | | +| cni.hostBinPath | string | `"/opt/cni/bin"` | Installation path of CNI binaries on the host. | +| cni.plugins | object | `{"bandwidth":true,"portmap":true}` | Chained plugins to use alongside antrea-cni. | +| cni.skipBinaries | list | `[]` | CNI binaries shipped with Antrea for which installation should be skipped. | +| controller.affinity | object | `{}` | Affinity for the antrea-controller Pod. | +| controller.antreaController.extraArgs | list | `[]` | Extra command-line arguments for antrea-controller. | +| controller.antreaController.extraEnv | object | `{}` | Extra environment variables to be injected into antrea-controller. | +| controller.antreaController.logFileMaxNum | int | `4` | Max number of log files. | +| controller.antreaController.logFileMaxSize | int | `100` | Max size in MBs of any single log file. | +| controller.antreaController.resources | object | `{"requests":{"cpu":"200m"}}` | Resource requests and limits for the antrea-controller container. | +| controller.apiPort | int | `10349` | Port for the antrea-controller APIServer to serve on. | +| controller.enablePrometheusMetrics | bool | `true` | Enable metrics exposure via Prometheus. | +| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node selector for the antrea-controller Pod. | +| controller.podAnnotations | object | `{}` | Annotations to be added to antrea-controller Pod. | +| controller.podLabels | object | `{}` | Labels to be added to antrea-controller Pod. | +| controller.priorityClassName | string | `"system-cluster-critical"` | Prority class to use for the antrea-controller Pod. | +| controller.selfSignedCert | bool | `true` | Indicates whether to use auto-generated self-signed TLS certificates. If false, a Secret named "antrea-controller-tls" must be provided with the following keys: ca.crt, tls.crt, tls.key. | +| controller.tolerations | list | `[{"key":"CriticalAddonsOnly","operator":"Exists"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"}]` | Tolerations for the antrea-controller Pod. | +| defaultMTU | int | `0` | Default MTU to use for the host gateway interface and the network interface of each Pod. By default, antrea-agent will discover the MTU of the Node's primary interface and adjust it to accommodate for tunnel encapsulation overhead if applicable. | +| egress.exceptCIDRs | list | `[]` | CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. | +| enableBridgingMode | bool | `false` | Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected to the OVS bridge. | +| featureGates | object | `{}` | To explicitly enable or disable a FeatureGate and bypass the Antrea defaults, add an entry to the dictionary with the FeatureGate's name as the key and a boolean as the value. | +| flowCollector.activeFlowExportTimeout | string | `"5s"` | timeout after which a flow record is sent to the collector for active flows. | +| flowCollector.collectorAddr | string | `"flow-aggregator.flow-aggregator.svc:4739:tls"` | IPFIX collector address as a string with format :[][:]. | +| flowCollector.flowPollInterval | string | `"5s"` | Determines how often the flow exporter polls for new connections. | +| flowCollector.idleFlowExportTimeout | string | `"15s"` | timeout after which a flow record is sent to the collector for idle flows. | +| hostGateway | string | `"antrea-gw0"` | Name of the interface antrea-agent will create and use for host <-> Pod communication. | +| image | object | `{"pullPolicy":"IfNotPresent","repository":"projects.registry.vmware.com/antrea/antrea-ubuntu","tag":"latest"}` | Container image to use for Antrea components. | +| ipsec.psk | string | `"changeme"` | Preshared Key (PSK) for IKE authentication. It will be stored in a secret and passed to antrea-agent as an environment variable. | +| kubeAPIServerOverride | string | `""` | Address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. | +| logVerbosity | int | `0` | | +| multicastInterfaces | list | `[]` | Names of the interfaces on Nodes that are used to forward multicast traffic. | +| noSNAT | bool | `false` | Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. | +| nodeIPAM.clusterCIDRs | list | `[]` | CIDR ranges to use when allocating Pod IP addresses. | +| nodeIPAM.enable | bool | `false` | Enable Node IPAM in Antrea | +| nodeIPAM.nodeCIDRMaskSizeIPv4 | int | `24` | Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. | +| nodeIPAM.nodeCIDRMaskSizeIPv6 | int | `64` | Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. | +| nodeIPAM.serviceCIDR | string | `""` | IPv4 CIDR ranges reserved for Services. | +| nodeIPAM.serviceCIDRv6 | string | `""` | IPv6 CIDR ranges reserved for Services. | +| nodePortLocal.enable | bool | `false` | Enable the NodePortLocal feature. | +| nodePortLocal.portRange | string | `"61000-62000"` | Port range used by NodePortLocal when creating Pod port mappings. | +| ovs.bridgeName | string | `"br-int"` | Name of the OVS bridge antrea-agent will create and use. | +| ovs.hwOffload | bool | `false` | Enable hardware offload for the OVS bridge (required additional configuration). | +| serviceCIDR | string | `""` | IPv4 CIDR range used for Services. Required when AntreaProxy is disabled. | +| serviceCIDRv6 | string | `""` | IPv6 CIDR range used for Services. Required when AntreaProxy is disabled. | +| testing.coverage | bool | `false` | | +| testing.simulator.enable | bool | `false` | | +| tlsCipherSuites | string | `""` | Comma-separated list of cipher suites that will be used by the Antrea APIservers. If empty, the default Go Cipher Suites will be used. See https://golang.org/pkg/crypto/tls/#pkg-constants. | +| tlsMinVersion | string | `""` | TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. | +| trafficEncapMode | string | `"encap"` | Determines how traffic is encapsulated. It must be one of "encap", "noEncap", "hybrid", or "networkPolicyOnly". | +| trafficEncryptionMode | string | `"none"` | Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode.It must be one of "none", "ipsec", "wireGuard". | +| transportInterface | string | `""` | Name of the interface on Node which is used for tunneling or routing the traffic across Nodes. | +| transportInterfaceCIDRs | list | `[]` | Network CIDRs of the interface on Node which is used for tunneling or routing the traffic across Nodes. | +| tunnelType | string | `"geneve"` | Tunnel protocol used for encapsulating traffic across Nodes. It must be one of "geneve", "vxlan", "gre", "stt". | +| webhooks.labelsMutator.enable | bool | `false` | | +| whereabouts.enable | bool | `false` | | +| wireGuard.port | int | `51820` | Port for WireGuard to send and receive traffic. | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/build/yamls/base/conf/antrea-agent.conf b/build/charts/antrea/conf/antrea-agent.conf similarity index 77% rename from build/yamls/base/conf/antrea-agent.conf rename to build/charts/antrea/conf/antrea-agent.conf index 01745c081e1..174ea80888c 100644 --- a/build/yamls/base/conf/antrea-agent.conf +++ b/build/charts/antrea/conf/antrea-agent.conf @@ -3,65 +3,64 @@ featureGates: # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on # Service traffic. -# AntreaProxy: true +{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "AntreaProxy" "default" true) }} # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, # this flag will not take effect. -# EndpointSlice: false +{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "EndpointSlice" "default" false) }} # Enable traceflow which provides packet tracing feature to diagnose network issue. -# Traceflow: true +{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "Traceflow" "default" true) }} # Enable NodePortLocal feature to make the Pods reachable externally through NodePort -# NodePortLocal: true +{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "NodePortLocal" "default" true) }} # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy # feature that supports priorities, rule actions and externalEntities in the future. -# AntreaPolicy: true +{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "AntreaPolicy" "default" true) }} # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each # agent to a configured collector. -# FlowExporter: false +{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "FlowExporter" "default" false) }} # Enable collecting and exposing NetworkPolicy statistics. -# NetworkPolicyStats: true +{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "NetworkPolicyStats" "default" true) }} # Enable controlling SNAT IPs of Pod egress traffic. -# Egress: true +{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "Egress" "default" true) }} # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for # IPAM when configuring secondary network interfaces with Multus. -# AntreaIPAM: false +{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "AntreaIPAM" "default" false) }} # Enable multicast traffic. This feature is supported only with noEncap mode. -# Multicast: false +{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "Multicast" "default" false) }} # Enable support for provisioning secondary network interfaces for Pods (using # Pod annotations). At the moment, Antrea can only create secondary network # interfaces using SR-IOV VFs on baremetal Nodes. -# SecondaryNetwork: false +{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "SecondaryNetwork" "default" false) }} # Enable managing external IPs of Services of LoadBalancer type. -# ServiceExternalIP: false +{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "ServiceExternalIP" "default" false) }} # Name of the OpenVSwitch bridge antrea-agent will create and use. # Make sure it doesn't conflict with your existing OpenVSwitch bridges. -#ovsBridge: br-int +ovsBridge: {{ .Values.ovs.bridgeName | quote }} # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: # - system # - netdev # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run -# OVS in userspace mode (not fully supported yet). Userspace mode requires the tun device driver to -# be available. +# OVS in userspace mode. Userspace mode requires the tun device driver to be available. #ovsDatapathType: system # Name of the interface antrea-agent will create and use for host <--> pod communication. # Make sure it doesn't conflict with your existing interfaces. -#hostGateway: antrea-gw0 +hostGateway: {{ .Values.hostGateway | quote }} # Determines how traffic is encapsulated. It has the following options: # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network @@ -73,14 +72,14 @@ featureGates: # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod # IPAM and connectivity to the primary CNI. # -#trafficEncapMode: encap +trafficEncapMode: {{ .Values.trafficEncapMode | quote }} # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never # performs SNAT and this option will be ignored; for other modes it must be set to false. -#noSNAT: false +noSNAT: {{ .Values.noSNAT }} # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, # this option will not take effect. Supported values: @@ -89,7 +88,7 @@ featureGates: # - gre # - stt # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). -#tunnelType: geneve +tunnelType: {{ .Values.tunnelType | quote }} # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. # It has the following options: @@ -99,7 +98,7 @@ featureGates: # the PSK value must be passed to Antrea Agent through an environment # variable: ANTREA_IPSEC_PSK. # - wireGuard: Enable WireGuard for tunnel traffic encryption. -#trafficEncryptionMode: none +trafficEncryptionMode: {{ .Values.trafficEncryptionMode | quote }} # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are @@ -108,40 +107,47 @@ featureGates: # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. -#enableBridgingMode: false +enableBridgingMode: {{ .Values.enableBridgingMode }} # Default MTU to use for the host gateway interface and the network interface of each Pod. # If omitted, antrea-agent will discover the MTU of the Node's primary interface and # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). -#defaultMTU: 0 +defaultMTU: {{ .Values.defaultMTU }} # wireGuard specifies WireGuard related configurations. wireGuard: -# The port for WireGuard to receive traffic. -# port: 51820 +{{- with .Values.wireGuard }} + # The port for WireGuard to receive traffic. + port: {{ .port }} +{{- end }} egress: -# exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. -# exceptCIDRs: [] +{{- with .Values.egress }} + # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. + exceptCIDRs: + {{- with .exceptCIDRs }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. -#serviceCIDR: 10.96.0.0/12 +serviceCIDR: {{ .Values.serviceCIDR | quote }} # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. # No default value for this field. -#serviceCIDRv6: +serviceCIDRv6: {{ .Values.serviceCIDRv6 | quote }} # The port for the antrea-agent APIServer to serve on. # Note that if it's set to another value, the `containerPort` of the `api` port of the # `antrea-agent` container must be set to the same value. -#apiPort: 10350 +apiPort: {{ .Values.agent.apiPort }} # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. -#enablePrometheusMetrics: true +enablePrometheusMetrics: {{ .Values.agent.enablePrometheusMetrics }} # Provide the IPFIX collector address as a string with format :[][:]. # HOST can either be the DNS name or the IP of the Flow Collector. For example, @@ -152,50 +158,52 @@ egress: # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and # "udp" protocols. "tls" is used for securing communication between flow exporter and # flow aggregator. -#flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" +flowCollectorAddr: {{ .Values.flowCollector.collectorAddr | quote }} # Provide flow poll interval as a duration string. This determines how often the # flow exporter dumps connections from the conntrack module. Flow poll interval # should be greater than or equal to 1s (one second). # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". -#flowPollInterval: "5s" +flowPollInterval: {{ .Values.flowCollector.flowPollInterval | quote }} # Provide the active flow export timeout, which is the timeout after which a flow # record is sent to the collector for active flows. Thus, for flows with a continuous # stream of packets, a flow record will be exported to the collector once the elapsed # time since the last export event is equal to the value of this timeout. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". -#activeFlowExportTimeout: "30s" +activeFlowExportTimeout: {{ .Values.flowCollector.activeFlowExportTimeout | quote }} # Provide the idle flow export timeout, which is the timeout after which a flow # record is sent to the collector for idle flows. A flow is considered idle if no # packet matching this flow has been observed since the last export event. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". -#idleFlowExportTimeout: "15s" +idleFlowExportTimeout: {{ .Values.flowCollector.idleFlowExportTimeout | quote }} nodePortLocal: +{{- with .Values.nodePortLocal }} # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature # gate is also enabled (which is the default). -# enable: false + enable: {{ .enable }} # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port # from that range will be assigned whenever a Pod's container defines a specific port to be exposed # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic # directed to that port will be forwarded to the Pod. -# portRange: 61000-62000 + portRange: {{ .portRange | quote }} +{{- end }} # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. -#kubeAPIServerOverride: "" +kubeAPIServerOverride: {{ .Values.kubeAPIServerOverride | quote }} # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. # https://golang.org/pkg/crypto/tls/#pkg-constants # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always # prefer TLS1.3 Cipher Suites whenever possible. -#tlsCipherSuites: +tlsCipherSuites: {{ .Values.tlsCipherSuites | quote }} # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. -#tlsMinVersion: +tlsMinVersion: {{ .Values.tlsMinVersion | quote }} # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. # If there are multiple IP addresses configured on the interface, the first one is used. The IP @@ -204,11 +212,14 @@ nodePortLocal: # 1. transportInterface # 2. transportInterfaceCIDRs # 3. The Node IP -#transportInterface: +transportInterface: {{ .Values.transportInterface | quote }} # The names of the interfaces on Nodes that are used to forward multicast traffic. # Defaults to transport interface if not set. -#multicastInterfaces: [] +multicastInterfaces: +{{- with .Values.multicastInterfaces }} +{{- toYaml . | nindent 2 }} +{{- end }} # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The @@ -217,28 +228,39 @@ nodePortLocal: # 1. transportInterface # 2. transportInterfaceCIDRs # 3. The Node IP -#transportInterfaceCIDRs: [,] +transportInterfaceCIDRs: +{{- with .Values.transportInterfaceCIDRs }} +{{- toYaml . | nindent 2 }} +{{- end }} # Option antreaProxy contains AntreaProxy related configuration options. antreaProxy: +{{- with .Values.antreaProxy }} # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy # feature to be enabled. # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access # apiserver directly. - #proxyAll: false + proxyAll: {{ .proxyAll }} # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. # Note that the option is only valid when proxyAll is true. - #nodePortAddresses: [] + nodePortAddresses: + {{- with .nodePortAddresses }} + {{- toYaml . | nindent 4 }} + {{- end }} # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name # with Namespace (e.g. kube-system/kube-dns) - #skipServices: [] + skipServices: + {{- with .skipServices }} + {{- toYaml . | nindent 4 }} + {{- end }} # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. - #proxyLoadBalancerIPs: true + proxyLoadBalancerIPs: {{ .proxyLoadBalancerIPs }} +{{- end }} diff --git a/build/yamls/base/conf/antrea-cni.conflist b/build/charts/antrea/conf/antrea-cni.conflist similarity index 68% rename from build/yamls/base/conf/antrea-cni.conflist rename to build/charts/antrea/conf/antrea-cni.conflist index 14d84678be0..9047fc33409 100644 --- a/build/yamls/base/conf/antrea-cni.conflist +++ b/build/charts/antrea/conf/antrea-cni.conflist @@ -7,14 +7,20 @@ "ipam": { "type": "host-local" } - }, + } + {{- if .Values.cni.plugins.portmap }} + , { "type": "portmap", "capabilities": {"portMappings": true} - }, + } + {{- end }} + {{- if .Values.cni.plugins.bandwidth }} + , { "type": "bandwidth", "capabilities": {"bandwidth": true} } + {{- end }} ] } diff --git a/build/charts/antrea/conf/antrea-controller.conf b/build/charts/antrea/conf/antrea-controller.conf new file mode 100644 index 00000000000..f54bf5ce864 --- /dev/null +++ b/build/charts/antrea/conf/antrea-controller.conf @@ -0,0 +1,73 @@ +# FeatureGates is a map of feature names to bools that enable or disable experimental features. +featureGates: +# Enable traceflow which provides packet tracing feature to diagnose network issue. +{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "Traceflow" "default" true) }} + +# Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins +# to define security policies which apply to the entire cluster, and Antrea NetworkPolicy +# feature that supports priorities, rule actions and externalEntities in the future. +{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "AntreaPolicy" "default" true) }} + +# Enable collecting and exposing NetworkPolicy statistics. +{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "NetworkPolicyStats" "default" true) }} + +# Enable controlling SNAT IPs of Pod egress traffic. +{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "Egress" "default" true) }} + +# Run Kubernetes NodeIPAMController with Antrea. +{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "NodeIPAM" "default" false) }} + +# Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the +# bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for +# IPAM when configuring secondary network interfaces with Multus. +{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "AntreaIPAM" "default" false) }} + +# Enable managing external IPs of Services of LoadBalancer type. +{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "ServiceExternalIP" "default" false) }} + +# The port for the antrea-controller APIServer to serve on. +# Note that if it's set to another value, the `containerPort` of the `api` port of the +# `antrea-controller` container must be set to the same value. +apiPort: {{ .Values.controller.apiPort }} + +# Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. +enablePrometheusMetrics: {{ .Values.controller.enablePrometheusMetrics }} + +# Indicates whether to use auto-generated self-signed TLS certificate. +# If false, a Secret named "antrea-controller-tls" must be provided with the following keys: +# ca.crt: +# tls.crt: +# tls.key: +selfSignedCert: {{ .Values.controller.selfSignedCert }} + +# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. +# https://golang.org/pkg/crypto/tls/#pkg-constants +# Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always +# prefer TLS1.3 Cipher Suites whenever possible. +tlsCipherSuites: {{ .Values.tlsCipherSuites | quote }} + +# TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. +tlsMinVersion: {{ .Values.tlsMinVersion | quote }} + +nodeIPAM: +{{- with .Values.nodeIPAM }} + # Enable the integrated Node IPAM controller within the Antrea controller. + enableNodeIPAM: {{ .enable }} + # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. + # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. + # Value ignored when enableNodeIPAM is false. + clusterCIDRs: + {{- with .clusterCIDRs }} + {{- toYaml . | nindent 4 }} + {{- end }} + # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. + # Value ignored when enableNodeIPAM is false. + serviceCIDR: {{ .serviceCIDR | quote }} + serviceCIDRv6: {{ .serviceCIDRv6 | quote }} + # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. + nodeCIDRMaskSizeIPv4: {{ .nodeCIDRMaskSizeIPv4 }} + # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. + nodeCIDRMaskSizeIPv6: {{ .nodeCIDRMaskSizeIPv6 }} +{{- end }} diff --git a/build/charts/antrea/templates/NOTES.txt b/build/charts/antrea/templates/NOTES.txt new file mode 100644 index 00000000000..40e0d249333 --- /dev/null +++ b/build/charts/antrea/templates/NOTES.txt @@ -0,0 +1 @@ +The Antrea CNI has been successfully installed. diff --git a/build/charts/antrea/templates/_helpers.tpl b/build/charts/antrea/templates/_helpers.tpl new file mode 100644 index 00000000000..0319db13d43 --- /dev/null +++ b/build/charts/antrea/templates/_helpers.tpl @@ -0,0 +1,9 @@ +{{- define "featureGate" -}} +{{- $name := .name }} +{{- $default := .default }} +{{- if hasKey .featureGates $name }} + {{ $name }}: {{ get .featureGates $name }} +{{- else }} + {{ printf "# %s" $name }}: {{ $default }} +{{- end }} +{{- end -}} diff --git a/build/yamls/base/agent-rbac.yml b/build/charts/antrea/templates/agent/clusterrole.yaml similarity index 90% rename from build/yamls/base/agent-rbac.yml rename to build/charts/antrea/templates/agent/clusterrole.yaml index a75b5fc7b5d..ef7e7ea8da5 100644 --- a/build/yamls/base/agent-rbac.yml +++ b/build/charts/antrea/templates/agent/clusterrole.yaml @@ -1,14 +1,9 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: antrea-agent - namespace: kube-system ---- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: antrea-agent + labels: + app: antrea rules: - apiGroups: - "" @@ -190,16 +185,3 @@ rules: - get - list - watch ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: antrea-agent -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: antrea-agent -subjects: - - kind: ServiceAccount - name: antrea-agent - namespace: kube-system diff --git a/build/charts/antrea/templates/agent/clusterrolebinding.yaml b/build/charts/antrea/templates/agent/clusterrolebinding.yaml new file mode 100644 index 00000000000..191035981fb --- /dev/null +++ b/build/charts/antrea/templates/agent/clusterrolebinding.yaml @@ -0,0 +1,14 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-agent + labels: + app: antrea +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: + - kind: ServiceAccount + name: antrea-agent + namespace: {{ .Release.Namespace }} diff --git a/build/yamls/base/agent.yml b/build/charts/antrea/templates/agent/daemonset.yaml similarity index 52% rename from build/yamls/base/agent.yml rename to build/charts/antrea/templates/agent/daemonset.yaml index 8bc007231d3..5292dce279f 100644 --- a/build/yamls/base/agent.yml +++ b/build/charts/antrea/templates/agent/daemonset.yaml @@ -1,48 +1,79 @@ ---- apiVersion: apps/v1 kind: DaemonSet metadata: name: antrea-agent + namespace: {{ .Release.Namespace }} labels: + app: antrea component: antrea-agent spec: selector: matchLabels: + app: antrea component: antrea-agent - updateStrategy: - type: RollingUpdate + {{- with .Values.agent.updateStrategy }} + updateStrategy: {{- toYaml . | nindent 4 }} + {{- end }} template: metadata: annotations: # Starting with v1.21, Kubernetes supports default container annotation. # Using "kubectl logs/exec/attach/cp" doesn't have to specify "-c antrea-agent" when troubleshooting. kubectl.kubernetes.io/default-container: antrea-agent + # Automatically restart Pods with a RollingUpdate if the ConfigMap changes + # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- if eq .Values.trafficEncryptionMode "ipsec" }} + checksum/ipsec-secret: {{ include (print $.Template.BasePath "/agent/ipsec-secret.yaml") . | sha256sum }} + {{- end }} + {{- with .Values.agent.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} labels: + app: antrea component: antrea-agent + {{- with .Values.agent.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet - priorityClassName: system-node-critical - tolerations: - # Mark it as a critical add-on. - - key: CriticalAddonsOnly - operator: Exists - # Make sure it gets scheduled on all nodes. - - effect: NoSchedule - operator: Exists - # Make sure it doesn't get evicted. - - effect: NoExecute - operator: Exists + dnsPolicy: {{ .Values.agent.dnsPolicy }} + priorityClassName: {{ .Values.agent.priorityClassName }} + {{- with .Values.agent.nodeSelector }} nodeSelector: - kubernetes.io/os: linux + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.agent.tolerations }} + tolerations: + {{- toYaml . | trim | nindent 8 }} + {{- end }} + {{- if .Values.testing.simulator.enable }} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: antrea/instance + operator: NotIn + values: + - simulator + {{- else }} + {{- with .Values.agent.affinity }} + affinity: + {{- toYaml . | trim | nindent 8 }} + {{- end }} + {{- end }} serviceAccountName: antrea-agent initContainers: - name: install-cni - image: antrea - resources: - requests: - cpu: "100m" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: {{- .Values.agent.installCNI.resources | toYaml | nindent 12 }} + {{- if eq .Values.trafficEncapMode "networkPolicyOnly" }} + command: ["install_cni_chaining"] + {{- else }} command: ["install_cni"] + {{- end }} securityContext: capabilities: add: @@ -52,7 +83,7 @@ spec: # SKIP_CNI_BINARIES takes in values as a comma separated list of # binaries that need to be skipped for installation, e.g. "portmap, bandwidth". - name: SKIP_CNI_BINARIES - value: "" + value: {{ join "," .Values.cni.skipBinaries | quote }} volumeMounts: - name: antrea-config mountPath: /etc/antrea/antrea-cni.conflist @@ -69,15 +100,43 @@ spec: # For changing the default permissions of the run directory. - name: host-var-run-antrea mountPath: /var/run/antrea - containers: - - name: antrea-agent - image: antrea + {{- if .Values.whereabouts.enable }} + - name: install-whereabouts-config + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" resources: requests: - cpu: "200m" + cpu: "100m" + command: ["install_whereabouts_config"] + volumeMounts: + - name: whereabouts-cni-conf + mountPath: /host/etc/cni/net.d/whereabouts.d + - name: whereabouts-secret + mountPath: /var/run/secrets/whereabouts + {{- end }} + containers: + - name: antrea-agent + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if ((.Values.testing).coverage) }} + command: ["/bin/sh"] + args: ["-c", "sleep 2; antrea-agent-coverage -test.run=TestBincoverRunMain -test.coverprofile=antrea-agent.cov.out -args-file=/agent-arg-file; while true; do sleep 5 & wait $!; done"] + {{- else}} command: ["antrea-agent"] - # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work). - args: ["--config", "/etc/antrea/antrea-agent.conf", "--logtostderr=false", "--log_dir=/var/log/antrea", "--alsologtostderr", "--log_file_max_size=100", "--log_file_max_num=4", "--v=0"] + # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).- + args: + - "--config=/etc/antrea/antrea-agent.conf" + - "--logtostderr=false" + - "--log_dir=/var/log/antrea" + - "--alsologtostderr" + - "--log_file_max_size={{ .Values.agent.antreaAgent.logFileMaxSize }}" + - "--log_file_max_num={{ .Values.agent.antreaAgent.logFileMaxNum }}" + {{- if .Values.logVerbosity }} + - "--v={{ .Values.logVerbosity }}" + {{- end }} + {{- with .Values.agent.antreaAgent.extraArgs }} + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- end}} env: # Provide pod and node information for clusterinformation CRD. - name: POD_NAME @@ -92,6 +151,19 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName + {{- if eq .Values.trafficEncryptionMode "ipsec" }} + # Pre-shared key for IPsec IKE. + - name: ANTREA_IPSEC_PSK + valueFrom: + secretKeyRef: + name: antrea-ipsec + key: psk + {{- end }} + {{- range $k, $v := .Values.agent.antreaAgent.extraEnv }} + - name: {{ $k | quote }} + value: {{ $v | quote }} + {{- end }} + resources: {{- .Values.agent.antreaAgent.resources | toYaml | nindent 12 }} ports: - containerPort: 10350 name: api @@ -155,13 +227,29 @@ spec: mountPropagation: HostToContainer - name: xtables-lock mountPath: /run/xtables.lock + {{- if .Values.whereabouts.enable }} + - name: whereabouts-cni-conf + mountPath: /host/etc/cni/net.d/whereabouts.d + - name: whereabouts-secret + mountPath: /var/run/secrets/whereabouts + {{- end }} + {{- with .Values.agent.antreaAgent.extraVolumeMounts }} + {{- toYaml . | trim | nindent 10 }} + {{- end }} - name: antrea-ovs - image: antrea - resources: - requests: - cpu: "200m" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: {{- .Values.agent.antreaOVS.resources | toYaml | nindent 12 }} command: ["start_ovs"] - args: ["--log_file_max_size=100", "--log_file_max_num=4"] + args: + - "--log_file_max_size={{ .Values.agent.antreaOVS.logFileMaxSize }}" + - "--log_file_max_num={{ .Values.agent.antreaOVS.logFileMaxNum }}" + {{- if .Values.hwOffload }} + - "--hw-offload" + {{- end }} + {{- with .Values.agent.antreaOVS.extraArgs }} + {{- toYaml . | trim | nindent 12 }} + {{- end }} securityContext: # capabilities required by OVS daemons capabilities: @@ -189,6 +277,35 @@ spec: - name: host-var-log-antrea mountPath: /var/log/openvswitch subPath: openvswitch + {{- if eq .Values.trafficEncryptionMode "ipsec" }} + - name: antrea-ipsec + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: {{- .Values.agent.antreaIPsec.resources | toYaml | nindent 12 }} + command: ["start_ovs_ipsec"] + livenessProbe: + exec: + command: + - /bin/sh + - -c + - timeout 5 container_liveness_probe ovs-ipsec + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + capabilities: + add: + - NET_ADMIN + volumeMounts: + - name: host-var-run-antrea + mountPath: /var/run/openvswitch + subPath: openvswitch + - name: host-var-log-antrea + mountPath: /var/log/openvswitch + subPath: openvswitch + - name: host-var-log-antrea + mountPath: /var/log/strongswan + subPath: strongswan + {{- end }} volumes: - name: antrea-config configMap: @@ -198,7 +315,7 @@ spec: path: /etc/cni/net.d - name: host-cni-bin hostPath: - path: /opt/cni/bin + path: {{ .Values.cni.hostBinPath }} - name: host-proc hostPath: path: /proc @@ -223,3 +340,14 @@ spec: hostPath: path: /run/xtables.lock type: FileOrCreate + {{- with .Values.agent.extraVolumes }} + {{- toYaml . | trim | nindent 8 }} + {{- end }} + {{- if .Values.whereabouts.enable }} + - hostPath: + path: /host/etc/cni/net.d/whereabouts.d + name: whereabouts-cni-conf + - name: whereabouts-secret + secret: + secretName: whereabouts-cni-secret + {{- end }} diff --git a/build/charts/antrea/templates/agent/ipsec-secret.yaml b/build/charts/antrea/templates/agent/ipsec-secret.yaml new file mode 100644 index 00000000000..a49848233aa --- /dev/null +++ b/build/charts/antrea/templates/agent/ipsec-secret.yaml @@ -0,0 +1,13 @@ +{{- if eq .Values.trafficEncryptionMode "ipsec" }} +apiVersion: v1 +kind: Secret +metadata: + name: antrea-ipsec + namespace: {{ .Release.Namespace }} + labels: + app: antrea +type: Opaque +stringData: + # Preshared Key used by IKE for authentication with peers. + psk: {{ .Values.ipsec.psk | quote }} +{{- end }} diff --git a/build/charts/antrea/templates/agent/serviceaccount.yaml b/build/charts/antrea/templates/agent/serviceaccount.yaml new file mode 100644 index 00000000000..659b91c8c67 --- /dev/null +++ b/build/charts/antrea/templates/agent/serviceaccount.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-agent + namespace: {{ .Release.Namespace }} + labels: + app: antrea diff --git a/build/yamls/base/antctl.yml b/build/charts/antrea/templates/antctl/clusterrole.yaml similarity index 73% rename from build/yamls/base/antctl.yml rename to build/charts/antrea/templates/antctl/clusterrole.yaml index 6a3764ae560..2b60e193731 100644 --- a/build/yamls/base/antctl.yml +++ b/build/charts/antrea/templates/antctl/clusterrole.yaml @@ -1,14 +1,9 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: antctl - namespace: kube-system ---- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: antctl + labels: + app: antrea rules: - apiGroups: - controlplane.antrea.io @@ -60,19 +55,3 @@ rules: - /featuregates verbs: - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: antrea - name: antctl - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: antctl -subjects: - - kind: ServiceAccount - name: antctl - namespace: kube-system diff --git a/build/charts/antrea/templates/antctl/clusterrolebinding.yaml b/build/charts/antrea/templates/antctl/clusterrolebinding.yaml new file mode 100644 index 00000000000..3f0a9713920 --- /dev/null +++ b/build/charts/antrea/templates/antctl/clusterrolebinding.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antctl +subjects: + - kind: ServiceAccount + name: antctl + namespace: {{ .Release.Namespace }} diff --git a/build/charts/antrea/templates/antctl/serviceaccount.yaml b/build/charts/antrea/templates/antctl/serviceaccount.yaml new file mode 100644 index 00000000000..64e57a4b318 --- /dev/null +++ b/build/charts/antrea/templates/antctl/serviceaccount.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antctl + namespace: {{ .Release.Namespace }} + labels: + app: antrea diff --git a/build/yamls/base/cluster-identity-reader.yml b/build/charts/antrea/templates/cluster-identity-reader/clusterrolebinding.yaml similarity index 90% rename from build/yamls/base/cluster-identity-reader.yml rename to build/charts/antrea/templates/cluster-identity-reader/clusterrolebinding.yaml index d2d93f54859..6b0db36d256 100644 --- a/build/yamls/base/cluster-identity-reader.yml +++ b/build/charts/antrea/templates/cluster-identity-reader/clusterrolebinding.yaml @@ -2,6 +2,8 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: antrea-cluster-identity-reader + labels: + app: antrea rules: - apiGroups: - "" diff --git a/build/charts/antrea/templates/configmap.yaml b/build/charts/antrea/templates/configmap.yaml new file mode 100644 index 00000000000..4d749dec75d --- /dev/null +++ b/build/charts/antrea/templates/configmap.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: antrea-config + namespace: {{ .Release.Namespace }} + labels: + app: antrea +data: +{{ tpl (.Files.Glob "conf/*").AsConfig . | indent 2 | replace " \n" "\n" }} diff --git a/build/charts/antrea/templates/controller/apiservices.yaml b/build/charts/antrea/templates/controller/apiservices.yaml new file mode 100644 index 00000000000..c6b0a531edc --- /dev/null +++ b/build/charts/antrea/templates/controller/apiservices.yaml @@ -0,0 +1,44 @@ +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1beta2.controlplane.antrea.io + labels: + app: antrea +spec: + group: controlplane.antrea.io + groupPriorityMinimum: 100 + version: v1beta2 + versionPriority: 100 + service: + name: antrea + namespace: {{ .Release.Namespace }} +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1beta1.system.antrea.io + labels: + app: antrea +spec: + group: system.antrea.io + groupPriorityMinimum: 100 + version: v1beta1 + versionPriority: 100 + service: + name: antrea + namespace: {{ .Release.Namespace }} +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1alpha1.stats.antrea.io + labels: + app: antrea +spec: + group: stats.antrea.io + groupPriorityMinimum: 100 + version: v1alpha1 + versionPriority: 100 + service: + name: antrea + namespace: {{ .Release.Namespace }} diff --git a/build/yamls/base/controller-rbac.yml b/build/charts/antrea/templates/controller/clusterrole.yaml similarity index 92% rename from build/yamls/base/controller-rbac.yml rename to build/charts/antrea/templates/controller/clusterrole.yaml index 1952ea3bc6d..2a5f043af35 100644 --- a/build/yamls/base/controller-rbac.yml +++ b/build/charts/antrea/templates/controller/clusterrole.yaml @@ -1,14 +1,9 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: antrea-controller - namespace: kube-system ---- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: antrea-controller + labels: + app: antrea rules: - apiGroups: - "" @@ -124,6 +119,9 @@ rules: - mutatingwebhookconfigurations - validatingwebhookconfigurations resourceNames: + # always give permissions for labelsmutator.antrea.io, even when the + # feature is disabled, to avoid errors in antrea-controller when updating + # the CA cert. - labelsmutator.antrea.io - crdmutator.antrea.io - crdvalidator.antrea.io @@ -244,16 +242,3 @@ rules: - get - list - watch ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: antrea-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: antrea-controller -subjects: - - kind: ServiceAccount - name: antrea-controller - namespace: kube-system diff --git a/build/charts/antrea/templates/controller/clusterrolebinding.yaml b/build/charts/antrea/templates/controller/clusterrolebinding.yaml new file mode 100644 index 00000000000..010461d471e --- /dev/null +++ b/build/charts/antrea/templates/controller/clusterrolebinding.yaml @@ -0,0 +1,14 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-controller + labels: + app: antrea +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: + - kind: ServiceAccount + name: antrea-controller + namespace: {{ .Release.Namespace }} diff --git a/build/charts/antrea/templates/controller/deployment.yaml b/build/charts/antrea/templates/controller/deployment.yaml new file mode 100644 index 00000000000..8f00801da97 --- /dev/null +++ b/build/charts/antrea/templates/controller/deployment.yaml @@ -0,0 +1,156 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: antrea-controller + namespace: {{ .Release.Namespace }} + labels: + app: antrea + component: antrea-controller +spec: + strategy: + # Ensure the existing Pod is stopped before the new one is created. + type: Recreate + selector: + matchLabels: + app: antrea + component: antrea-controller + replicas: 1 + template: + metadata: + annotations: + # Automatically restart Pod if the ConfigMap changes + # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- with .Values.controller.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + app: antrea + component: antrea-controller + {{- with .Values.controller.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + hostNetwork: true + priorityClassName: {{ .Values.controller.priorityClassName }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | trim | nindent 8 }} + {{- end }} + {{- if .Values.testing.simulator.enable }} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: antrea/instance + operator: NotIn + values: + - simulator + {{- else }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | trim | nindent 8 }} + {{- end }} + {{- end }} + serviceAccountName: antrea-controller + containers: + - name: antrea-controller + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: {{- .Values.controller.antreaController.resources | toYaml | nindent 12 }} + {{- if ((.Values.testing).coverage) }} + command: ["/bin/sh"] + args: ["-c", "antrea-controller-coverage -test.run=TestBincoverRunMain -test.coverprofile=antrea-controller.cov.out -args-file=/controller-arg-file; while true; do sleep 5 & wait $!; done"] + {{- else }} + command: ["antrea-controller"] + # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work). + args: + - "--config=/etc/antrea/antrea-controller.conf" + - "--logtostderr=false" + - "--log_dir=/var/log/antrea" + - "--alsologtostderr" + - "--log_file_max_size={{ .Values.controller.antreaController.logFileMaxSize }}" + - "--log_file_max_num={{ .Values.controller.antreaController.logFileMaxNum }}" + {{- if .Values.logVerbosity }} + - "--v={{ .Values.logVerbosity }}" + {{- end }} + {{- with .Values.controller.antreaController.extraArgs }} + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- end }} + env: + # Provide pod and node information for clusterinformation CRD. + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + # Provide ServiceAccount name for validation webhook. + - name: SERVICEACCOUNT_NAME + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ANTREA_CONFIG_MAP_NAME + value: antrea-config + {{- range $k, $v := .Values.controller.antreaController.extraEnv }} + - name: {{ $k | quote }} + value: {{ $v | quote }} + {{- end }} + ports: + - containerPort: 10349 + name: api + protocol: TCP + readinessProbe: + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + failureThreshold: 5 + livenessProbe: + httpGet: + host: localhost + path: /livez + port: api + scheme: HTTPS + timeoutSeconds: 5 + periodSeconds: 10 + failureThreshold: 5 + volumeMounts: + - name: antrea-config + mountPath: /etc/antrea/antrea-controller.conf + subPath: antrea-controller.conf + readOnly: true + - name: antrea-controller-tls + mountPath: /var/run/antrea/antrea-controller-tls + - name: host-var-log-antrea + mountPath: /var/log/antrea + volumes: + - name: antrea-config + configMap: + name: antrea-config + # Make it optional as we only read it when selfSignedCert=false. + - name: antrea-controller-tls + secret: + secretName: antrea-controller-tls + defaultMode: 0400 + optional: true + - name: host-var-log-antrea + hostPath: + path: /var/log/antrea + type: DirectoryOrCreate diff --git a/build/charts/antrea/templates/controller/service.yaml b/build/charts/antrea/templates/controller/service.yaml new file mode 100644 index 00000000000..118f183f488 --- /dev/null +++ b/build/charts/antrea/templates/controller/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: antrea + namespace: {{ .Release.Namespace }} + labels: + app: antrea +spec: + ports: + - port: 443 + protocol: TCP + targetPort: api + selector: + app: antrea + component: antrea-controller diff --git a/build/charts/antrea/templates/controller/serviceaccount.yaml b/build/charts/antrea/templates/controller/serviceaccount.yaml new file mode 100644 index 00000000000..94046c25030 --- /dev/null +++ b/build/charts/antrea/templates/controller/serviceaccount.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-controller + namespace: {{ .Release.Namespace }} + labels: + app: antrea diff --git a/build/yamls/base/crds-rbac.yml b/build/charts/antrea/templates/crds-rbac/clusterroles.yaml similarity index 96% rename from build/yamls/base/crds-rbac.yml rename to build/charts/antrea/templates/crds-rbac/clusterroles.yaml index 3ddc3ac9167..e076228450b 100644 --- a/build/yamls/base/crds-rbac.yml +++ b/build/charts/antrea/templates/crds-rbac/clusterroles.yaml @@ -1,9 +1,9 @@ ---- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: aggregate-antrea-policies-edit labels: + app: antrea # Add these permissions to the "admin" and "edit" default roles. rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -17,6 +17,7 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: aggregate-antrea-policies-view labels: + app: antrea # Add these permissions to the "view" default role. rbac.authorization.k8s.io/aggregate-to-view: "true" rules: @@ -29,6 +30,7 @@ kind: ClusterRole metadata: name: aggregate-traceflows-edit labels: + app: antrea # Add these permissions to the "admin" and "edit" default roles. rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -42,6 +44,7 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: aggregate-traceflows-view labels: + app: antrea # Add these permissions to the "view" default role. rbac.authorization.k8s.io/aggregate-to-view: "true" rules: @@ -54,6 +57,7 @@ kind: ClusterRole metadata: name: aggregate-antrea-clustergroups-edit labels: + app: antrea # Add these permissions to the "admin" and "edit" default roles. rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -67,10 +71,10 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: aggregate-antrea-clustergroups-view labels: + app: antrea # Add these permissions to the "view" default role. rbac.authorization.k8s.io/aggregate-to-view: "true" rules: - apiGroups: ["crd.antrea.io"] resources: ["clustergroups"] verbs: ["get", "list", "watch"] ---- diff --git a/build/charts/antrea/templates/crds/antreaagentinfo.yaml b/build/charts/antrea/templates/crds/antreaagentinfo.yaml new file mode 100644 index 00000000000..e81509d2ce1 --- /dev/null +++ b/build/charts/antrea/templates/crds/antreaagentinfo.yaml @@ -0,0 +1,52 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: antreaagentinfos.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of this Agent + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of this Agent + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Node on which this Agent is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of local Pods managed by this Agent + jsonPath: ".localPodNum" + name: Num Pods + type: integer + priority: 2 + - description: Subnets used by this Agent for Pod IPAM + jsonPath: ".nodeSubnets" + name: Subnets + type: string + priority: 2 + scope: Cluster + names: + plural: antreaagentinfos + singular: antreaagentinfo + kind: AntreaAgentInfo + shortNames: + - aai diff --git a/build/charts/antrea/templates/crds/antreacontrollerinfo.yaml b/build/charts/antrea/templates/crds/antreacontrollerinfo.yaml new file mode 100644 index 00000000000..d3cc473c5f2 --- /dev/null +++ b/build/charts/antrea/templates/crds/antreacontrollerinfo.yaml @@ -0,0 +1,52 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: antreacontrollerinfos.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of the Controller + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of the Controller + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Number of Agents connected to the Controller + jsonPath: ".connectedAgentNum" + name: Connected Agents + type: integer + priority: 1 + - description: Node on which the Controller is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of Network Policies computed by Controller + jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" + name: Num Network Policies + type: integer + priority: 2 + scope: Cluster + names: + plural: antreacontrollerinfos + singular: antreacontrollerinfo + kind: AntreaControllerInfo + shortNames: + - aci diff --git a/build/charts/antrea/templates/crds/clustergroup.yaml b/build/charts/antrea/templates/crds/clustergroup.yaml new file mode 100644 index 00000000000..8989b1ce9b0 --- /dev/null +++ b/build/charts/antrea/templates/crds/clustergroup.yaml @@ -0,0 +1,263 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clustergroups.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + - name: v1alpha3 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + service: + name: "antrea" + namespace: "kube-system" + path: "/convert/clustergroup" + scope: Cluster + names: + plural: clustergroups + singular: clustergroup + kind: ClusterGroup + shortNames: + - cg diff --git a/build/charts/antrea/templates/crds/clusternetworkpolicy.yaml b/build/charts/antrea/templates/crds/clusternetworkpolicy.yaml new file mode 100644 index 00000000000..b2a654a391f --- /dev/null +++ b/build/charts/antrea/templates/crds/clusternetworkpolicy.yaml @@ -0,0 +1,541 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusternetworkpolicies.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this ClusterNetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. + jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + name: + type: string + enableLogging: + type: boolean + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaces: + type: object + properties: + match: + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + fqdn: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + toServices: + type: array + items: + type: object + required: + - name + - namespace + properties: + name: + type: string + namespace: + type: string + name: + type: string + enableLogging: + type: boolean + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + subresources: + status: {} + scope: Cluster + names: + plural: clusternetworkpolicies + singular: clusternetworkpolicy + kind: ClusterNetworkPolicy + shortNames: + - acnp diff --git a/build/charts/antrea/templates/crds/egress.yaml b/build/charts/antrea/templates/crds/egress.yaml new file mode 100644 index 00000000000..bcdfea97652 --- /dev/null +++ b/build/charts/antrea/templates/crds/egress.yaml @@ -0,0 +1,112 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: egresses.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - appliedTo + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + egressIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + externalIPPool: + type: string + status: + type: object + properties: + egressNode: + type: string + additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. + jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + subresources: + status: {} + scope: Cluster + names: + plural: egresses + singular: egress + kind: Egress + shortNames: + - eg diff --git a/build/charts/antrea/templates/crds/externalentity.yaml b/build/charts/antrea/templates/crds/externalentity.yaml new file mode 100644 index 00000000000..bfa251ebe57 --- /dev/null +++ b/build/charts/antrea/templates/crds/externalentity.yaml @@ -0,0 +1,58 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalentities.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + endpoints: + type: array + items: + type: object + properties: + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + name: + type: string + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + name: + type: string + externalNode: + type: string + - name: v1alpha1 + served: false + storage: false + schema: + openAPIV3Schema: + type: object + scope: Namespaced + names: + plural: externalentities + singular: externalentity + kind: ExternalEntity + shortNames: + - ee diff --git a/build/charts/antrea/templates/crds/externalippool.yaml b/build/charts/antrea/templates/crds/externalippool.yaml new file mode 100644 index 00000000000..080c0c620c0 --- /dev/null +++ b/build/charts/antrea/templates/crds/externalippool.yaml @@ -0,0 +1,103 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - ipRanges + - nodeSelector + properties: + ipRanges: + type: array + items: + type: object + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + type: string + format: cidr + start: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + end: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + status: + type: object + properties: + usage: + type: object + properties: + total: + type: integer + used: + type: integer + additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + scope: Cluster + names: + plural: externalippools + singular: externalippool + kind: ExternalIPPool + shortNames: + - eip diff --git a/build/charts/antrea/templates/crds/ippool.yaml b/build/charts/antrea/templates/crds/ippool.yaml new file mode 100644 index 00000000000..32529c81e51 --- /dev/null +++ b/build/charts/antrea/templates/crds/ippool.yaml @@ -0,0 +1,109 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + required: + - ipVersion + - ipRanges + type: object + properties: + ipVersion: + type: integer + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + vlan: + type: integer + minimum: 0 + maximum: 4094 + type: object + type: array + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + name: + type: string + namespace: + type: string + containerID: + type: string + ifName: + type: string + type: object + statefulSet: + properties: + name: + type: string + namespace: + type: string + index: + type: integer + type: object + type: object + phase: + type: string + type: object + type: array + type: object + subresources: + status: {} + scope: Cluster + names: + plural: ippools + singular: ippool + kind: IPPool + shortNames: + - ipp diff --git a/build/charts/antrea/templates/crds/networkpolicy.yaml b/build/charts/antrea/templates/crds/networkpolicy.yaml new file mode 100644 index 00000000000..6cdeb5aa50b --- /dev/null +++ b/build/charts/antrea/templates/crds/networkpolicy.yaml @@ -0,0 +1,444 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networkpolicies.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this Antrea NetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. + jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + name: + type: string + enableLogging: + type: boolean + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + fqdn: + type: string + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + toServices: + type: array + items: + type: object + required: + - name + properties: + name: + type: string + namespace: + type: string + name: + type: string + enableLogging: + type: boolean + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + subresources: + status: {} + scope: Namespaced + names: + plural: networkpolicies + singular: networkpolicy + kind: NetworkPolicy + shortNames: + - anp diff --git a/build/charts/antrea/templates/crds/tier.yaml b/build/charts/antrea/templates/crds/tier.yaml new file mode 100644 index 00000000000..1ee1a1ce5fe --- /dev/null +++ b/build/charts/antrea/templates/crds/tier.yaml @@ -0,0 +1,42 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tiers.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Priority + type: integer + description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + required: + - priority + type: object + properties: + priority: + type: integer + minimum: 0 + maximum: 255 + description: + type: string + scope: Cluster + names: + plural: tiers + singular: tier + kind: Tier + shortNames: + - tr diff --git a/build/charts/antrea/templates/crds/traceflow.yaml b/build/charts/antrea/templates/crds/traceflow.yaml new file mode 100644 index 00000000000..45d00fbb275 --- /dev/null +++ b/build/charts/antrea/templates/crds/traceflow.yaml @@ -0,0 +1,251 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: traceflows.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .status.phase + description: The phase of the Traceflow. + name: Phase + type: string + - jsonPath: .spec.source.pod + description: The name of the source Pod. + name: Source-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.pod + description: The name of the destination Pod. + name: Destination-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.ip + description: The IP address of the destination. + name: Destination-IP + type: string + priority: 10 + - jsonPath: .spec.liveTraffic + description: Trace live traffic. + name: Live-Traffic + type: boolean + priority: 10 + - jsonPath: .spec.droppedOnly + description: Capture only the dropped packet. + name: Dropped-Only + type: boolean + priority: 10 + - jsonPath: .spec.timeout + description: Timeout in seconds. + name: Timeout + type: integer + priority: 10 + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + properties: + source: + type: object + properties: + pod: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + destination: + type: object + properties: + pod: + type: string + service: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + packet: + type: object + properties: + ipHeader: + type: object + properties: + srcIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + protocol: + type: integer + ttl: + type: integer + flags: + type: integer + ipv6Header: + type: object + properties: + srcIP: + type: string + format: ipv6 + nextHeader: + type: integer + hopLimit: + type: integer + transportHeader: + type: object + properties: + icmp: + type: object + properties: + id: + type: integer + sequence: + type: integer + udp: + type: object + properties: + srcPort: + type: integer + dstPort: + type: integer + tcp: + type: object + properties: + srcPort: + type: integer + dstPort: + type: integer + flags: + type: integer + liveTraffic: + type: boolean + droppedOnly: + type: boolean + timeout: + type: integer + status: + type: object + properties: + reason: + type: string + dataplaneTag: + type: integer + phase: + type: string + startTime: + type: string + results: + type: array + items: + type: object + properties: + node: + type: string + role: + type: string + timestamp: + type: integer + observations: + type: array + items: + type: object + properties: + component: + type: string + componentInfo: + type: string + action: + type: string + pod: + type: string + dstMAC: + type: string + networkPolicy: + type: string + ttl: + type: integer + translatedSrcIP: + type: string + translatedDstIP: + type: string + tunnelDstIP: + type: string + capturedPacket: + properties: + srcIP: + type: string + dstIP: + type: string + length: + type: integer + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + transportHeader: + properties: + tcp: + properties: + dstPort: + type: integer + srcPort: + type: integer + flags: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + type: object + type: object + subresources: + status: {} + scope: Cluster + names: + plural: traceflows + singular: traceflow + kind: Traceflow + shortNames: + - tf diff --git a/build/charts/antrea/templates/simulator/configmap.yaml b/build/charts/antrea/templates/simulator/configmap.yaml new file mode 100644 index 00000000000..b4f4010ea83 --- /dev/null +++ b/build/charts/antrea/templates/simulator/configmap.yaml @@ -0,0 +1,11 @@ +{{- if .Values.testing.simulator.enable }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: node-configmap + namespace: {{ .Release.Namespace }} + labels: + app: antrea +data: + content.type: test-cluster +{{- end }} diff --git a/build/yamls/patches/simulator/antrea-agent-simulator.yml b/build/charts/antrea/templates/simulator/statefulset.yaml similarity index 96% rename from build/yamls/patches/simulator/antrea-agent-simulator.yml rename to build/charts/antrea/templates/simulator/statefulset.yaml index d66b83f904c..3b88accb1bb 100644 --- a/build/yamls/patches/simulator/antrea-agent-simulator.yml +++ b/build/charts/antrea/templates/simulator/statefulset.yaml @@ -1,17 +1,11 @@ ---- -apiVersion: v1 -data: - content.type: test-cluster -kind: ConfigMap -metadata: - name: node-configmap - namespace: kube-system ---- +{{- if .Values.testing.simulator.enable }} apiVersion: apps/v1 kind: StatefulSet metadata: name: antrea-agent-simulator - namespace: kube-system + namespace: {{ .Release.Namespace }} + labels: + app: antrea spec: podManagementPolicy: Parallel replicas: 1 @@ -151,3 +145,4 @@ spec: - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists +{{- end }} diff --git a/build/charts/antrea/templates/webhooks/mutating/crdmutator.yaml b/build/charts/antrea/templates/webhooks/mutating/crdmutator.yaml new file mode 100644 index 00000000000..f87e33111de --- /dev/null +++ b/build/charts/antrea/templates/webhooks/mutating/crdmutator.yaml @@ -0,0 +1,37 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: "crdmutator.antrea.io" + labels: + app: antrea +webhooks: + - name: "acnpmutator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: {{ .Release.Namespace }} + path: "/mutate/acnp" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["clusternetworkpolicies"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "anpmutator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: {{ .Release.Namespace }} + path: "/mutate/anp" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["networkpolicies"] + scope: "Namespaced" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 diff --git a/build/yamls/patches/admissioncontroller/webhook.yml b/build/charts/antrea/templates/webhooks/mutating/labelsmutator.yaml similarity index 86% rename from build/yamls/patches/admissioncontroller/webhook.yml rename to build/charts/antrea/templates/webhooks/mutating/labelsmutator.yaml index b36ac0edeb1..f87a49e30db 100644 --- a/build/yamls/patches/admissioncontroller/webhook.yml +++ b/build/charts/antrea/templates/webhooks/mutating/labelsmutator.yaml @@ -1,7 +1,10 @@ +{{- if .Values.webhooks.labelsMutator.enable }} apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: name: "labelsmutator.antrea.io" + labels: + app: antrea webhooks: - name: "namelabelmutator.antrea.io" clientConfig: @@ -18,3 +21,4 @@ webhooks: admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 +{{- end }} diff --git a/build/charts/antrea/templates/webhooks/validating/crdvalidator.yaml b/build/charts/antrea/templates/webhooks/validating/crdvalidator.yaml new file mode 100644 index 00000000000..6cd661c3eeb --- /dev/null +++ b/build/charts/antrea/templates/webhooks/validating/crdvalidator.yaml @@ -0,0 +1,112 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: "crdvalidator.antrea.io" + labels: + app: antrea +webhooks: + - name: "tiervalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: {{ .Release.Namespace }} + path: "/validate/tier" + rules: + - operations: ["CREATE", "UPDATE", "DELETE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["tiers"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "acnpvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: {{ .Release.Namespace }} + path: "/validate/acnp" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["clusternetworkpolicies"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "anpvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: {{ .Release.Namespace }} + path: "/validate/anp" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["networkpolicies"] + scope: "Namespaced" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "clustergroupvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: {{ .Release.Namespace }} + path: "/validate/clustergroup" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha3", "v1alpha2"] + resources: ["clustergroups"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "externalippoolvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: {{ .Release.Namespace }} + path: "/validate/externalippool" + rules: + - operations: ["UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha2"] + resources: ["externalippools"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "egressvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: {{ .Release.Namespace }} + path: "/validate/egress" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha2"] + resources: ["egresses"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "ippoolvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: {{ .Release.Namespace }} + path: "/validate/ippool" + rules: + - operations: ["CREATE", "UPDATE", "DELETE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha2"] + resources: ["ippools"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 diff --git a/build/charts/antrea/templates/whereabouts/clusterrole.yaml b/build/charts/antrea/templates/whereabouts/clusterrole.yaml new file mode 100644 index 00000000000..c7af5821866 --- /dev/null +++ b/build/charts/antrea/templates/whereabouts/clusterrole.yaml @@ -0,0 +1,22 @@ +{{- if .Values.whereabouts.enable }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-agent-whereabouts + labels: + app: antrea +rules: + - apiGroups: + - whereabouts.cni.cncf.io + resources: + - ippools + verbs: + - get + - put + - watch + - list + - update + - patch + - create + - delete +{{- end }} diff --git a/build/charts/antrea/templates/whereabouts/clusterrolebinding.yaml b/build/charts/antrea/templates/whereabouts/clusterrolebinding.yaml new file mode 100644 index 00000000000..5961902f8ff --- /dev/null +++ b/build/charts/antrea/templates/whereabouts/clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if .Values.whereabouts.enable }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-agent-whereabouts + labels: + app: antrea +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent-whereabouts +subjects: + - kind: ServiceAccount + name: antrea-agent-whereabouts + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/build/charts/antrea/templates/whereabouts/secret.yaml b/build/charts/antrea/templates/whereabouts/secret.yaml new file mode 100644 index 00000000000..fba1efd9058 --- /dev/null +++ b/build/charts/antrea/templates/whereabouts/secret.yaml @@ -0,0 +1,12 @@ +{{- if .Values.whereabouts.enable }} +apiVersion: v1 +kind: Secret +metadata: + name: whereabouts-cni-secret + namespace: {{ .Release.Namespace }} + annotations: + kubernetes.io/service-account.name: antrea-agent-whereabouts + labels: + app: antrea +type: kubernetes.io/service-account-token +{{- end }} diff --git a/build/charts/antrea/templates/whereabouts/serviceaccount.yaml b/build/charts/antrea/templates/whereabouts/serviceaccount.yaml new file mode 100644 index 00000000000..9129cf25470 --- /dev/null +++ b/build/charts/antrea/templates/whereabouts/serviceaccount.yaml @@ -0,0 +1,9 @@ +{{- if .Values.whereabouts.enable }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-agent-whereabouts + namespace: {{ .Release.Namespace }} + labels: + app: antrea +{{- end }} diff --git a/build/charts/antrea/values.yaml b/build/charts/antrea/values.yaml new file mode 100644 index 00000000000..8a587f202b3 --- /dev/null +++ b/build/charts/antrea/values.yaml @@ -0,0 +1,266 @@ +# -- Container image to use for Antrea components. +image: + repository: "projects.registry.vmware.com/antrea/antrea-ubuntu" + pullPolicy: "IfNotPresent" + tag: "latest" + +# -- Determines how traffic is encapsulated. It must be one of "encap", +# "noEncap", "hybrid", or "networkPolicyOnly". +trafficEncapMode: "encap" +# -- Tunnel protocol used for encapsulating traffic across Nodes. It must be one +# of "geneve", "vxlan", "gre", "stt". +tunnelType: "geneve" +# -- Determines how tunnel traffic is encrypted. Currently encryption only works +# with encap mode.It must be one of "none", "ipsec", "wireGuard". +trafficEncryptionMode: "none" +# -- Enable bridging mode of Pod network on Nodes, in which the Node's transport +# interface is connected to the OVS bridge. +enableBridgingMode: false +# -- Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to +# the external network. +noSNAT: false +# -- Name of the interface antrea-agent will create and use for host <-> Pod +# communication. +hostGateway: "antrea-gw0" +# -- Name of the interface on Node which is used for tunneling or routing the +# traffic across Nodes. +transportInterface: "" +# -- Network CIDRs of the interface on Node which is used for tunneling or +# routing the traffic across Nodes. +transportInterfaceCIDRs: [] +# -- Names of the interfaces on Nodes that are used to forward multicast traffic. +multicastInterfaces: [] +# -- Default MTU to use for the host gateway interface and the network interface +# of each Pod. By default, antrea-agent will discover the MTU of the Node's +# primary interface and adjust it to accommodate for tunnel encapsulation +# overhead if applicable. +defaultMTU: 0 + +ovs: + # -- Name of the OVS bridge antrea-agent will create and use. + bridgeName: "br-int" + # -- Enable hardware offload for the OVS bridge (required additional + # configuration). + hwOffload: false + +wireGuard: + # -- Port for WireGuard to send and receive traffic. + port: 51820 + +ipsec: + # -- Preshared Key (PSK) for IKE authentication. It will be stored in a secret + # and passed to antrea-agent as an environment variable. + psk: "changeme" + +egress: + # -- CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. + exceptCIDRs: [] + +nodePortLocal: + # -- Enable the NodePortLocal feature. + enable: false + # -- Port range used by NodePortLocal when creating Pod port mappings. + portRange: "61000-62000" + +antreaProxy: + # -- Proxy all Service traffic, for all Service types, regardless of where it + # comes from. + proxyAll: false + # -- String array of values which specifies the host IPv4/IPv6 addresses for + # NodePort. By default, all host addresses are used. + nodePortAddresses: [] + ## -- List of Services which should be ignored by AntreaProxy. + skipServices: [] + # -- When set to false, AntreaProxy no longer load-balances traffic destined + # to the External IPs of LoadBalancer Services. + proxyLoadBalancerIPs: true + +nodeIPAM: + # -- Enable Node IPAM in Antrea + enable: false + # -- CIDR ranges to use when allocating Pod IP addresses. + clusterCIDRs: [] + # -- IPv4 CIDR ranges reserved for Services. + serviceCIDR: "" + # -- IPv6 CIDR ranges reserved for Services. + serviceCIDRv6: "" + # -- Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. + nodeCIDRMaskSizeIPv4: 24 + # -- Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. + nodeCIDRMaskSizeIPv6: 64 + +# -- Address of Kubernetes apiserver, to override any value provided in +# kubeconfig or InClusterConfig. +kubeAPIServerOverride: "" +# -- IPv4 CIDR range used for Services. Required when AntreaProxy is disabled. +serviceCIDR: "" +# -- IPv6 CIDR range used for Services. Required when AntreaProxy is disabled. +serviceCIDRv6: "" + +# -- Comma-separated list of cipher suites that will be used by the Antrea +# APIservers. If empty, the default Go Cipher Suites will be used. See +# https://golang.org/pkg/crypto/tls/#pkg-constants. +tlsCipherSuites: "" +# -- TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, +# VersionTLS13. +tlsMinVersion: "" + +# -- To explicitly enable or disable a FeatureGate and bypass the Antrea +# defaults, add an entry to the dictionary with the FeatureGate's name as the +# key and a boolean as the value. +featureGates: {} + +agent: + # -- Port for the antrea-agent APIServer to serve on. + apiPort: 10350 + # -- Enable metrics exposure via Prometheus. + enablePrometheusMetrics: true + # -- Annotations to be added to antrea-agent Pods. + podAnnotations: {} + # -- Labels to be added to antrea-agent Pods. + podLabels: {} + # -- Tolerations for the antrea-agent Pods. + tolerations: + # Mark it as a critical add-on. + - key: CriticalAddonsOnly + operator: Exists + # Make sure it gets scheduled on all Nodes. + - effect: NoSchedule + operator: Exists + # Make sure it doesn't get evicted. + - effect: NoExecute + operator: Exists + # -- Node selector for the antrea-agent Pods. + nodeSelector: + kubernetes.io/os: linux + # -- Prority class to use for the antrea-agent Pods. + priorityClassName: "system-node-critical" + # -- Affinity for the antrea-agent Pods. + affinity: {} + # -- DNS Policy for the antrea-agent Pods. + dnsPolicy: "ClusterFirstWithHostNet" + # -- Update strategy for the antrea-agent DaemonSet. + updateStrategy: + type: RollingUpdate + # -- Additional volumes for antrea-agent Pods. + extraVolumes: [] + installCNI: + # -- Resource requests and limits for the install-cni initContainer. + resources: + requests: + cpu: "100m" + antreaAgent: + # -- Extra environment variables to be injected into antrea-agent. + extraEnv: {} + # -- Max size in MBs of any single log file. + logFileMaxSize: 100 + # -- Max number of log files. + logFileMaxNum: 4 + # -- Extra command-line arguments for antrea-agent. + extraArgs: [] + # -- Additional volumeMounts for the antrea-agent container. + extraVolumeMounts: [] + # -- Resource requests and limits for the antrea-agent container. + resources: + requests: + cpu: "200m" + antreaOVS: + # -- Max size in MBs of any single log file. + logFileMaxSize: 100 + # -- Max number of log files. + logFileMaxNum: 4 + # -- Extra command-line arguments for antrea-ovs. + extraArgs: [] + # -- Resource requests and limits for the antrea-ovs container. + resources: + requests: + cpu: "200m" + antreaIPsec: + # -- Resource requests and limits for the antrea-ipsec container (when IPsec + # is enabled). + resources: + requests: + cpu: "50m" + +controller: + # -- Port for the antrea-controller APIServer to serve on. + apiPort: 10349 + # -- Enable metrics exposure via Prometheus. + enablePrometheusMetrics: true + # -- Annotations to be added to antrea-controller Pod. + podAnnotations: {} + # -- Labels to be added to antrea-controller Pod. + podLabels: {} + # -- Indicates whether to use auto-generated self-signed TLS certificates. If + # false, a Secret named "antrea-controller-tls" must be provided with the + # following keys: ca.crt, tls.crt, tls.key. + selfSignedCert: true + # -- Tolerations for the antrea-controller Pod. + tolerations: + # Mark it as a critical add-on. + - key: CriticalAddonsOnly + operator: Exists + # Allow it to schedule onto master nodes. + - key: node-role.kubernetes.io/master + effect: NoSchedule + # -- Node selector for the antrea-controller Pod. + nodeSelector: + kubernetes.io/os: linux + # -- Prority class to use for the antrea-controller Pod. + priorityClassName: "system-cluster-critical" + # -- Affinity for the antrea-controller Pod. + affinity: {} + antreaController: + # -- Extra environment variables to be injected into antrea-controller. + extraEnv: {} + # -- Max size in MBs of any single log file. + logFileMaxSize: 100 + # -- Max number of log files. + logFileMaxNum: 4 + # -- Extra command-line arguments for antrea-controller. + extraArgs: [] + # -- Resource requests and limits for the antrea-controller container. + resources: + requests: + cpu: "200m" + +flowCollector: + # -- IPFIX collector address as a string with format :[][:]. + collectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" + # -- Determines how often the flow exporter polls for new connections. + flowPollInterval: "5s" + # -- timeout after which a flow record is sent to the collector for active + # flows. + activeFlowExportTimeout: "5s" + # -- timeout after which a flow record is sent to the collector for idle + # flows. + idleFlowExportTimeout: "15s" + +cni: + # -- Chained plugins to use alongside antrea-cni. + plugins: + portmap: true + bandwidth: true + # -- Installation path of CNI binaries on the host. + hostBinPath: "/opt/cni/bin" + # -- CNI binaries shipped with Antrea for which installation should be + # skipped. + skipBinaries: [] + +webhooks: + labelsMutator: + ## -- Mutate all namespaces to add the "antrea.io/metadata.name" label. + enable: false + +## -- Global log verbosity switch for all Antrea components. +logVerbosity: 0 + +## -- Install and configure Whereabouts, for use by the antrea-agent. +whereabouts: + enable: false + +testing: + ## -- enable code coverage measurement (used when testing Antrea only). + coverage: false + simulator: + enable: false diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml index f5f591469c3..df3468f7844 100644 --- a/build/yamls/antrea-aks.yml +++ b/build/yamls/antrea-aks.yml @@ -1,2742 +1,39 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition +--- +# Source: antrea/templates/agent/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount metadata: + name: antrea-agent + namespace: kube-system labels: app: antrea - name: antreaagentinfos.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: AntreaAgentInfo - plural: antreaagentinfos - shortNames: - - aai - singular: antreaagentinfo - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Health status of this Agent - jsonPath: .agentConditions[?(@.type=='AgentHealthy')].status - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: .agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime - name: Last Heartbeat - type: date - - description: Version of this Agent - jsonPath: .version - name: Version - priority: 1 - type: string - - description: Node on which this Agent is running - jsonPath: .nodeRef.name - name: Node - priority: 1 - type: string - - description: Number of local Pods managed by this Agent - jsonPath: .localPodNum - name: Num Pods - priority: 2 - type: integer - - description: Subnets used by this Agent for Pod IPAM - jsonPath: .nodeSubnets - name: Subnets - priority: 2 - type: string - name: v1beta1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true --- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition +# Source: antrea/templates/antctl/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount metadata: + name: antctl + namespace: kube-system labels: app: antrea - name: antreacontrollerinfos.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: AntreaControllerInfo - plural: antreacontrollerinfos - shortNames: - - aci - singular: antreacontrollerinfo - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Health status of the Controller - jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].status - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime - name: Last Heartbeat - type: date - - description: Version of the Controller - jsonPath: .version - name: Version - priority: 1 - type: string - - description: Number of Agents connected to the Controller - jsonPath: .connectedAgentNum - name: Connected Agents - priority: 1 - type: integer - - description: Node on which the Controller is running - jsonPath: .nodeRef.name - name: Node - priority: 1 - type: string - - description: Number of Network Policies computed by Controller - jsonPath: .networkPolicyControllerInfo.networkPolicyNum - name: Num Network Policies - priority: 2 - type: integer - name: v1beta1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true --- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition +# Source: antrea/templates/controller/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount metadata: + name: antrea-controller + namespace: kube-system labels: app: antrea - name: clustergroups.crd.antrea.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: antrea - namespace: kube-system - path: /convert/clustergroup - conversionReviewVersions: - - v1 - - v1beta1 - group: crd.antrea.io - names: - kind: ClusterGroup - plural: clustergroups - shortNames: - - cg - singular: clustergroup - scope: Cluster - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - childGroups: - items: - type: string - type: array - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - ipBlocks: - items: - properties: - cidr: - format: cidr - type: string - type: object - type: array - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceReference: - properties: - name: - type: string - namespace: - type: string - type: object - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - type: string - status: - type: string - type: - type: string - type: object - type: array - type: object - type: object - served: true - storage: false - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - properties: - childGroups: - items: - type: string - type: array - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - ipBlocks: - items: - properties: - cidr: - format: cidr - type: string - type: object - type: array - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceReference: - properties: - name: - type: string - namespace: - type: string - type: object - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - type: string - status: - type: string - type: - type: string - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} --- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition +# Source: antrea/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap metadata: + name: antrea-config + namespace: kube-system labels: app: antrea - name: clusternetworkpolicies.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ClusterNetworkPolicy - plural: clusternetworkpolicies - shortNames: - - acnp - singular: clusternetworkpolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The Tier to which this ClusterNetworkPolicy belongs to. - jsonPath: .spec.tier - name: Tier - type: string - - description: The Priority of this ClusterNetworkPolicy relative to other policies. - format: float - jsonPath: .spec.priority - name: Priority - type: number - - description: The total number of Nodes that should realize the NetworkPolicy. - format: int32 - jsonPath: .status.desiredNodesRealized - name: Desired Nodes - type: number - - description: The number of Nodes that have realized the NetworkPolicy. - format: int32 - jsonPath: .status.currentNodesRealized - name: Current Nodes - type: number - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceAccount: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - type: array - egress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceAccount: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - type: array - enableLogging: - type: boolean - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string - type: object - type: array - to: - items: - properties: - fqdn: - type: string - group: - type: string - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: - properties: - match: - type: string - type: object - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceAccount: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - type: array - toServices: - items: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: array - required: - - action - type: object - type: array - ingress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceAccount: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - type: array - enableLogging: - type: boolean - from: - items: - properties: - group: - type: string - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: - properties: - match: - enum: - - Self - type: string - type: object - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceAccount: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - type: array - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string - type: object - type: array - required: - - action - type: object - type: array - priority: - format: float - maximum: 10000 - minimum: 1 - type: number - tier: - type: string - required: - - priority - type: object - status: - properties: - currentNodesRealized: - type: integer - desiredNodesRealized: - type: integer - observedGeneration: - type: integer - phase: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: egresses.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Egress - plural: egresses - shortNames: - - eg - singular: egress - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Specifies the SNAT IP address for the selected workloads. - jsonPath: .spec.egressIP - name: EgressIP - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The Owner Node of egress IP - jsonPath: .status.egressNode - name: Node - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - anyOf: - - required: - - egressIP - - required: - - externalIPPool - properties: - appliedTo: - properties: - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - egressIP: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - externalIPPool: - type: string - required: - - appliedTo - type: object - status: - properties: - egressNode: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalentities.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ExternalEntity - plural: externalentities - shortNames: - - ee - singular: externalentity - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - endpoints: - items: - properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - name: - type: string - type: object - type: array - externalNode: - type: string - ports: - items: - properties: - name: - type: string - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string - type: object - type: array - type: object - type: object - served: true - storage: true - - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - served: false - storage: false ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalippools.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ExternalIPPool - plural: externalippools - shortNames: - - eip - singular: externalippool - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of allocated IPs - jsonPath: .status.usage.used - name: Used - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - ipRanges: - items: - oneOf: - - required: - - cidr - - required: - - start - - end - properties: - cidr: - format: cidr - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - start: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - type: object - type: array - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - required: - - ipRanges - - nodeSelector - type: object - status: - properties: - usage: - properties: - total: - type: integer - used: - type: integer - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: ippools.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: IPPool - plural: ippools - shortNames: - - ipp - singular: ippool - scope: Cluster - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - ipRanges: - items: - oneOf: - - required: - - cidr - - gateway - - prefixLength - - required: - - start - - end - - gateway - - prefixLength - properties: - cidr: - format: cidr - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - gateway: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - prefixLength: - type: integer - start: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - vlan: - maximum: 4094 - minimum: 0 - type: integer - type: object - type: array - ipVersion: - type: integer - required: - - ipVersion - - ipRanges - type: object - status: - properties: - ipAddresses: - items: - properties: - ipAddress: - type: string - owner: - properties: - pod: - properties: - containerID: - type: string - ifName: - type: string - name: - type: string - namespace: - type: string - type: object - statefulSet: - properties: - index: - type: integer - name: - type: string - namespace: - type: string - type: object - type: object - phase: - type: string - type: object - type: array - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: networkpolicies.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: NetworkPolicy - plural: networkpolicies - shortNames: - - anp - singular: networkpolicy - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The Tier to which this Antrea NetworkPolicy belongs to. - jsonPath: .spec.tier - name: Tier - type: string - - description: The Priority of this Antrea NetworkPolicy relative to other policies. - format: float - jsonPath: .spec.priority - name: Priority - type: number - - description: The total number of Nodes that should realize the NetworkPolicy. - format: int32 - jsonPath: .status.desiredNodesRealized - name: Desired Nodes - type: number - - description: The number of Nodes that have realized the NetworkPolicy. - format: int32 - jsonPath: .status.currentNodesRealized - name: Current Nodes - type: number - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - egress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - enableLogging: - type: boolean - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string - type: object - type: array - to: - items: - properties: - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - fqdn: - type: string - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - toServices: - items: - properties: - name: - type: string - namespace: - type: string - required: - - name - type: object - type: array - required: - - action - type: object - type: array - ingress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - enableLogging: - type: boolean - from: - items: - properties: - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string - type: object - type: array - required: - - action - type: object - type: array - priority: - format: float - maximum: 10000 - minimum: 1 - type: number - tier: - type: string - required: - - priority - type: object - status: - properties: - currentNodesRealized: - type: integer - desiredNodesRealized: - type: integer - observedGeneration: - type: integer - phase: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: tiers.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Tier - plural: tiers - shortNames: - - tr - singular: tier - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The Priority of this Tier relative to other Tiers. - jsonPath: .spec.priority - name: Priority - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - description: - type: string - priority: - maximum: 255 - minimum: 0 - type: integer - required: - - priority - type: object - type: object - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: traceflows.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Traceflow - plural: traceflows - shortNames: - - tf - singular: traceflow - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The phase of the Traceflow. - jsonPath: .status.phase - name: Phase - type: string - - description: The name of the source Pod. - jsonPath: .spec.source.pod - name: Source-Pod - priority: 10 - type: string - - description: The name of the destination Pod. - jsonPath: .spec.destination.pod - name: Destination-Pod - priority: 10 - type: string - - description: The IP address of the destination. - jsonPath: .spec.destination.ip - name: Destination-IP - priority: 10 - type: string - - description: Trace live traffic. - jsonPath: .spec.liveTraffic - name: Live-Traffic - priority: 10 - type: boolean - - description: Capture only the dropped packet. - jsonPath: .spec.droppedOnly - name: Dropped-Only - priority: 10 - type: boolean - - description: Timeout in seconds. - jsonPath: .spec.timeout - name: Timeout - priority: 10 - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - destination: - properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - namespace: - type: string - pod: - type: string - service: - type: string - type: object - droppedOnly: - type: boolean - liveTraffic: - type: boolean - packet: - properties: - ipHeader: - properties: - flags: - type: integer - protocol: - type: integer - srcIP: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - ttl: - type: integer - type: object - ipv6Header: - properties: - hopLimit: - type: integer - nextHeader: - type: integer - srcIP: - format: ipv6 - type: string - type: object - transportHeader: - properties: - icmp: - properties: - id: - type: integer - sequence: - type: integer - type: object - tcp: - properties: - dstPort: - type: integer - flags: - type: integer - srcPort: - type: integer - type: object - udp: - properties: - dstPort: - type: integer - srcPort: - type: integer - type: object - type: object - type: object - source: - properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - namespace: - type: string - pod: - type: string - type: object - timeout: - type: integer - type: object - status: - properties: - capturedPacket: - properties: - dstIP: - type: string - ipHeader: - properties: - flags: - type: integer - protocol: - type: integer - ttl: - type: integer - type: object - ipv6Header: - properties: - hopLimit: - type: integer - nextHeader: - type: integer - type: object - length: - type: integer - srcIP: - type: string - transportHeader: - properties: - icmp: - properties: - id: - type: integer - sequence: - type: integer - type: object - tcp: - properties: - dstPort: - type: integer - flags: - type: integer - srcPort: - type: integer - type: object - udp: - properties: - dstPort: - type: integer - srcPort: - type: integer - type: object - type: object - type: object - dataplaneTag: - type: integer - phase: - type: string - reason: - type: string - results: - items: - properties: - node: - type: string - observations: - items: - properties: - action: - type: string - component: - type: string - componentInfo: - type: string - dstMAC: - type: string - networkPolicy: - type: string - pod: - type: string - translatedDstIP: - type: string - translatedSrcIP: - type: string - ttl: - type: integer - tunnelDstIP: - type: string - type: object - type: array - role: - type: string - timestamp: - type: integer - type: object - type: array - startTime: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: antrea - name: antctl - namespace: kube-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: antrea - name: antrea-agent - namespace: kube-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: antrea - name: antrea-controller - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: aggregate-antrea-clustergroups-edit -rules: -- apiGroups: - - crd.antrea.io - resources: - - clustergroups - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: aggregate-antrea-clustergroups-view -rules: -- apiGroups: - - crd.antrea.io - resources: - - clustergroups - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: aggregate-antrea-policies-edit -rules: -- apiGroups: - - crd.antrea.io - resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: aggregate-antrea-policies-view -rules: -- apiGroups: - - crd.antrea.io - resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: aggregate-traceflows-edit -rules: -- apiGroups: - - crd.antrea.io - resources: - - traceflows - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: aggregate-traceflows-view -rules: -- apiGroups: - - crd.antrea.io - resources: - - traceflows - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antctl -rules: -- apiGroups: - - controlplane.antrea.io - resources: - - networkpolicies - - appliedtogroups - - addressgroups - verbs: - - get - - list -- apiGroups: - - stats.antrea.io - resources: - - networkpolicystats - - antreaclusternetworkpolicystats - - antreanetworkpolicystats - verbs: - - get - - list -- apiGroups: - - system.antrea.io - resources: - - controllerinfos - - agentinfos - verbs: - - get -- apiGroups: - - system.antrea.io - resources: - - supportbundles - verbs: - - get - - post -- apiGroups: - - system.antrea.io - resources: - - supportbundles/download - verbs: - - get -- nonResourceURLs: - - /agentinfo - - /addressgroups - - /appliedtogroups - - /loglevel - - /networkpolicies - - /ovsflows - - /ovstracing - - /podinterfaces - - /featuregates - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antrea-agent -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - nodes/status - verbs: - - patch -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - pods/status - verbs: - - patch -- apiGroups: - - "" - resources: - - endpoints - - services - - namespaces - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - services/status - verbs: - - update -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - antreaagentinfos - verbs: - - get - - create - - update - - delete -- apiGroups: - - controlplane.antrea.io - resources: - - networkpolicies - - appliedtogroups - - addressgroups - verbs: - - get - - watch - - list -- apiGroups: - - controlplane.antrea.io - resources: - - egressgroups - verbs: - - get - - watch - - list -- apiGroups: - - controlplane.antrea.io - resources: - - nodestatssummaries - verbs: - - create -- apiGroups: - - controlplane.antrea.io - resources: - - networkpolicies/status - verbs: - - create - - get -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - "" - resourceNames: - - extension-apiserver-authentication - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - "" - resourceNames: - - antrea-ca - resources: - - configmaps - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - traceflows - - traceflows/status - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - egresses - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - egresses/status - verbs: - - update -- apiGroups: - - crd.antrea.io - resources: - - externalippools - - ippools - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - ippools/status - verbs: - - update -- apiGroups: - - k8s.cni.cncf.io - resources: - - network-attachment-definitions - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antrea-cluster-identity-reader -rules: -- apiGroups: - - "" - resourceNames: - - antrea-cluster-identity - resources: - - configmaps - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antrea-controller -rules: -- apiGroups: - - "" - resources: - - pods - - services - - namespaces - - configmaps - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - watch - - list - - patch -- apiGroups: - - "" - resources: - - services/status - verbs: - - update -- apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - get - - watch - - list -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - update -- apiGroups: - - "" - resourceNames: - - extension-apiserver-authentication - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - "" - resourceNames: - - antrea-ca - - antrea-cluster-identity - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create -- apiGroups: - - apiregistration.k8s.io - resourceNames: - - v1alpha1.stats.antrea.io - - v1beta1.system.antrea.io - - v1beta2.controlplane.antrea.io - resources: - - apiservices - verbs: - - get - - update -- apiGroups: - - apiregistration.k8s.io - resourceNames: - - v1beta1.networking.antrea.tanzu.vmware.com - - v1beta1.controlplane.antrea.tanzu.vmware.com - - v1alpha1.stats.antrea.tanzu.vmware.com - - v1beta1.system.antrea.tanzu.vmware.com - - v1beta2.controlplane.antrea.tanzu.vmware.com - resources: - - apiservices - verbs: - - delete -- apiGroups: - - admissionregistration.k8s.io - resourceNames: - - labelsmutator.antrea.io - - crdmutator.antrea.io - - crdvalidator.antrea.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: - - get - - update -- apiGroups: - - crd.antrea.io - resources: - - antreacontrollerinfos - verbs: - - get - - create - - update - - delete -- apiGroups: - - crd.antrea.io - resources: - - antreaagentinfos - verbs: - - list - - delete -- apiGroups: - - crd.antrea.io - resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - clusternetworkpolicies/status - - networkpolicies/status - verbs: - - update -- apiGroups: - - crd.antrea.io - resources: - - tiers - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - traceflows - - traceflows/status - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - externalentities - - clustergroups - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - clustergroups/status - verbs: - - update -- apiGroups: - - crd.antrea.io - resources: - - egresses - verbs: - - get - - watch - - list - - update - - patch -- apiGroups: - - crd.antrea.io - resources: - - externalippools - - ippools - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - externalippools/status - - ippools/status - verbs: - - update -- apiGroups: - - apps - resources: - - statefulsets - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: antrea - name: antctl - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: antctl -subjects: -- kind: ServiceAccount - name: antctl - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: antrea - name: antrea-agent -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: antrea-agent -subjects: -- kind: ServiceAccount - name: antrea-agent - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: antrea - name: antrea-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: antrea-controller -subjects: -- kind: ServiceAccount - name: antrea-controller - namespace: kube-system ---- -apiVersion: v1 data: antrea-agent.conf: | # FeatureGates is a map of feature names to bools that enable or disable experimental features. @@ -2790,19 +87,18 @@ data: # Name of the OpenVSwitch bridge antrea-agent will create and use. # Make sure it doesn't conflict with your existing OpenVSwitch bridges. - #ovsBridge: br-int + ovsBridge: "br-int" # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: # - system # - netdev # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run - # OVS in userspace mode (not fully supported yet). Userspace mode requires the tun device driver to - # be available. + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. #ovsDatapathType: system # Name of the interface antrea-agent will create and use for host <--> pod communication. # Make sure it doesn't conflict with your existing interfaces. - #hostGateway: antrea-gw0 + hostGateway: "antrea-gw0" # Determines how traffic is encapsulated. It has the following options: # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network @@ -2814,14 +110,14 @@ data: # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod # IPAM and connectivity to the primary CNI. # - trafficEncapMode: networkPolicyOnly + trafficEncapMode: "networkPolicyOnly" # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never # performs SNAT and this option will be ignored; for other modes it must be set to false. - #noSNAT: false + noSNAT: false # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, # this option will not take effect. Supported values: @@ -2830,7 +126,7 @@ data: # - gre # - stt # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). - #tunnelType: geneve + tunnelType: "geneve" # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. # It has the following options: @@ -2840,7 +136,7 @@ data: # the PSK value must be passed to Antrea Agent through an environment # variable: ANTREA_IPSEC_PSK. # - wireGuard: Enable WireGuard for tunnel traffic encryption. - #trafficEncryptionMode: none + trafficEncryptionMode: "none" # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are @@ -2849,35 +145,40 @@ data: # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. - #enableBridgingMode: false + enableBridgingMode: false # Default MTU to use for the host gateway interface and the network interface of each Pod. # If omitted, antrea-agent will discover the MTU of the Node's primary interface and # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). - #defaultMTU: 0 + defaultMTU: 0 # wireGuard specifies WireGuard related configurations. wireGuard: - # The port for WireGuard to receive traffic. - # port: 51820 + # The port for WireGuard to receive traffic. + port: 51820 egress: - # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. - # exceptCIDRs: [] + # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. + exceptCIDRs: + + # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + serviceCIDR: "" # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. # No default value for this field. - #serviceCIDRv6: + serviceCIDRv6: "" # The port for the antrea-agent APIServer to serve on. # Note that if it's set to another value, the `containerPort` of the `api` port of the # `antrea-agent` container must be set to the same value. - #apiPort: 10350 + apiPort: 10350 # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. - #enablePrometheusMetrics: true + enablePrometheusMetrics: true # Provide the IPFIX collector address as a string with format :[][:]. # HOST can either be the DNS name or the IP of the Flow Collector. For example, @@ -2888,50 +189,50 @@ data: # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and # "udp" protocols. "tls" is used for securing communication between flow exporter and # flow aggregator. - #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" + flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" # Provide flow poll interval as a duration string. This determines how often the # flow exporter dumps connections from the conntrack module. Flow poll interval # should be greater than or equal to 1s (one second). # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #flowPollInterval: "5s" + flowPollInterval: "5s" # Provide the active flow export timeout, which is the timeout after which a flow # record is sent to the collector for active flows. Thus, for flows with a continuous # stream of packets, a flow record will be exported to the collector once the elapsed # time since the last export event is equal to the value of this timeout. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #activeFlowExportTimeout: "30s" + activeFlowExportTimeout: "5s" # Provide the idle flow export timeout, which is the timeout after which a flow # record is sent to the collector for idle flows. A flow is considered idle if no # packet matching this flow has been observed since the last export event. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #idleFlowExportTimeout: "15s" + idleFlowExportTimeout: "15s" nodePortLocal: # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature # gate is also enabled (which is the default). - # enable: false + enable: false # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port # from that range will be assigned whenever a Pod's container defines a specific port to be exposed # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic # directed to that port will be forwarded to the Pod. - # portRange: 61000-62000 + portRange: "61000-62000" # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. - #kubeAPIServerOverride: "" + kubeAPIServerOverride: "" # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. # https://golang.org/pkg/crypto/tls/#pkg-constants # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always # prefer TLS1.3 Cipher Suites whenever possible. - #tlsCipherSuites: + tlsCipherSuites: "" # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - #tlsMinVersion: + tlsMinVersion: "" # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. # If there are multiple IP addresses configured on the interface, the first one is used. The IP @@ -2940,11 +241,11 @@ data: # 1. transportInterface # 2. transportInterfaceCIDRs # 3. The Node IP - #transportInterface: + transportInterface: "" # The names of the interfaces on Nodes that are used to forward multicast traffic. # Defaults to transport interface if not set. - #multicastInterfaces: [] + multicastInterfaces: # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The @@ -2953,7 +254,7 @@ data: # 1. transportInterface # 2. transportInterfaceCIDRs # 3. The Node IP - #transportInterfaceCIDRs: [,] + transportInterfaceCIDRs: # Option antreaProxy contains AntreaProxy related configuration options. antreaProxy: @@ -2962,22 +263,22 @@ data: # feature to be enabled. # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access # apiserver directly. - #proxyAll: false + proxyAll: false # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. # Note that the option is only valid when proxyAll is true. - #nodePortAddresses: [] + nodePortAddresses: # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name # with Namespace (e.g. kube-system/kube-dns) - #skipServices: [] + skipServices: # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. - #proxyLoadBalancerIPs: true + proxyLoadBalancerIPs: true antrea-cni.conflist: | { "cniVersion":"0.3.0", @@ -2988,11 +289,13 @@ data: "ipam": { "type": "host-local" } - }, + } + , { "type": "portmap", "capabilities": {"portMappings": true} - }, + } + , { "type": "bandwidth", "capabilities": {"bandwidth": true} @@ -3030,659 +333,3317 @@ data: # The port for the antrea-controller APIServer to serve on. # Note that if it's set to another value, the `containerPort` of the `api` port of the # `antrea-controller` container must be set to the same value. - #apiPort: 10349 + apiPort: 10349 # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. - #enablePrometheusMetrics: true + enablePrometheusMetrics: true # Indicates whether to use auto-generated self-signed TLS certificate. - # If false, A Secret named "antrea-controller-tls" must be provided with the following keys: + # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: # ca.crt: # tls.crt: # tls.key: - # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the - # antrea-controller container. - #selfSignedCert: true + selfSignedCert: true # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. # https://golang.org/pkg/crypto/tls/#pkg-constants # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always # prefer TLS1.3 Cipher Suites whenever possible. - #tlsCipherSuites: + tlsCipherSuites: "" # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - #tlsMinVersion: + tlsMinVersion: "" nodeIPAM: - # Enable the integrated Node IPAM controller within the Antrea controller. - # enableNodeIPAM: false - - # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. - # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. - # Value ignored when enableNodeIPAM is false. - # clusterCIDRs: [] - - # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. - # Value ignored when enableNodeIPAM is false. - # serviceCIDR: - # serviceCIDRv6: - - # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. - # nodeCIDRMaskSizeIPv4: 24 - - # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. - # nodeCIDRMaskSizeIPv6: 64 -kind: ConfigMap + # Enable the integrated Node IPAM controller within the Antrea controller. + enableNodeIPAM: false + # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. + # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. + # Value ignored when enableNodeIPAM is false. + clusterCIDRs: + # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. + # Value ignored when enableNodeIPAM is false. + serviceCIDR: "" + serviceCIDRv6: "" + # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. + nodeCIDRMaskSizeIPv4: 24 + # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. + nodeCIDRMaskSizeIPv6: 64 +--- +# Source: antrea/templates/crds/antreaagentinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: antreaagentinfos.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of this Agent + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of this Agent + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Node on which this Agent is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of local Pods managed by this Agent + jsonPath: ".localPodNum" + name: Num Pods + type: integer + priority: 2 + - description: Subnets used by this Agent for Pod IPAM + jsonPath: ".nodeSubnets" + name: Subnets + type: string + priority: 2 + scope: Cluster + names: + plural: antreaagentinfos + singular: antreaagentinfo + kind: AntreaAgentInfo + shortNames: + - aai +--- +# Source: antrea/templates/crds/antreacontrollerinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: antreacontrollerinfos.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of the Controller + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of the Controller + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Number of Agents connected to the Controller + jsonPath: ".connectedAgentNum" + name: Connected Agents + type: integer + priority: 1 + - description: Node on which the Controller is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of Network Policies computed by Controller + jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" + name: Num Network Policies + type: integer + priority: 2 + scope: Cluster + names: + plural: antreacontrollerinfos + singular: antreacontrollerinfo + kind: AntreaControllerInfo + shortNames: + - aci +--- +# Source: antrea/templates/crds/clustergroup.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clustergroups.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + - name: v1alpha3 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + service: + name: "antrea" + namespace: "kube-system" + path: "/convert/clustergroup" + scope: Cluster + names: + plural: clustergroups + singular: clustergroup + kind: ClusterGroup + shortNames: + - cg +--- +# Source: antrea/templates/crds/clusternetworkpolicy.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusternetworkpolicies.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this ClusterNetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. + jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + name: + type: string + enableLogging: + type: boolean + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaces: + type: object + properties: + match: + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + fqdn: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + toServices: + type: array + items: + type: object + required: + - name + - namespace + properties: + name: + type: string + namespace: + type: string + name: + type: string + enableLogging: + type: boolean + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + subresources: + status: {} + scope: Cluster + names: + plural: clusternetworkpolicies + singular: clusternetworkpolicy + kind: ClusterNetworkPolicy + shortNames: + - acnp +--- +# Source: antrea/templates/crds/egress.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: egresses.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - appliedTo + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + egressIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + externalIPPool: + type: string + status: + type: object + properties: + egressNode: + type: string + additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. + jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + subresources: + status: {} + scope: Cluster + names: + plural: egresses + singular: egress + kind: Egress + shortNames: + - eg +--- +# Source: antrea/templates/crds/externalentity.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalentities.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + endpoints: + type: array + items: + type: object + properties: + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + name: + type: string + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + name: + type: string + externalNode: + type: string + - name: v1alpha1 + served: false + storage: false + schema: + openAPIV3Schema: + type: object + scope: Namespaced + names: + plural: externalentities + singular: externalentity + kind: ExternalEntity + shortNames: + - ee +--- +# Source: antrea/templates/crds/externalippool.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - ipRanges + - nodeSelector + properties: + ipRanges: + type: array + items: + type: object + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + type: string + format: cidr + start: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + end: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + status: + type: object + properties: + usage: + type: object + properties: + total: + type: integer + used: + type: integer + additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + scope: Cluster + names: + plural: externalippools + singular: externalippool + kind: ExternalIPPool + shortNames: + - eip +--- +# Source: antrea/templates/crds/ippool.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + required: + - ipVersion + - ipRanges + type: object + properties: + ipVersion: + type: integer + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + vlan: + type: integer + minimum: 0 + maximum: 4094 + type: object + type: array + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + name: + type: string + namespace: + type: string + containerID: + type: string + ifName: + type: string + type: object + statefulSet: + properties: + name: + type: string + namespace: + type: string + index: + type: integer + type: object + type: object + phase: + type: string + type: object + type: array + type: object + subresources: + status: {} + scope: Cluster + names: + plural: ippools + singular: ippool + kind: IPPool + shortNames: + - ipp +--- +# Source: antrea/templates/crds/networkpolicy.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networkpolicies.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this Antrea NetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. + jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + name: + type: string + enableLogging: + type: boolean + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + fqdn: + type: string + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + toServices: + type: array + items: + type: object + required: + - name + properties: + name: + type: string + namespace: + type: string + name: + type: string + enableLogging: + type: boolean + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + subresources: + status: {} + scope: Namespaced + names: + plural: networkpolicies + singular: networkpolicy + kind: NetworkPolicy + shortNames: + - anp +--- +# Source: antrea/templates/crds/tier.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tiers.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Priority + type: integer + description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + required: + - priority + type: object + properties: + priority: + type: integer + minimum: 0 + maximum: 255 + description: + type: string + scope: Cluster + names: + plural: tiers + singular: tier + kind: Tier + shortNames: + - tr +--- +# Source: antrea/templates/crds/traceflow.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: traceflows.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .status.phase + description: The phase of the Traceflow. + name: Phase + type: string + - jsonPath: .spec.source.pod + description: The name of the source Pod. + name: Source-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.pod + description: The name of the destination Pod. + name: Destination-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.ip + description: The IP address of the destination. + name: Destination-IP + type: string + priority: 10 + - jsonPath: .spec.liveTraffic + description: Trace live traffic. + name: Live-Traffic + type: boolean + priority: 10 + - jsonPath: .spec.droppedOnly + description: Capture only the dropped packet. + name: Dropped-Only + type: boolean + priority: 10 + - jsonPath: .spec.timeout + description: Timeout in seconds. + name: Timeout + type: integer + priority: 10 + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + properties: + source: + type: object + properties: + pod: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + destination: + type: object + properties: + pod: + type: string + service: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + packet: + type: object + properties: + ipHeader: + type: object + properties: + srcIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + protocol: + type: integer + ttl: + type: integer + flags: + type: integer + ipv6Header: + type: object + properties: + srcIP: + type: string + format: ipv6 + nextHeader: + type: integer + hopLimit: + type: integer + transportHeader: + type: object + properties: + icmp: + type: object + properties: + id: + type: integer + sequence: + type: integer + udp: + type: object + properties: + srcPort: + type: integer + dstPort: + type: integer + tcp: + type: object + properties: + srcPort: + type: integer + dstPort: + type: integer + flags: + type: integer + liveTraffic: + type: boolean + droppedOnly: + type: boolean + timeout: + type: integer + status: + type: object + properties: + reason: + type: string + dataplaneTag: + type: integer + phase: + type: string + startTime: + type: string + results: + type: array + items: + type: object + properties: + node: + type: string + role: + type: string + timestamp: + type: integer + observations: + type: array + items: + type: object + properties: + component: + type: string + componentInfo: + type: string + action: + type: string + pod: + type: string + dstMAC: + type: string + networkPolicy: + type: string + ttl: + type: integer + translatedSrcIP: + type: string + translatedDstIP: + type: string + tunnelDstIP: + type: string + capturedPacket: + properties: + srcIP: + type: string + dstIP: + type: string + length: + type: integer + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + transportHeader: + properties: + tcp: + properties: + dstPort: + type: integer + srcPort: + type: integer + flags: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + type: object + type: object + subresources: + status: {} + scope: Cluster + names: + plural: traceflows + singular: traceflow + kind: Traceflow + shortNames: + - tf +--- +# Source: antrea/templates/agent/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-agent + labels: + app: antrea +rules: + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - nodes/status + verbs: + - patch + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - pods/status + verbs: + - patch + - apiGroups: + - "" + resources: + - endpoints + - services + - namespaces + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - services/status + verbs: + - update + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - get + - create + - update + - delete + - apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - watch + - list + - apiGroups: + - controlplane.antrea.io + resources: + - egressgroups + verbs: + - get + - watch + - list + - apiGroups: + - controlplane.antrea.io + resources: + - nodestatssummaries + verbs: + - create + - apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies/status + verbs: + - create + - get + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + # This is the content of built-in role kube-system/extension-apiserver-authentication-reader. + # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-agent) will + # have permission issue after bumping up apiserver library to a version that supports dynamic authentication. + # See https://github.com/kubernetes/kubernetes/pull/85375 + # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on + # the extension-apiserver-authentication role. + - apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - antrea-ca + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - egresses/status + verbs: + - update + - apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - ippools/status + verbs: + - update + - apiGroups: + - k8s.cni.cncf.io + resources: + - network-attachment-definitions + verbs: + - get + - list + - watch +--- +# Source: antrea/templates/antctl/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antctl + labels: + app: antrea +rules: + - apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - list + - apiGroups: + - stats.antrea.io + resources: + - networkpolicystats + - antreaclusternetworkpolicystats + - antreanetworkpolicystats + verbs: + - get + - list + - apiGroups: + - system.antrea.io + resources: + - controllerinfos + - agentinfos + verbs: + - get + - apiGroups: + - system.antrea.io + resources: + - supportbundles + verbs: + - get + - post + - apiGroups: + - system.antrea.io + resources: + - supportbundles/download + verbs: + - get + - nonResourceURLs: + - /agentinfo + - /addressgroups + - /appliedtogroups + - /loglevel + - /networkpolicies + - /ovsflows + - /ovstracing + - /podinterfaces + - /featuregates + verbs: + - get +--- +# Source: antrea/templates/cluster-identity-reader/clusterrolebinding.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-cluster-identity-reader + labels: + app: antrea +rules: + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - antrea-cluster-identity + verbs: + - get +--- +# Source: antrea/templates/controller/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-controller + labels: + app: antrea +rules: + - apiGroups: + - "" + resources: + - pods + - services + - namespaces + - configmaps + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - patch + - apiGroups: + - "" + resources: + - services/status + verbs: + - update + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - watch + - list + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - update + # This is the content of built-in role kube-system/extension-apiserver-authentication-reader. + # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-controller) will + # have permission issue after bumping up apiserver library to a version that supports dynamic authentication. + # See https://github.com/kubernetes/kubernetes/pull/85375 + # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on + # the extension-apiserver-authentication role. + - apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - antrea-ca + - antrea-cluster-identity + verbs: + - get + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + resourceNames: + - v1alpha1.stats.antrea.io + - v1beta1.system.antrea.io + - v1beta2.controlplane.antrea.io + verbs: + - get + - update + - apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + resourceNames: + - v1beta1.networking.antrea.tanzu.vmware.com + - v1beta1.controlplane.antrea.tanzu.vmware.com + - v1alpha1.stats.antrea.tanzu.vmware.com + - v1beta1.system.antrea.tanzu.vmware.com + - v1beta2.controlplane.antrea.tanzu.vmware.com + verbs: + - delete + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + resourceNames: + # always give permissions for labelsmutator.antrea.io, even when the + # feature is disabled, to avoid errors in antrea-controller when updating + # the CA cert. + - labelsmutator.antrea.io + - crdmutator.antrea.io + - crdvalidator.antrea.io + verbs: + - get + - update + - apiGroups: + - crd.antrea.io + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete + - apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - list + - delete + - apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update + - apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - clustergroups/status + verbs: + - update + - apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list + - update + - patch + - apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - externalippools/status + - ippools/status + verbs: + - update + - apiGroups: + - apps + resources: + - statefulsets + verbs: + - get + - list + - watch +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: + name: aggregate-antrea-policies-edit labels: app: antrea - name: antrea-config-mkbgmf6ct6 - namespace: kube-system + # Add these permissions to the "admin" and "edit" default roles. + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["clusternetworkpolicies", "networkpolicies"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] --- -apiVersion: v1 -kind: Service +# Source: antrea/templates/crds-rbac/clusterroles.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: aggregate-antrea-policies-view + labels: + app: antrea + # Add these permissions to the "view" default role. + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["clusternetworkpolicies", "networkpolicies"] + verbs: ["get", "list", "watch"] +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: aggregate-traceflows-edit + labels: + app: antrea + # Add these permissions to the "admin" and "edit" default roles. + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["traceflows"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 metadata: + name: aggregate-traceflows-view + labels: + app: antrea + # Add these permissions to the "view" default role. + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["traceflows"] + verbs: ["get", "list", "watch"] +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: aggregate-antrea-clustergroups-edit + labels: + app: antrea + # Add these permissions to the "admin" and "edit" default roles. + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["clustergroups"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: aggregate-antrea-clustergroups-view + labels: + app: antrea + # Add these permissions to the "view" default role. + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["clustergroups"] + verbs: ["get", "list", "watch"] +--- +# Source: antrea/templates/agent/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-agent + labels: + app: antrea +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: + - kind: ServiceAccount + name: antrea-agent + namespace: kube-system +--- +# Source: antrea/templates/antctl/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antctl +subjects: + - kind: ServiceAccount + name: antctl + namespace: kube-system +--- +# Source: antrea/templates/controller/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-controller labels: app: antrea +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: + - kind: ServiceAccount + name: antrea-controller + namespace: kube-system +--- +# Source: antrea/templates/controller/service.yaml +apiVersion: v1 +kind: Service +metadata: name: antrea namespace: kube-system + labels: + app: antrea spec: ports: - - port: 443 - protocol: TCP - targetPort: api + - port: 443 + protocol: TCP + targetPort: api selector: app: antrea component: antrea-controller --- +# Source: antrea/templates/agent/daemonset.yaml apiVersion: apps/v1 -kind: Deployment +kind: DaemonSet metadata: + name: antrea-agent + namespace: kube-system labels: app: antrea - component: antrea-controller + component: antrea-agent +spec: + selector: + matchLabels: + app: antrea + component: antrea-agent + updateStrategy: + type: RollingUpdate + template: + metadata: + annotations: + # Starting with v1.21, Kubernetes supports default container annotation. + # Using "kubectl logs/exec/attach/cp" doesn't have to specify "-c antrea-agent" when troubleshooting. + kubectl.kubernetes.io/default-container: antrea-agent + # Automatically restart Pods with a RollingUpdate if the ConfigMap changes + # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments + checksum/config: cb46b22ec258614e4df2cc06aaaba03d2a3ecd008de23288dbdce9cd3cc68647 + labels: + app: antrea + component: antrea-agent + spec: + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + priorityClassName: system-node-critical + nodeSelector: + kubernetes.io/os: linux + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + serviceAccountName: antrea-agent + initContainers: + - name: install-cni + image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest" + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 100m + command: ["install_cni_chaining"] + securityContext: + capabilities: + add: + # SYS_MODULE is required to load the OVS kernel module. + - SYS_MODULE + env: + # SKIP_CNI_BINARIES takes in values as a comma separated list of + # binaries that need to be skipped for installation, e.g. "portmap, bandwidth". + - name: SKIP_CNI_BINARIES + value: "" + volumeMounts: + - name: antrea-config + mountPath: /etc/antrea/antrea-cni.conflist + subPath: antrea-cni.conflist + readOnly: true + - name: host-cni-conf + mountPath: /host/etc/cni/net.d + - name: host-cni-bin + mountPath: /host/opt/cni/bin + # For loading the OVS kernel module. + - name: host-lib-modules + mountPath: /lib/modules + readOnly: true + # For changing the default permissions of the run directory. + - name: host-var-run-antrea + mountPath: /var/run/antrea + containers: + - name: antrea-agent + image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest" + imagePullPolicy: IfNotPresent + command: ["antrea-agent"] + # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).- + args: + - "--config=/etc/antrea/antrea-agent.conf" + - "--logtostderr=false" + - "--log_dir=/var/log/antrea" + - "--alsologtostderr" + - "--log_file_max_size=100" + - "--log_file_max_num=4" + env: + # Provide pod and node information for clusterinformation CRD. + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + resources: + requests: + cpu: 200m + ports: + - containerPort: 10350 + name: api + protocol: TCP + livenessProbe: + exec: + command: + - /bin/sh + - -c + - container_liveness_probe agent + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + failureThreshold: 5 + readinessProbe: + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + # In large-scale clusters, it may take up to 40~50 seconds for the antrea-agent to reconnect to the antrea + # Service after the antrea-controller restarts. The antrea-agent shouldn't be reported as NotReady in this + # scenario, otherwise the DaemonSet controller would restart all agents at once, as opposed to performing a + # rolling update. Set failureThreshold to 8 so it can tolerate 70s of disconnection. + failureThreshold: 8 + securityContext: + # antrea-agent needs to perform sysctl configuration. + privileged: true + volumeMounts: + - name: antrea-config + mountPath: /etc/antrea/antrea-agent.conf + subPath: antrea-agent.conf + readOnly: true + - name: host-var-run-antrea + mountPath: /var/run/antrea + - name: host-var-run-antrea + mountPath: /var/run/openvswitch + subPath: openvswitch + # host-local IPAM stores allocated IP addresses as files in /var/lib/cni/networks/$NETWORK_NAME. + # Mount a sub-directory of host-var-run-antrea to it for persistence of IP allocation. + - name: host-var-run-antrea + mountPath: /var/lib/cni + subPath: cni + # We need to mount both the /proc directory and the /var/run/netns directory so that + # antrea-agent can open the network namespace path when setting up Pod + # networking. Different container runtimes may use /proc or /var/run/netns when invoking + # the CNI commands. Docker uses /proc and containerd uses /var/run/netns. + - name: host-var-log-antrea + mountPath: /var/log/antrea + - name: host-proc + mountPath: /host/proc + readOnly: true + - name: host-var-run-netns + mountPath: /host/var/run/netns + readOnly: true + # When a container is created, a mount point for the network namespace is added under + # /var/run/netns on the host, which needs to be propagated to the antrea-agent container. + mountPropagation: HostToContainer + - name: xtables-lock + mountPath: /run/xtables.lock + - name: antrea-ovs + image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest" + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 200m + command: ["start_ovs"] + args: + - "--log_file_max_size=100" + - "--log_file_max_num=4" + securityContext: + # capabilities required by OVS daemons + capabilities: + add: + - SYS_NICE + - NET_ADMIN + - SYS_ADMIN + - IPC_LOCK + livenessProbe: + exec: + # docker CRI doesn't honor timeoutSeconds, add "timeout" to the command as a workaround. + # https://github.com/kubernetes/kubernetes/issues/51901 + command: + - /bin/sh + - -c + - timeout 10 container_liveness_probe ovs + initialDelaySeconds: 5 + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 5 + volumeMounts: + - name: host-var-run-antrea + mountPath: /var/run/openvswitch + subPath: openvswitch + - name: host-var-log-antrea + mountPath: /var/log/openvswitch + subPath: openvswitch + volumes: + - name: antrea-config + configMap: + name: antrea-config + - name: host-cni-conf + hostPath: + path: /etc/cni/net.d + - name: host-cni-bin + hostPath: + path: /opt/cni/bin + - name: host-proc + hostPath: + path: /proc + - name: host-var-run-netns + hostPath: + path: /var/run/netns + - name: host-var-run-antrea + hostPath: + path: /var/run/antrea + # we use subPath to create run subdirectories for different component (e.g. OVS) and + # subPath requires the base volume to exist + type: DirectoryOrCreate + - name: host-var-log-antrea + hostPath: + path: /var/log/antrea + # we use subPath to create logging subdirectories for different component (e.g. OVS) + type: DirectoryOrCreate + - name: host-lib-modules + hostPath: + path: /lib/modules + - name: xtables-lock + hostPath: + path: /run/xtables.lock + type: FileOrCreate +--- +# Source: antrea/templates/controller/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: name: antrea-controller namespace: kube-system + labels: + app: antrea + component: antrea-controller spec: - replicas: 1 + strategy: + # Ensure the existing Pod is stopped before the new one is created. + type: Recreate selector: matchLabels: app: antrea component: antrea-controller - strategy: - type: Recreate + replicas: 1 template: metadata: + annotations: + # Automatically restart Pod if the ConfigMap changes + # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments + checksum/config: cb46b22ec258614e4df2cc06aaaba03d2a3ecd008de23288dbdce9cd3cc68647 labels: app: antrea component: antrea-controller spec: - containers: - - args: - - --config - - /etc/antrea/antrea-controller.conf - - --logtostderr=false - - --log_dir=/var/log/antrea - - --alsologtostderr - - --log_file_max_size=100 - - --log_file_max_num=4 - - --v=0 - command: - - antrea-controller - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: SERVICEACCOUNT_NAME - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ANTREA_CONFIG_MAP_NAME - value: antrea-config-mkbgmf6ct6 - image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 5 - httpGet: - host: localhost - path: /livez - port: api - scheme: HTTPS - periodSeconds: 10 - timeoutSeconds: 5 - name: antrea-controller - ports: - - containerPort: 10349 - name: api - protocol: TCP - readinessProbe: - failureThreshold: 5 - httpGet: - host: localhost - path: /readyz - port: api - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - resources: - requests: - cpu: 200m - volumeMounts: - - mountPath: /etc/antrea/antrea-controller.conf - name: antrea-config - readOnly: true - subPath: antrea-controller.conf - - mountPath: /var/run/antrea/antrea-controller-tls - name: antrea-controller-tls - - mountPath: /var/log/antrea - name: host-var-log-antrea - hostNetwork: true nodeSelector: kubernetes.io/os: linux + hostNetwork: true priorityClassName: system-cluster-critical - serviceAccountName: antrea-controller tolerations: - - key: CriticalAddonsOnly - operator: Exists - - effect: NoSchedule - key: node-role.kubernetes.io/master + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + serviceAccountName: antrea-controller + containers: + - name: antrea-controller + image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest" + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 200m + command: ["antrea-controller"] + # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work). + args: + - "--config=/etc/antrea/antrea-controller.conf" + - "--logtostderr=false" + - "--log_dir=/var/log/antrea" + - "--alsologtostderr" + - "--log_file_max_size=100" + - "--log_file_max_num=4" + env: + # Provide pod and node information for clusterinformation CRD. + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + # Provide ServiceAccount name for validation webhook. + - name: SERVICEACCOUNT_NAME + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ANTREA_CONFIG_MAP_NAME + value: antrea-config + ports: + - containerPort: 10349 + name: api + protocol: TCP + readinessProbe: + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + failureThreshold: 5 + livenessProbe: + httpGet: + host: localhost + path: /livez + port: api + scheme: HTTPS + timeoutSeconds: 5 + periodSeconds: 10 + failureThreshold: 5 + volumeMounts: + - name: antrea-config + mountPath: /etc/antrea/antrea-controller.conf + subPath: antrea-controller.conf + readOnly: true + - name: antrea-controller-tls + mountPath: /var/run/antrea/antrea-controller-tls + - name: host-var-log-antrea + mountPath: /var/log/antrea volumes: - - configMap: - name: antrea-config-mkbgmf6ct6 - name: antrea-config - - name: antrea-controller-tls - secret: - defaultMode: 256 - optional: true - secretName: antrea-controller-tls - - hostPath: - path: /var/log/antrea - type: DirectoryOrCreate - name: host-var-log-antrea + - name: antrea-config + configMap: + name: antrea-config + # Make it optional as we only read it when selfSignedCert=false. + - name: antrea-controller-tls + secret: + secretName: antrea-controller-tls + defaultMode: 0400 + optional: true + - name: host-var-log-antrea + hostPath: + path: /var/log/antrea + type: DirectoryOrCreate --- +# Source: antrea/templates/controller/apiservices.yaml apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: + name: v1beta2.controlplane.antrea.io labels: app: antrea - name: v1alpha1.stats.antrea.io spec: - group: stats.antrea.io + group: controlplane.antrea.io groupPriorityMinimum: 100 + version: v1beta2 + versionPriority: 100 service: name: antrea namespace: kube-system - version: v1alpha1 - versionPriority: 100 --- +# Source: antrea/templates/controller/apiservices.yaml apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: + name: v1beta1.system.antrea.io labels: app: antrea - name: v1beta1.system.antrea.io spec: group: system.antrea.io groupPriorityMinimum: 100 + version: v1beta1 + versionPriority: 100 service: name: antrea namespace: kube-system - version: v1beta1 - versionPriority: 100 --- +# Source: antrea/templates/controller/apiservices.yaml apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: + name: v1alpha1.stats.antrea.io labels: app: antrea - name: v1beta2.controlplane.antrea.io spec: - group: controlplane.antrea.io + group: stats.antrea.io groupPriorityMinimum: 100 + version: v1alpha1 + versionPriority: 100 service: name: antrea namespace: kube-system - version: v1beta2 - versionPriority: 100 ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - labels: - app: antrea - component: antrea-agent - name: antrea-agent - namespace: kube-system -spec: - selector: - matchLabels: - app: antrea - component: antrea-agent - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: antrea-agent - labels: - app: antrea - component: antrea-agent - spec: - containers: - - args: - - --config - - /etc/antrea/antrea-agent.conf - - --logtostderr=false - - --log_dir=/var/log/antrea - - --alsologtostderr - - --log_file_max_size=100 - - --log_file_max_num=4 - - --v=0 - command: - - antrea-agent - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest - imagePullPolicy: IfNotPresent - livenessProbe: - exec: - command: - - /bin/sh - - -c - - container_liveness_probe agent - failureThreshold: 5 - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - name: antrea-agent - ports: - - containerPort: 10350 - name: api - protocol: TCP - readinessProbe: - failureThreshold: 8 - httpGet: - host: localhost - path: /readyz - port: api - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - resources: - requests: - cpu: 200m - securityContext: - privileged: true - volumeMounts: - - mountPath: /etc/antrea/antrea-agent.conf - name: antrea-config - readOnly: true - subPath: antrea-agent.conf - - mountPath: /var/run/antrea - name: host-var-run-antrea - - mountPath: /var/run/openvswitch - name: host-var-run-antrea - subPath: openvswitch - - mountPath: /var/lib/cni - name: host-var-run-antrea - subPath: cni - - mountPath: /var/log/antrea - name: host-var-log-antrea - - mountPath: /host/proc - name: host-proc - readOnly: true - - mountPath: /host/var/run/netns - mountPropagation: HostToContainer - name: host-var-run-netns - readOnly: true - - mountPath: /run/xtables.lock - name: xtables-lock - - args: - - --log_file_max_size=100 - - --log_file_max_num=4 - command: - - start_ovs - image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest - imagePullPolicy: IfNotPresent - livenessProbe: - exec: - command: - - /bin/sh - - -c - - timeout 10 container_liveness_probe ovs - failureThreshold: 5 - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 10 - name: antrea-ovs - resources: - requests: - cpu: 200m - securityContext: - capabilities: - add: - - SYS_NICE - - NET_ADMIN - - SYS_ADMIN - - IPC_LOCK - volumeMounts: - - mountPath: /var/run/openvswitch - name: host-var-run-antrea - subPath: openvswitch - - mountPath: /var/log/openvswitch - name: host-var-log-antrea - subPath: openvswitch - dnsPolicy: ClusterFirstWithHostNet - hostNetwork: true - initContainers: - - command: - - install_cni_chaining - env: - - name: SKIP_CNI_BINARIES - value: "" - image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest - imagePullPolicy: IfNotPresent - name: install-cni - resources: - requests: - cpu: 100m - securityContext: - capabilities: - add: - - SYS_MODULE - volumeMounts: - - mountPath: /etc/antrea/antrea-cni.conflist - name: antrea-config - readOnly: true - subPath: antrea-cni.conflist - - mountPath: /host/etc/cni/net.d - name: host-cni-conf - - mountPath: /host/opt/cni/bin - name: host-cni-bin - - mountPath: /lib/modules - name: host-lib-modules - readOnly: true - - mountPath: /var/run/antrea - name: host-var-run-antrea - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-node-critical - serviceAccountName: antrea-agent - tolerations: - - key: CriticalAddonsOnly - operator: Exists - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - volumes: - - configMap: - name: antrea-config-mkbgmf6ct6 - name: antrea-config - - hostPath: - path: /etc/cni/net.d - name: host-cni-conf - - hostPath: - path: /opt/cni/bin - name: host-cni-bin - - hostPath: - path: /proc - name: host-proc - - hostPath: - path: /var/run/netns - name: host-var-run-netns - - hostPath: - path: /var/run/antrea - type: DirectoryOrCreate - name: host-var-run-antrea - - hostPath: - path: /var/log/antrea - type: DirectoryOrCreate - name: host-var-log-antrea - - hostPath: - path: /lib/modules - name: host-lib-modules - - hostPath: - path: /run/xtables.lock - type: FileOrCreate - name: xtables-lock - updateStrategy: - type: RollingUpdate --- +# Source: antrea/templates/webhooks/mutating/crdmutator.yaml apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: + name: "crdmutator.antrea.io" labels: app: antrea - name: crdmutator.antrea.io webhooks: -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /mutate/acnp - name: acnpmutator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusternetworkpolicies - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /mutate/anp - name: anpmutator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - networkpolicies - scope: Namespaced - sideEffects: None - timeoutSeconds: 5 + - name: "acnpmutator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/mutate/acnp" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["clusternetworkpolicies"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "anpmutator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/mutate/anp" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["networkpolicies"] + scope: "Namespaced" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 --- +# Source: antrea/templates/webhooks/validating/crdvalidator.yaml apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: + name: "crdvalidator.antrea.io" labels: app: antrea - name: crdvalidator.antrea.io webhooks: -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/tier - name: tiervalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - - DELETE - resources: - - tiers - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/acnp - name: acnpvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusternetworkpolicies - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/anp - name: anpvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - networkpolicies - scope: Namespaced - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/clustergroup - name: clustergroupvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha3 - - v1alpha2 - operations: - - CREATE - - UPDATE - resources: - - clustergroups - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/externalippool - name: externalippoolvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha2 - operations: - - UPDATE - resources: - - externalippools - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/egress - name: egressvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha2 - operations: - - CREATE - - UPDATE - resources: - - egresses - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/ippool - name: ippoolvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha2 - operations: - - CREATE - - UPDATE - - DELETE - resources: - - ippools - scope: Cluster - sideEffects: None - timeoutSeconds: 5 + - name: "tiervalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/tier" + rules: + - operations: ["CREATE", "UPDATE", "DELETE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["tiers"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "acnpvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/acnp" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["clusternetworkpolicies"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "anpvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/anp" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["networkpolicies"] + scope: "Namespaced" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "clustergroupvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/clustergroup" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha3", "v1alpha2"] + resources: ["clustergroups"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "externalippoolvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/externalippool" + rules: + - operations: ["UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha2"] + resources: ["externalippools"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "egressvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/egress" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha2"] + resources: ["egresses"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "ippoolvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/ippool" + rules: + - operations: ["CREATE", "UPDATE", "DELETE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha2"] + resources: ["ippools"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml index c9c53a68803..17247b1db0a 100644 --- a/build/yamls/antrea-eks.yml +++ b/build/yamls/antrea-eks.yml @@ -1,2742 +1,39 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition +--- +# Source: antrea/templates/agent/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount metadata: + name: antrea-agent + namespace: kube-system labels: app: antrea - name: antreaagentinfos.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: AntreaAgentInfo - plural: antreaagentinfos - shortNames: - - aai - singular: antreaagentinfo - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Health status of this Agent - jsonPath: .agentConditions[?(@.type=='AgentHealthy')].status - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: .agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime - name: Last Heartbeat - type: date - - description: Version of this Agent - jsonPath: .version - name: Version - priority: 1 - type: string - - description: Node on which this Agent is running - jsonPath: .nodeRef.name - name: Node - priority: 1 - type: string - - description: Number of local Pods managed by this Agent - jsonPath: .localPodNum - name: Num Pods - priority: 2 - type: integer - - description: Subnets used by this Agent for Pod IPAM - jsonPath: .nodeSubnets - name: Subnets - priority: 2 - type: string - name: v1beta1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true --- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition +# Source: antrea/templates/antctl/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount metadata: + name: antctl + namespace: kube-system labels: app: antrea - name: antreacontrollerinfos.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: AntreaControllerInfo - plural: antreacontrollerinfos - shortNames: - - aci - singular: antreacontrollerinfo - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Health status of the Controller - jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].status - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime - name: Last Heartbeat - type: date - - description: Version of the Controller - jsonPath: .version - name: Version - priority: 1 - type: string - - description: Number of Agents connected to the Controller - jsonPath: .connectedAgentNum - name: Connected Agents - priority: 1 - type: integer - - description: Node on which the Controller is running - jsonPath: .nodeRef.name - name: Node - priority: 1 - type: string - - description: Number of Network Policies computed by Controller - jsonPath: .networkPolicyControllerInfo.networkPolicyNum - name: Num Network Policies - priority: 2 - type: integer - name: v1beta1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true --- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition +# Source: antrea/templates/controller/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount metadata: + name: antrea-controller + namespace: kube-system labels: app: antrea - name: clustergroups.crd.antrea.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: antrea - namespace: kube-system - path: /convert/clustergroup - conversionReviewVersions: - - v1 - - v1beta1 - group: crd.antrea.io - names: - kind: ClusterGroup - plural: clustergroups - shortNames: - - cg - singular: clustergroup - scope: Cluster - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - childGroups: - items: - type: string - type: array - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - ipBlocks: - items: - properties: - cidr: - format: cidr - type: string - type: object - type: array - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceReference: - properties: - name: - type: string - namespace: - type: string - type: object - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - type: string - status: - type: string - type: - type: string - type: object - type: array - type: object - type: object - served: true - storage: false - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - properties: - childGroups: - items: - type: string - type: array - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - ipBlocks: - items: - properties: - cidr: - format: cidr - type: string - type: object - type: array - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceReference: - properties: - name: - type: string - namespace: - type: string - type: object - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - type: string - status: - type: string - type: - type: string - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} --- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition +# Source: antrea/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap metadata: + name: antrea-config + namespace: kube-system labels: app: antrea - name: clusternetworkpolicies.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ClusterNetworkPolicy - plural: clusternetworkpolicies - shortNames: - - acnp - singular: clusternetworkpolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The Tier to which this ClusterNetworkPolicy belongs to. - jsonPath: .spec.tier - name: Tier - type: string - - description: The Priority of this ClusterNetworkPolicy relative to other policies. - format: float - jsonPath: .spec.priority - name: Priority - type: number - - description: The total number of Nodes that should realize the NetworkPolicy. - format: int32 - jsonPath: .status.desiredNodesRealized - name: Desired Nodes - type: number - - description: The number of Nodes that have realized the NetworkPolicy. - format: int32 - jsonPath: .status.currentNodesRealized - name: Current Nodes - type: number - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceAccount: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - type: array - egress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceAccount: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - type: array - enableLogging: - type: boolean - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string - type: object - type: array - to: - items: - properties: - fqdn: - type: string - group: - type: string - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: - properties: - match: - type: string - type: object - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceAccount: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - type: array - toServices: - items: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: array - required: - - action - type: object - type: array - ingress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceAccount: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - type: array - enableLogging: - type: boolean - from: - items: - properties: - group: - type: string - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: - properties: - match: - enum: - - Self - type: string - type: object - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceAccount: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - type: array - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string - type: object - type: array - required: - - action - type: object - type: array - priority: - format: float - maximum: 10000 - minimum: 1 - type: number - tier: - type: string - required: - - priority - type: object - status: - properties: - currentNodesRealized: - type: integer - desiredNodesRealized: - type: integer - observedGeneration: - type: integer - phase: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: egresses.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Egress - plural: egresses - shortNames: - - eg - singular: egress - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Specifies the SNAT IP address for the selected workloads. - jsonPath: .spec.egressIP - name: EgressIP - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The Owner Node of egress IP - jsonPath: .status.egressNode - name: Node - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - anyOf: - - required: - - egressIP - - required: - - externalIPPool - properties: - appliedTo: - properties: - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - egressIP: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - externalIPPool: - type: string - required: - - appliedTo - type: object - status: - properties: - egressNode: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalentities.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ExternalEntity - plural: externalentities - shortNames: - - ee - singular: externalentity - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - endpoints: - items: - properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - name: - type: string - type: object - type: array - externalNode: - type: string - ports: - items: - properties: - name: - type: string - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string - type: object - type: array - type: object - type: object - served: true - storage: true - - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - served: false - storage: false ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalippools.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ExternalIPPool - plural: externalippools - shortNames: - - eip - singular: externalippool - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of allocated IPs - jsonPath: .status.usage.used - name: Used - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - ipRanges: - items: - oneOf: - - required: - - cidr - - required: - - start - - end - properties: - cidr: - format: cidr - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - start: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - type: object - type: array - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - required: - - ipRanges - - nodeSelector - type: object - status: - properties: - usage: - properties: - total: - type: integer - used: - type: integer - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: ippools.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: IPPool - plural: ippools - shortNames: - - ipp - singular: ippool - scope: Cluster - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - ipRanges: - items: - oneOf: - - required: - - cidr - - gateway - - prefixLength - - required: - - start - - end - - gateway - - prefixLength - properties: - cidr: - format: cidr - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - gateway: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - prefixLength: - type: integer - start: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - vlan: - maximum: 4094 - minimum: 0 - type: integer - type: object - type: array - ipVersion: - type: integer - required: - - ipVersion - - ipRanges - type: object - status: - properties: - ipAddresses: - items: - properties: - ipAddress: - type: string - owner: - properties: - pod: - properties: - containerID: - type: string - ifName: - type: string - name: - type: string - namespace: - type: string - type: object - statefulSet: - properties: - index: - type: integer - name: - type: string - namespace: - type: string - type: object - type: object - phase: - type: string - type: object - type: array - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: networkpolicies.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: NetworkPolicy - plural: networkpolicies - shortNames: - - anp - singular: networkpolicy - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The Tier to which this Antrea NetworkPolicy belongs to. - jsonPath: .spec.tier - name: Tier - type: string - - description: The Priority of this Antrea NetworkPolicy relative to other policies. - format: float - jsonPath: .spec.priority - name: Priority - type: number - - description: The total number of Nodes that should realize the NetworkPolicy. - format: int32 - jsonPath: .status.desiredNodesRealized - name: Desired Nodes - type: number - - description: The number of Nodes that have realized the NetworkPolicy. - format: int32 - jsonPath: .status.currentNodesRealized - name: Current Nodes - type: number - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - egress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - enableLogging: - type: boolean - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string - type: object - type: array - to: - items: - properties: - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - fqdn: - type: string - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - toServices: - items: - properties: - name: - type: string - namespace: - type: string - required: - - name - type: object - type: array - required: - - action - type: object - type: array - ingress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - enableLogging: - type: boolean - from: - items: - properties: - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string - type: object - type: array - required: - - action - type: object - type: array - priority: - format: float - maximum: 10000 - minimum: 1 - type: number - tier: - type: string - required: - - priority - type: object - status: - properties: - currentNodesRealized: - type: integer - desiredNodesRealized: - type: integer - observedGeneration: - type: integer - phase: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: tiers.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Tier - plural: tiers - shortNames: - - tr - singular: tier - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The Priority of this Tier relative to other Tiers. - jsonPath: .spec.priority - name: Priority - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - description: - type: string - priority: - maximum: 255 - minimum: 0 - type: integer - required: - - priority - type: object - type: object - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: traceflows.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Traceflow - plural: traceflows - shortNames: - - tf - singular: traceflow - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The phase of the Traceflow. - jsonPath: .status.phase - name: Phase - type: string - - description: The name of the source Pod. - jsonPath: .spec.source.pod - name: Source-Pod - priority: 10 - type: string - - description: The name of the destination Pod. - jsonPath: .spec.destination.pod - name: Destination-Pod - priority: 10 - type: string - - description: The IP address of the destination. - jsonPath: .spec.destination.ip - name: Destination-IP - priority: 10 - type: string - - description: Trace live traffic. - jsonPath: .spec.liveTraffic - name: Live-Traffic - priority: 10 - type: boolean - - description: Capture only the dropped packet. - jsonPath: .spec.droppedOnly - name: Dropped-Only - priority: 10 - type: boolean - - description: Timeout in seconds. - jsonPath: .spec.timeout - name: Timeout - priority: 10 - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - destination: - properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - namespace: - type: string - pod: - type: string - service: - type: string - type: object - droppedOnly: - type: boolean - liveTraffic: - type: boolean - packet: - properties: - ipHeader: - properties: - flags: - type: integer - protocol: - type: integer - srcIP: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - ttl: - type: integer - type: object - ipv6Header: - properties: - hopLimit: - type: integer - nextHeader: - type: integer - srcIP: - format: ipv6 - type: string - type: object - transportHeader: - properties: - icmp: - properties: - id: - type: integer - sequence: - type: integer - type: object - tcp: - properties: - dstPort: - type: integer - flags: - type: integer - srcPort: - type: integer - type: object - udp: - properties: - dstPort: - type: integer - srcPort: - type: integer - type: object - type: object - type: object - source: - properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - namespace: - type: string - pod: - type: string - type: object - timeout: - type: integer - type: object - status: - properties: - capturedPacket: - properties: - dstIP: - type: string - ipHeader: - properties: - flags: - type: integer - protocol: - type: integer - ttl: - type: integer - type: object - ipv6Header: - properties: - hopLimit: - type: integer - nextHeader: - type: integer - type: object - length: - type: integer - srcIP: - type: string - transportHeader: - properties: - icmp: - properties: - id: - type: integer - sequence: - type: integer - type: object - tcp: - properties: - dstPort: - type: integer - flags: - type: integer - srcPort: - type: integer - type: object - udp: - properties: - dstPort: - type: integer - srcPort: - type: integer - type: object - type: object - type: object - dataplaneTag: - type: integer - phase: - type: string - reason: - type: string - results: - items: - properties: - node: - type: string - observations: - items: - properties: - action: - type: string - component: - type: string - componentInfo: - type: string - dstMAC: - type: string - networkPolicy: - type: string - pod: - type: string - translatedDstIP: - type: string - translatedSrcIP: - type: string - ttl: - type: integer - tunnelDstIP: - type: string - type: object - type: array - role: - type: string - timestamp: - type: integer - type: object - type: array - startTime: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: antrea - name: antctl - namespace: kube-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: antrea - name: antrea-agent - namespace: kube-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: antrea - name: antrea-controller - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: aggregate-antrea-clustergroups-edit -rules: -- apiGroups: - - crd.antrea.io - resources: - - clustergroups - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: aggregate-antrea-clustergroups-view -rules: -- apiGroups: - - crd.antrea.io - resources: - - clustergroups - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: aggregate-antrea-policies-edit -rules: -- apiGroups: - - crd.antrea.io - resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: aggregate-antrea-policies-view -rules: -- apiGroups: - - crd.antrea.io - resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: aggregate-traceflows-edit -rules: -- apiGroups: - - crd.antrea.io - resources: - - traceflows - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: aggregate-traceflows-view -rules: -- apiGroups: - - crd.antrea.io - resources: - - traceflows - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antctl -rules: -- apiGroups: - - controlplane.antrea.io - resources: - - networkpolicies - - appliedtogroups - - addressgroups - verbs: - - get - - list -- apiGroups: - - stats.antrea.io - resources: - - networkpolicystats - - antreaclusternetworkpolicystats - - antreanetworkpolicystats - verbs: - - get - - list -- apiGroups: - - system.antrea.io - resources: - - controllerinfos - - agentinfos - verbs: - - get -- apiGroups: - - system.antrea.io - resources: - - supportbundles - verbs: - - get - - post -- apiGroups: - - system.antrea.io - resources: - - supportbundles/download - verbs: - - get -- nonResourceURLs: - - /agentinfo - - /addressgroups - - /appliedtogroups - - /loglevel - - /networkpolicies - - /ovsflows - - /ovstracing - - /podinterfaces - - /featuregates - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antrea-agent -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - nodes/status - verbs: - - patch -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - pods/status - verbs: - - patch -- apiGroups: - - "" - resources: - - endpoints - - services - - namespaces - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - services/status - verbs: - - update -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - antreaagentinfos - verbs: - - get - - create - - update - - delete -- apiGroups: - - controlplane.antrea.io - resources: - - networkpolicies - - appliedtogroups - - addressgroups - verbs: - - get - - watch - - list -- apiGroups: - - controlplane.antrea.io - resources: - - egressgroups - verbs: - - get - - watch - - list -- apiGroups: - - controlplane.antrea.io - resources: - - nodestatssummaries - verbs: - - create -- apiGroups: - - controlplane.antrea.io - resources: - - networkpolicies/status - verbs: - - create - - get -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - "" - resourceNames: - - extension-apiserver-authentication - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - "" - resourceNames: - - antrea-ca - resources: - - configmaps - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - traceflows - - traceflows/status - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - egresses - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - egresses/status - verbs: - - update -- apiGroups: - - crd.antrea.io - resources: - - externalippools - - ippools - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - ippools/status - verbs: - - update -- apiGroups: - - k8s.cni.cncf.io - resources: - - network-attachment-definitions - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antrea-cluster-identity-reader -rules: -- apiGroups: - - "" - resourceNames: - - antrea-cluster-identity - resources: - - configmaps - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antrea-controller -rules: -- apiGroups: - - "" - resources: - - pods - - services - - namespaces - - configmaps - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - watch - - list - - patch -- apiGroups: - - "" - resources: - - services/status - verbs: - - update -- apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - get - - watch - - list -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - update -- apiGroups: - - "" - resourceNames: - - extension-apiserver-authentication - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - "" - resourceNames: - - antrea-ca - - antrea-cluster-identity - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create -- apiGroups: - - apiregistration.k8s.io - resourceNames: - - v1alpha1.stats.antrea.io - - v1beta1.system.antrea.io - - v1beta2.controlplane.antrea.io - resources: - - apiservices - verbs: - - get - - update -- apiGroups: - - apiregistration.k8s.io - resourceNames: - - v1beta1.networking.antrea.tanzu.vmware.com - - v1beta1.controlplane.antrea.tanzu.vmware.com - - v1alpha1.stats.antrea.tanzu.vmware.com - - v1beta1.system.antrea.tanzu.vmware.com - - v1beta2.controlplane.antrea.tanzu.vmware.com - resources: - - apiservices - verbs: - - delete -- apiGroups: - - admissionregistration.k8s.io - resourceNames: - - labelsmutator.antrea.io - - crdmutator.antrea.io - - crdvalidator.antrea.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: - - get - - update -- apiGroups: - - crd.antrea.io - resources: - - antreacontrollerinfos - verbs: - - get - - create - - update - - delete -- apiGroups: - - crd.antrea.io - resources: - - antreaagentinfos - verbs: - - list - - delete -- apiGroups: - - crd.antrea.io - resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - clusternetworkpolicies/status - - networkpolicies/status - verbs: - - update -- apiGroups: - - crd.antrea.io - resources: - - tiers - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - traceflows - - traceflows/status - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - externalentities - - clustergroups - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - clustergroups/status - verbs: - - update -- apiGroups: - - crd.antrea.io - resources: - - egresses - verbs: - - get - - watch - - list - - update - - patch -- apiGroups: - - crd.antrea.io - resources: - - externalippools - - ippools - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - externalippools/status - - ippools/status - verbs: - - update -- apiGroups: - - apps - resources: - - statefulsets - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: antrea - name: antctl - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: antctl -subjects: -- kind: ServiceAccount - name: antctl - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: antrea - name: antrea-agent -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: antrea-agent -subjects: -- kind: ServiceAccount - name: antrea-agent - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: antrea - name: antrea-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: antrea-controller -subjects: -- kind: ServiceAccount - name: antrea-controller - namespace: kube-system ---- -apiVersion: v1 data: antrea-agent.conf: | # FeatureGates is a map of feature names to bools that enable or disable experimental features. @@ -2790,19 +87,18 @@ data: # Name of the OpenVSwitch bridge antrea-agent will create and use. # Make sure it doesn't conflict with your existing OpenVSwitch bridges. - #ovsBridge: br-int + ovsBridge: "br-int" # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: # - system # - netdev # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run - # OVS in userspace mode (not fully supported yet). Userspace mode requires the tun device driver to - # be available. + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. #ovsDatapathType: system # Name of the interface antrea-agent will create and use for host <--> pod communication. # Make sure it doesn't conflict with your existing interfaces. - #hostGateway: antrea-gw0 + hostGateway: "antrea-gw0" # Determines how traffic is encapsulated. It has the following options: # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network @@ -2814,14 +110,14 @@ data: # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod # IPAM and connectivity to the primary CNI. # - trafficEncapMode: networkPolicyOnly + trafficEncapMode: "networkPolicyOnly" # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never # performs SNAT and this option will be ignored; for other modes it must be set to false. - #noSNAT: false + noSNAT: false # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, # this option will not take effect. Supported values: @@ -2830,7 +126,7 @@ data: # - gre # - stt # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). - #tunnelType: geneve + tunnelType: "geneve" # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. # It has the following options: @@ -2840,7 +136,7 @@ data: # the PSK value must be passed to Antrea Agent through an environment # variable: ANTREA_IPSEC_PSK. # - wireGuard: Enable WireGuard for tunnel traffic encryption. - #trafficEncryptionMode: none + trafficEncryptionMode: "none" # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are @@ -2849,35 +145,40 @@ data: # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. - #enableBridgingMode: false + enableBridgingMode: false # Default MTU to use for the host gateway interface and the network interface of each Pod. # If omitted, antrea-agent will discover the MTU of the Node's primary interface and # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). - #defaultMTU: 0 + defaultMTU: 0 # wireGuard specifies WireGuard related configurations. wireGuard: - # The port for WireGuard to receive traffic. - # port: 51820 + # The port for WireGuard to receive traffic. + port: 51820 egress: - # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. - # exceptCIDRs: [] + # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. + exceptCIDRs: + + # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + serviceCIDR: "" # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. # No default value for this field. - #serviceCIDRv6: + serviceCIDRv6: "" # The port for the antrea-agent APIServer to serve on. # Note that if it's set to another value, the `containerPort` of the `api` port of the # `antrea-agent` container must be set to the same value. - #apiPort: 10350 + apiPort: 10350 # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. - #enablePrometheusMetrics: true + enablePrometheusMetrics: true # Provide the IPFIX collector address as a string with format :[][:]. # HOST can either be the DNS name or the IP of the Flow Collector. For example, @@ -2888,50 +189,50 @@ data: # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and # "udp" protocols. "tls" is used for securing communication between flow exporter and # flow aggregator. - #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" + flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" # Provide flow poll interval as a duration string. This determines how often the # flow exporter dumps connections from the conntrack module. Flow poll interval # should be greater than or equal to 1s (one second). # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #flowPollInterval: "5s" + flowPollInterval: "5s" # Provide the active flow export timeout, which is the timeout after which a flow # record is sent to the collector for active flows. Thus, for flows with a continuous # stream of packets, a flow record will be exported to the collector once the elapsed # time since the last export event is equal to the value of this timeout. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #activeFlowExportTimeout: "30s" + activeFlowExportTimeout: "5s" # Provide the idle flow export timeout, which is the timeout after which a flow # record is sent to the collector for idle flows. A flow is considered idle if no # packet matching this flow has been observed since the last export event. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #idleFlowExportTimeout: "15s" + idleFlowExportTimeout: "15s" nodePortLocal: # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature # gate is also enabled (which is the default). - # enable: false + enable: false # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port # from that range will be assigned whenever a Pod's container defines a specific port to be exposed # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic # directed to that port will be forwarded to the Pod. - # portRange: 61000-62000 + portRange: "61000-62000" # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. - #kubeAPIServerOverride: "" + kubeAPIServerOverride: "" # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. # https://golang.org/pkg/crypto/tls/#pkg-constants # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always # prefer TLS1.3 Cipher Suites whenever possible. - #tlsCipherSuites: + tlsCipherSuites: "" # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - #tlsMinVersion: + tlsMinVersion: "" # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. # If there are multiple IP addresses configured on the interface, the first one is used. The IP @@ -2940,11 +241,11 @@ data: # 1. transportInterface # 2. transportInterfaceCIDRs # 3. The Node IP - #transportInterface: + transportInterface: "" # The names of the interfaces on Nodes that are used to forward multicast traffic. # Defaults to transport interface if not set. - #multicastInterfaces: [] + multicastInterfaces: # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The @@ -2953,7 +254,7 @@ data: # 1. transportInterface # 2. transportInterfaceCIDRs # 3. The Node IP - #transportInterfaceCIDRs: [,] + transportInterfaceCIDRs: # Option antreaProxy contains AntreaProxy related configuration options. antreaProxy: @@ -2962,22 +263,22 @@ data: # feature to be enabled. # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access # apiserver directly. - #proxyAll: false + proxyAll: false # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. # Note that the option is only valid when proxyAll is true. - #nodePortAddresses: [] + nodePortAddresses: # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name # with Namespace (e.g. kube-system/kube-dns) - #skipServices: [] + skipServices: # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. - #proxyLoadBalancerIPs: true + proxyLoadBalancerIPs: true antrea-cni.conflist: | { "cniVersion":"0.3.0", @@ -2988,11 +289,13 @@ data: "ipam": { "type": "host-local" } - }, + } + , { "type": "portmap", "capabilities": {"portMappings": true} - }, + } + , { "type": "bandwidth", "capabilities": {"bandwidth": true} @@ -3030,661 +333,3319 @@ data: # The port for the antrea-controller APIServer to serve on. # Note that if it's set to another value, the `containerPort` of the `api` port of the # `antrea-controller` container must be set to the same value. - #apiPort: 10349 + apiPort: 10349 # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. - #enablePrometheusMetrics: true + enablePrometheusMetrics: true # Indicates whether to use auto-generated self-signed TLS certificate. - # If false, A Secret named "antrea-controller-tls" must be provided with the following keys: + # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: # ca.crt: # tls.crt: # tls.key: - # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the - # antrea-controller container. - #selfSignedCert: true + selfSignedCert: true # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. # https://golang.org/pkg/crypto/tls/#pkg-constants # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always # prefer TLS1.3 Cipher Suites whenever possible. - #tlsCipherSuites: + tlsCipherSuites: "" # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - #tlsMinVersion: + tlsMinVersion: "" nodeIPAM: - # Enable the integrated Node IPAM controller within the Antrea controller. - # enableNodeIPAM: false - - # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. - # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. - # Value ignored when enableNodeIPAM is false. - # clusterCIDRs: [] - - # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. - # Value ignored when enableNodeIPAM is false. - # serviceCIDR: - # serviceCIDRv6: - - # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. - # nodeCIDRMaskSizeIPv4: 24 - - # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. - # nodeCIDRMaskSizeIPv6: 64 -kind: ConfigMap + # Enable the integrated Node IPAM controller within the Antrea controller. + enableNodeIPAM: false + # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. + # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. + # Value ignored when enableNodeIPAM is false. + clusterCIDRs: + # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. + # Value ignored when enableNodeIPAM is false. + serviceCIDR: "" + serviceCIDRv6: "" + # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. + nodeCIDRMaskSizeIPv4: 24 + # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. + nodeCIDRMaskSizeIPv6: 64 +--- +# Source: antrea/templates/crds/antreaagentinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: antreaagentinfos.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of this Agent + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of this Agent + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Node on which this Agent is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of local Pods managed by this Agent + jsonPath: ".localPodNum" + name: Num Pods + type: integer + priority: 2 + - description: Subnets used by this Agent for Pod IPAM + jsonPath: ".nodeSubnets" + name: Subnets + type: string + priority: 2 + scope: Cluster + names: + plural: antreaagentinfos + singular: antreaagentinfo + kind: AntreaAgentInfo + shortNames: + - aai +--- +# Source: antrea/templates/crds/antreacontrollerinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: antreacontrollerinfos.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of the Controller + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of the Controller + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Number of Agents connected to the Controller + jsonPath: ".connectedAgentNum" + name: Connected Agents + type: integer + priority: 1 + - description: Node on which the Controller is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of Network Policies computed by Controller + jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" + name: Num Network Policies + type: integer + priority: 2 + scope: Cluster + names: + plural: antreacontrollerinfos + singular: antreacontrollerinfo + kind: AntreaControllerInfo + shortNames: + - aci +--- +# Source: antrea/templates/crds/clustergroup.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clustergroups.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + - name: v1alpha3 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + service: + name: "antrea" + namespace: "kube-system" + path: "/convert/clustergroup" + scope: Cluster + names: + plural: clustergroups + singular: clustergroup + kind: ClusterGroup + shortNames: + - cg +--- +# Source: antrea/templates/crds/clusternetworkpolicy.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusternetworkpolicies.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this ClusterNetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. + jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + name: + type: string + enableLogging: + type: boolean + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaces: + type: object + properties: + match: + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + fqdn: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + toServices: + type: array + items: + type: object + required: + - name + - namespace + properties: + name: + type: string + namespace: + type: string + name: + type: string + enableLogging: + type: boolean + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + subresources: + status: {} + scope: Cluster + names: + plural: clusternetworkpolicies + singular: clusternetworkpolicy + kind: ClusterNetworkPolicy + shortNames: + - acnp +--- +# Source: antrea/templates/crds/egress.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: egresses.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - appliedTo + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + egressIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + externalIPPool: + type: string + status: + type: object + properties: + egressNode: + type: string + additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. + jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + subresources: + status: {} + scope: Cluster + names: + plural: egresses + singular: egress + kind: Egress + shortNames: + - eg +--- +# Source: antrea/templates/crds/externalentity.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalentities.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + endpoints: + type: array + items: + type: object + properties: + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + name: + type: string + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + name: + type: string + externalNode: + type: string + - name: v1alpha1 + served: false + storage: false + schema: + openAPIV3Schema: + type: object + scope: Namespaced + names: + plural: externalentities + singular: externalentity + kind: ExternalEntity + shortNames: + - ee +--- +# Source: antrea/templates/crds/externalippool.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - ipRanges + - nodeSelector + properties: + ipRanges: + type: array + items: + type: object + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + type: string + format: cidr + start: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + end: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + status: + type: object + properties: + usage: + type: object + properties: + total: + type: integer + used: + type: integer + additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + scope: Cluster + names: + plural: externalippools + singular: externalippool + kind: ExternalIPPool + shortNames: + - eip +--- +# Source: antrea/templates/crds/ippool.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + required: + - ipVersion + - ipRanges + type: object + properties: + ipVersion: + type: integer + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + vlan: + type: integer + minimum: 0 + maximum: 4094 + type: object + type: array + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + name: + type: string + namespace: + type: string + containerID: + type: string + ifName: + type: string + type: object + statefulSet: + properties: + name: + type: string + namespace: + type: string + index: + type: integer + type: object + type: object + phase: + type: string + type: object + type: array + type: object + subresources: + status: {} + scope: Cluster + names: + plural: ippools + singular: ippool + kind: IPPool + shortNames: + - ipp +--- +# Source: antrea/templates/crds/networkpolicy.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networkpolicies.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this Antrea NetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. + jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + name: + type: string + enableLogging: + type: boolean + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + fqdn: + type: string + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + toServices: + type: array + items: + type: object + required: + - name + properties: + name: + type: string + namespace: + type: string + name: + type: string + enableLogging: + type: boolean + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + subresources: + status: {} + scope: Namespaced + names: + plural: networkpolicies + singular: networkpolicy + kind: NetworkPolicy + shortNames: + - anp +--- +# Source: antrea/templates/crds/tier.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tiers.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Priority + type: integer + description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + required: + - priority + type: object + properties: + priority: + type: integer + minimum: 0 + maximum: 255 + description: + type: string + scope: Cluster + names: + plural: tiers + singular: tier + kind: Tier + shortNames: + - tr +--- +# Source: antrea/templates/crds/traceflow.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: traceflows.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .status.phase + description: The phase of the Traceflow. + name: Phase + type: string + - jsonPath: .spec.source.pod + description: The name of the source Pod. + name: Source-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.pod + description: The name of the destination Pod. + name: Destination-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.ip + description: The IP address of the destination. + name: Destination-IP + type: string + priority: 10 + - jsonPath: .spec.liveTraffic + description: Trace live traffic. + name: Live-Traffic + type: boolean + priority: 10 + - jsonPath: .spec.droppedOnly + description: Capture only the dropped packet. + name: Dropped-Only + type: boolean + priority: 10 + - jsonPath: .spec.timeout + description: Timeout in seconds. + name: Timeout + type: integer + priority: 10 + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + properties: + source: + type: object + properties: + pod: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + destination: + type: object + properties: + pod: + type: string + service: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + packet: + type: object + properties: + ipHeader: + type: object + properties: + srcIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + protocol: + type: integer + ttl: + type: integer + flags: + type: integer + ipv6Header: + type: object + properties: + srcIP: + type: string + format: ipv6 + nextHeader: + type: integer + hopLimit: + type: integer + transportHeader: + type: object + properties: + icmp: + type: object + properties: + id: + type: integer + sequence: + type: integer + udp: + type: object + properties: + srcPort: + type: integer + dstPort: + type: integer + tcp: + type: object + properties: + srcPort: + type: integer + dstPort: + type: integer + flags: + type: integer + liveTraffic: + type: boolean + droppedOnly: + type: boolean + timeout: + type: integer + status: + type: object + properties: + reason: + type: string + dataplaneTag: + type: integer + phase: + type: string + startTime: + type: string + results: + type: array + items: + type: object + properties: + node: + type: string + role: + type: string + timestamp: + type: integer + observations: + type: array + items: + type: object + properties: + component: + type: string + componentInfo: + type: string + action: + type: string + pod: + type: string + dstMAC: + type: string + networkPolicy: + type: string + ttl: + type: integer + translatedSrcIP: + type: string + translatedDstIP: + type: string + tunnelDstIP: + type: string + capturedPacket: + properties: + srcIP: + type: string + dstIP: + type: string + length: + type: integer + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + transportHeader: + properties: + tcp: + properties: + dstPort: + type: integer + srcPort: + type: integer + flags: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + type: object + type: object + subresources: + status: {} + scope: Cluster + names: + plural: traceflows + singular: traceflow + kind: Traceflow + shortNames: + - tf +--- +# Source: antrea/templates/agent/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-agent + labels: + app: antrea +rules: + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - nodes/status + verbs: + - patch + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - pods/status + verbs: + - patch + - apiGroups: + - "" + resources: + - endpoints + - services + - namespaces + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - services/status + verbs: + - update + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - get + - create + - update + - delete + - apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - watch + - list + - apiGroups: + - controlplane.antrea.io + resources: + - egressgroups + verbs: + - get + - watch + - list + - apiGroups: + - controlplane.antrea.io + resources: + - nodestatssummaries + verbs: + - create + - apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies/status + verbs: + - create + - get + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + # This is the content of built-in role kube-system/extension-apiserver-authentication-reader. + # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-agent) will + # have permission issue after bumping up apiserver library to a version that supports dynamic authentication. + # See https://github.com/kubernetes/kubernetes/pull/85375 + # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on + # the extension-apiserver-authentication role. + - apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - antrea-ca + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - egresses/status + verbs: + - update + - apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - ippools/status + verbs: + - update + - apiGroups: + - k8s.cni.cncf.io + resources: + - network-attachment-definitions + verbs: + - get + - list + - watch +--- +# Source: antrea/templates/antctl/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antctl + labels: + app: antrea +rules: + - apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - list + - apiGroups: + - stats.antrea.io + resources: + - networkpolicystats + - antreaclusternetworkpolicystats + - antreanetworkpolicystats + verbs: + - get + - list + - apiGroups: + - system.antrea.io + resources: + - controllerinfos + - agentinfos + verbs: + - get + - apiGroups: + - system.antrea.io + resources: + - supportbundles + verbs: + - get + - post + - apiGroups: + - system.antrea.io + resources: + - supportbundles/download + verbs: + - get + - nonResourceURLs: + - /agentinfo + - /addressgroups + - /appliedtogroups + - /loglevel + - /networkpolicies + - /ovsflows + - /ovstracing + - /podinterfaces + - /featuregates + verbs: + - get +--- +# Source: antrea/templates/cluster-identity-reader/clusterrolebinding.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-cluster-identity-reader + labels: + app: antrea +rules: + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - antrea-cluster-identity + verbs: + - get +--- +# Source: antrea/templates/controller/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-controller + labels: + app: antrea +rules: + - apiGroups: + - "" + resources: + - pods + - services + - namespaces + - configmaps + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - patch + - apiGroups: + - "" + resources: + - services/status + verbs: + - update + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - watch + - list + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - update + # This is the content of built-in role kube-system/extension-apiserver-authentication-reader. + # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-controller) will + # have permission issue after bumping up apiserver library to a version that supports dynamic authentication. + # See https://github.com/kubernetes/kubernetes/pull/85375 + # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on + # the extension-apiserver-authentication role. + - apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - antrea-ca + - antrea-cluster-identity + verbs: + - get + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + resourceNames: + - v1alpha1.stats.antrea.io + - v1beta1.system.antrea.io + - v1beta2.controlplane.antrea.io + verbs: + - get + - update + - apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + resourceNames: + - v1beta1.networking.antrea.tanzu.vmware.com + - v1beta1.controlplane.antrea.tanzu.vmware.com + - v1alpha1.stats.antrea.tanzu.vmware.com + - v1beta1.system.antrea.tanzu.vmware.com + - v1beta2.controlplane.antrea.tanzu.vmware.com + verbs: + - delete + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + resourceNames: + # always give permissions for labelsmutator.antrea.io, even when the + # feature is disabled, to avoid errors in antrea-controller when updating + # the CA cert. + - labelsmutator.antrea.io + - crdmutator.antrea.io + - crdvalidator.antrea.io + verbs: + - get + - update + - apiGroups: + - crd.antrea.io + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete + - apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - list + - delete + - apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update + - apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - clustergroups/status + verbs: + - update + - apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list + - update + - patch + - apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - externalippools/status + - ippools/status + verbs: + - update + - apiGroups: + - apps + resources: + - statefulsets + verbs: + - get + - list + - watch +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: + name: aggregate-antrea-policies-edit labels: app: antrea - name: antrea-config-mkbgmf6ct6 - namespace: kube-system + # Add these permissions to the "admin" and "edit" default roles. + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["clusternetworkpolicies", "networkpolicies"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] --- -apiVersion: v1 -kind: Service +# Source: antrea/templates/crds-rbac/clusterroles.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: aggregate-antrea-policies-view + labels: + app: antrea + # Add these permissions to the "view" default role. + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["clusternetworkpolicies", "networkpolicies"] + verbs: ["get", "list", "watch"] +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: aggregate-traceflows-edit + labels: + app: antrea + # Add these permissions to the "admin" and "edit" default roles. + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["traceflows"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 metadata: + name: aggregate-traceflows-view + labels: + app: antrea + # Add these permissions to the "view" default role. + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["traceflows"] + verbs: ["get", "list", "watch"] +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: aggregate-antrea-clustergroups-edit + labels: + app: antrea + # Add these permissions to the "admin" and "edit" default roles. + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["clustergroups"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: aggregate-antrea-clustergroups-view + labels: + app: antrea + # Add these permissions to the "view" default role. + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["clustergroups"] + verbs: ["get", "list", "watch"] +--- +# Source: antrea/templates/agent/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-agent + labels: + app: antrea +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: + - kind: ServiceAccount + name: antrea-agent + namespace: kube-system +--- +# Source: antrea/templates/antctl/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antctl +subjects: + - kind: ServiceAccount + name: antctl + namespace: kube-system +--- +# Source: antrea/templates/controller/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-controller labels: app: antrea +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: + - kind: ServiceAccount + name: antrea-controller + namespace: kube-system +--- +# Source: antrea/templates/controller/service.yaml +apiVersion: v1 +kind: Service +metadata: name: antrea namespace: kube-system + labels: + app: antrea spec: ports: - - port: 443 - protocol: TCP - targetPort: api + - port: 443 + protocol: TCP + targetPort: api selector: app: antrea component: antrea-controller --- +# Source: antrea/templates/agent/daemonset.yaml apiVersion: apps/v1 -kind: Deployment +kind: DaemonSet metadata: + name: antrea-agent + namespace: kube-system labels: app: antrea - component: antrea-controller + component: antrea-agent +spec: + selector: + matchLabels: + app: antrea + component: antrea-agent + updateStrategy: + type: RollingUpdate + template: + metadata: + annotations: + # Starting with v1.21, Kubernetes supports default container annotation. + # Using "kubectl logs/exec/attach/cp" doesn't have to specify "-c antrea-agent" when troubleshooting. + kubectl.kubernetes.io/default-container: antrea-agent + # Automatically restart Pods with a RollingUpdate if the ConfigMap changes + # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments + checksum/config: cb46b22ec258614e4df2cc06aaaba03d2a3ecd008de23288dbdce9cd3cc68647 + labels: + app: antrea + component: antrea-agent + spec: + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + priorityClassName: system-node-critical + nodeSelector: + kubernetes.io/os: linux + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + serviceAccountName: antrea-agent + initContainers: + - name: install-cni + image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest" + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 100m + command: ["install_cni_chaining"] + securityContext: + capabilities: + add: + # SYS_MODULE is required to load the OVS kernel module. + - SYS_MODULE + env: + # SKIP_CNI_BINARIES takes in values as a comma separated list of + # binaries that need to be skipped for installation, e.g. "portmap, bandwidth". + - name: SKIP_CNI_BINARIES + value: "" + volumeMounts: + - name: antrea-config + mountPath: /etc/antrea/antrea-cni.conflist + subPath: antrea-cni.conflist + readOnly: true + - name: host-cni-conf + mountPath: /host/etc/cni/net.d + - name: host-cni-bin + mountPath: /host/opt/cni/bin + # For loading the OVS kernel module. + - name: host-lib-modules + mountPath: /lib/modules + readOnly: true + # For changing the default permissions of the run directory. + - name: host-var-run-antrea + mountPath: /var/run/antrea + containers: + - name: antrea-agent + image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest" + imagePullPolicy: IfNotPresent + command: ["antrea-agent"] + # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).- + args: + - "--config=/etc/antrea/antrea-agent.conf" + - "--logtostderr=false" + - "--log_dir=/var/log/antrea" + - "--alsologtostderr" + - "--log_file_max_size=100" + - "--log_file_max_num=4" + env: + # Provide pod and node information for clusterinformation CRD. + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: "ANTREA_CLOUD_EKS" + value: "true" + resources: + requests: + cpu: 200m + ports: + - containerPort: 10350 + name: api + protocol: TCP + livenessProbe: + exec: + command: + - /bin/sh + - -c + - container_liveness_probe agent + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + failureThreshold: 5 + readinessProbe: + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + # In large-scale clusters, it may take up to 40~50 seconds for the antrea-agent to reconnect to the antrea + # Service after the antrea-controller restarts. The antrea-agent shouldn't be reported as NotReady in this + # scenario, otherwise the DaemonSet controller would restart all agents at once, as opposed to performing a + # rolling update. Set failureThreshold to 8 so it can tolerate 70s of disconnection. + failureThreshold: 8 + securityContext: + # antrea-agent needs to perform sysctl configuration. + privileged: true + volumeMounts: + - name: antrea-config + mountPath: /etc/antrea/antrea-agent.conf + subPath: antrea-agent.conf + readOnly: true + - name: host-var-run-antrea + mountPath: /var/run/antrea + - name: host-var-run-antrea + mountPath: /var/run/openvswitch + subPath: openvswitch + # host-local IPAM stores allocated IP addresses as files in /var/lib/cni/networks/$NETWORK_NAME. + # Mount a sub-directory of host-var-run-antrea to it for persistence of IP allocation. + - name: host-var-run-antrea + mountPath: /var/lib/cni + subPath: cni + # We need to mount both the /proc directory and the /var/run/netns directory so that + # antrea-agent can open the network namespace path when setting up Pod + # networking. Different container runtimes may use /proc or /var/run/netns when invoking + # the CNI commands. Docker uses /proc and containerd uses /var/run/netns. + - name: host-var-log-antrea + mountPath: /var/log/antrea + - name: host-proc + mountPath: /host/proc + readOnly: true + - name: host-var-run-netns + mountPath: /host/var/run/netns + readOnly: true + # When a container is created, a mount point for the network namespace is added under + # /var/run/netns on the host, which needs to be propagated to the antrea-agent container. + mountPropagation: HostToContainer + - name: xtables-lock + mountPath: /run/xtables.lock + - name: antrea-ovs + image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest" + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 200m + command: ["start_ovs"] + args: + - "--log_file_max_size=100" + - "--log_file_max_num=4" + securityContext: + # capabilities required by OVS daemons + capabilities: + add: + - SYS_NICE + - NET_ADMIN + - SYS_ADMIN + - IPC_LOCK + livenessProbe: + exec: + # docker CRI doesn't honor timeoutSeconds, add "timeout" to the command as a workaround. + # https://github.com/kubernetes/kubernetes/issues/51901 + command: + - /bin/sh + - -c + - timeout 10 container_liveness_probe ovs + initialDelaySeconds: 5 + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 5 + volumeMounts: + - name: host-var-run-antrea + mountPath: /var/run/openvswitch + subPath: openvswitch + - name: host-var-log-antrea + mountPath: /var/log/openvswitch + subPath: openvswitch + volumes: + - name: antrea-config + configMap: + name: antrea-config + - name: host-cni-conf + hostPath: + path: /etc/cni/net.d + - name: host-cni-bin + hostPath: + path: /opt/cni/bin + - name: host-proc + hostPath: + path: /proc + - name: host-var-run-netns + hostPath: + path: /var/run/netns + - name: host-var-run-antrea + hostPath: + path: /var/run/antrea + # we use subPath to create run subdirectories for different component (e.g. OVS) and + # subPath requires the base volume to exist + type: DirectoryOrCreate + - name: host-var-log-antrea + hostPath: + path: /var/log/antrea + # we use subPath to create logging subdirectories for different component (e.g. OVS) + type: DirectoryOrCreate + - name: host-lib-modules + hostPath: + path: /lib/modules + - name: xtables-lock + hostPath: + path: /run/xtables.lock + type: FileOrCreate +--- +# Source: antrea/templates/controller/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: name: antrea-controller namespace: kube-system + labels: + app: antrea + component: antrea-controller spec: - replicas: 1 + strategy: + # Ensure the existing Pod is stopped before the new one is created. + type: Recreate selector: matchLabels: app: antrea component: antrea-controller - strategy: - type: Recreate + replicas: 1 template: metadata: + annotations: + # Automatically restart Pod if the ConfigMap changes + # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments + checksum/config: cb46b22ec258614e4df2cc06aaaba03d2a3ecd008de23288dbdce9cd3cc68647 labels: app: antrea component: antrea-controller spec: - containers: - - args: - - --config - - /etc/antrea/antrea-controller.conf - - --logtostderr=false - - --log_dir=/var/log/antrea - - --alsologtostderr - - --log_file_max_size=100 - - --log_file_max_num=4 - - --v=0 - command: - - antrea-controller - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: SERVICEACCOUNT_NAME - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ANTREA_CONFIG_MAP_NAME - value: antrea-config-mkbgmf6ct6 - image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 5 - httpGet: - host: localhost - path: /livez - port: api - scheme: HTTPS - periodSeconds: 10 - timeoutSeconds: 5 - name: antrea-controller - ports: - - containerPort: 10349 - name: api - protocol: TCP - readinessProbe: - failureThreshold: 5 - httpGet: - host: localhost - path: /readyz - port: api - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - resources: - requests: - cpu: 200m - volumeMounts: - - mountPath: /etc/antrea/antrea-controller.conf - name: antrea-config - readOnly: true - subPath: antrea-controller.conf - - mountPath: /var/run/antrea/antrea-controller-tls - name: antrea-controller-tls - - mountPath: /var/log/antrea - name: host-var-log-antrea - hostNetwork: true nodeSelector: kubernetes.io/os: linux + hostNetwork: true priorityClassName: system-cluster-critical - serviceAccountName: antrea-controller tolerations: - - key: CriticalAddonsOnly - operator: Exists - - effect: NoSchedule - key: node-role.kubernetes.io/master + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + serviceAccountName: antrea-controller + containers: + - name: antrea-controller + image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest" + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 200m + command: ["antrea-controller"] + # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work). + args: + - "--config=/etc/antrea/antrea-controller.conf" + - "--logtostderr=false" + - "--log_dir=/var/log/antrea" + - "--alsologtostderr" + - "--log_file_max_size=100" + - "--log_file_max_num=4" + env: + # Provide pod and node information for clusterinformation CRD. + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + # Provide ServiceAccount name for validation webhook. + - name: SERVICEACCOUNT_NAME + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ANTREA_CONFIG_MAP_NAME + value: antrea-config + ports: + - containerPort: 10349 + name: api + protocol: TCP + readinessProbe: + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + failureThreshold: 5 + livenessProbe: + httpGet: + host: localhost + path: /livez + port: api + scheme: HTTPS + timeoutSeconds: 5 + periodSeconds: 10 + failureThreshold: 5 + volumeMounts: + - name: antrea-config + mountPath: /etc/antrea/antrea-controller.conf + subPath: antrea-controller.conf + readOnly: true + - name: antrea-controller-tls + mountPath: /var/run/antrea/antrea-controller-tls + - name: host-var-log-antrea + mountPath: /var/log/antrea volumes: - - configMap: - name: antrea-config-mkbgmf6ct6 - name: antrea-config - - name: antrea-controller-tls - secret: - defaultMode: 256 - optional: true - secretName: antrea-controller-tls - - hostPath: - path: /var/log/antrea - type: DirectoryOrCreate - name: host-var-log-antrea + - name: antrea-config + configMap: + name: antrea-config + # Make it optional as we only read it when selfSignedCert=false. + - name: antrea-controller-tls + secret: + secretName: antrea-controller-tls + defaultMode: 0400 + optional: true + - name: host-var-log-antrea + hostPath: + path: /var/log/antrea + type: DirectoryOrCreate --- +# Source: antrea/templates/controller/apiservices.yaml apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: + name: v1beta2.controlplane.antrea.io labels: app: antrea - name: v1alpha1.stats.antrea.io spec: - group: stats.antrea.io + group: controlplane.antrea.io groupPriorityMinimum: 100 + version: v1beta2 + versionPriority: 100 service: name: antrea namespace: kube-system - version: v1alpha1 - versionPriority: 100 --- +# Source: antrea/templates/controller/apiservices.yaml apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: + name: v1beta1.system.antrea.io labels: app: antrea - name: v1beta1.system.antrea.io spec: group: system.antrea.io groupPriorityMinimum: 100 + version: v1beta1 + versionPriority: 100 service: name: antrea namespace: kube-system - version: v1beta1 - versionPriority: 100 --- +# Source: antrea/templates/controller/apiservices.yaml apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: + name: v1alpha1.stats.antrea.io labels: app: antrea - name: v1beta2.controlplane.antrea.io spec: - group: controlplane.antrea.io + group: stats.antrea.io groupPriorityMinimum: 100 + version: v1alpha1 + versionPriority: 100 service: name: antrea namespace: kube-system - version: v1beta2 - versionPriority: 100 ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - labels: - app: antrea - component: antrea-agent - name: antrea-agent - namespace: kube-system -spec: - selector: - matchLabels: - app: antrea - component: antrea-agent - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: antrea-agent - labels: - app: antrea - component: antrea-agent - spec: - containers: - - args: - - --config - - /etc/antrea/antrea-agent.conf - - --logtostderr=false - - --log_dir=/var/log/antrea - - --alsologtostderr - - --log_file_max_size=100 - - --log_file_max_num=4 - - --v=0 - command: - - antrea-agent - env: - - name: ANTREA_CLOUD_EKS - value: "true" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest - imagePullPolicy: IfNotPresent - livenessProbe: - exec: - command: - - /bin/sh - - -c - - container_liveness_probe agent - failureThreshold: 5 - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - name: antrea-agent - ports: - - containerPort: 10350 - name: api - protocol: TCP - readinessProbe: - failureThreshold: 8 - httpGet: - host: localhost - path: /readyz - port: api - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - resources: - requests: - cpu: 200m - securityContext: - privileged: true - volumeMounts: - - mountPath: /etc/antrea/antrea-agent.conf - name: antrea-config - readOnly: true - subPath: antrea-agent.conf - - mountPath: /var/run/antrea - name: host-var-run-antrea - - mountPath: /var/run/openvswitch - name: host-var-run-antrea - subPath: openvswitch - - mountPath: /var/lib/cni - name: host-var-run-antrea - subPath: cni - - mountPath: /var/log/antrea - name: host-var-log-antrea - - mountPath: /host/proc - name: host-proc - readOnly: true - - mountPath: /host/var/run/netns - mountPropagation: HostToContainer - name: host-var-run-netns - readOnly: true - - mountPath: /run/xtables.lock - name: xtables-lock - - args: - - --log_file_max_size=100 - - --log_file_max_num=4 - command: - - start_ovs - image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest - imagePullPolicy: IfNotPresent - livenessProbe: - exec: - command: - - /bin/sh - - -c - - timeout 10 container_liveness_probe ovs - failureThreshold: 5 - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 10 - name: antrea-ovs - resources: - requests: - cpu: 200m - securityContext: - capabilities: - add: - - SYS_NICE - - NET_ADMIN - - SYS_ADMIN - - IPC_LOCK - volumeMounts: - - mountPath: /var/run/openvswitch - name: host-var-run-antrea - subPath: openvswitch - - mountPath: /var/log/openvswitch - name: host-var-log-antrea - subPath: openvswitch - dnsPolicy: ClusterFirstWithHostNet - hostNetwork: true - initContainers: - - command: - - install_cni_chaining - env: - - name: SKIP_CNI_BINARIES - value: "" - image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest - imagePullPolicy: IfNotPresent - name: install-cni - resources: - requests: - cpu: 100m - securityContext: - capabilities: - add: - - SYS_MODULE - volumeMounts: - - mountPath: /etc/antrea/antrea-cni.conflist - name: antrea-config - readOnly: true - subPath: antrea-cni.conflist - - mountPath: /host/etc/cni/net.d - name: host-cni-conf - - mountPath: /host/opt/cni/bin - name: host-cni-bin - - mountPath: /lib/modules - name: host-lib-modules - readOnly: true - - mountPath: /var/run/antrea - name: host-var-run-antrea - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-node-critical - serviceAccountName: antrea-agent - tolerations: - - key: CriticalAddonsOnly - operator: Exists - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - volumes: - - configMap: - name: antrea-config-mkbgmf6ct6 - name: antrea-config - - hostPath: - path: /etc/cni/net.d - name: host-cni-conf - - hostPath: - path: /opt/cni/bin - name: host-cni-bin - - hostPath: - path: /proc - name: host-proc - - hostPath: - path: /var/run/netns - name: host-var-run-netns - - hostPath: - path: /var/run/antrea - type: DirectoryOrCreate - name: host-var-run-antrea - - hostPath: - path: /var/log/antrea - type: DirectoryOrCreate - name: host-var-log-antrea - - hostPath: - path: /lib/modules - name: host-lib-modules - - hostPath: - path: /run/xtables.lock - type: FileOrCreate - name: xtables-lock - updateStrategy: - type: RollingUpdate --- +# Source: antrea/templates/webhooks/mutating/crdmutator.yaml apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: + name: "crdmutator.antrea.io" labels: app: antrea - name: crdmutator.antrea.io webhooks: -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /mutate/acnp - name: acnpmutator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusternetworkpolicies - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /mutate/anp - name: anpmutator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - networkpolicies - scope: Namespaced - sideEffects: None - timeoutSeconds: 5 + - name: "acnpmutator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/mutate/acnp" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["clusternetworkpolicies"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "anpmutator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/mutate/anp" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["networkpolicies"] + scope: "Namespaced" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 --- +# Source: antrea/templates/webhooks/validating/crdvalidator.yaml apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: + name: "crdvalidator.antrea.io" labels: app: antrea - name: crdvalidator.antrea.io webhooks: -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/tier - name: tiervalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - - DELETE - resources: - - tiers - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/acnp - name: acnpvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusternetworkpolicies - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/anp - name: anpvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - networkpolicies - scope: Namespaced - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/clustergroup - name: clustergroupvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha3 - - v1alpha2 - operations: - - CREATE - - UPDATE - resources: - - clustergroups - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/externalippool - name: externalippoolvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha2 - operations: - - UPDATE - resources: - - externalippools - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/egress - name: egressvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha2 - operations: - - CREATE - - UPDATE - resources: - - egresses - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/ippool - name: ippoolvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha2 - operations: - - CREATE - - UPDATE - - DELETE - resources: - - ippools - scope: Cluster - sideEffects: None - timeoutSeconds: 5 + - name: "tiervalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/tier" + rules: + - operations: ["CREATE", "UPDATE", "DELETE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["tiers"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "acnpvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/acnp" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["clusternetworkpolicies"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "anpvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/anp" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["networkpolicies"] + scope: "Namespaced" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "clustergroupvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/clustergroup" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha3", "v1alpha2"] + resources: ["clustergroups"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "externalippoolvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/externalippool" + rules: + - operations: ["UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha2"] + resources: ["externalippools"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "egressvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/egress" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha2"] + resources: ["egresses"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "ippoolvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/ippool" + rules: + - operations: ["CREATE", "UPDATE", "DELETE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha2"] + resources: ["ippools"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml index 74e3af5e291..07b09802c4c 100644 --- a/build/yamls/antrea-gke.yml +++ b/build/yamls/antrea-gke.yml @@ -1,2742 +1,39 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition +--- +# Source: antrea/templates/agent/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount metadata: + name: antrea-agent + namespace: kube-system labels: app: antrea - name: antreaagentinfos.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: AntreaAgentInfo - plural: antreaagentinfos - shortNames: - - aai - singular: antreaagentinfo - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Health status of this Agent - jsonPath: .agentConditions[?(@.type=='AgentHealthy')].status - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: .agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime - name: Last Heartbeat - type: date - - description: Version of this Agent - jsonPath: .version - name: Version - priority: 1 - type: string - - description: Node on which this Agent is running - jsonPath: .nodeRef.name - name: Node - priority: 1 - type: string - - description: Number of local Pods managed by this Agent - jsonPath: .localPodNum - name: Num Pods - priority: 2 - type: integer - - description: Subnets used by this Agent for Pod IPAM - jsonPath: .nodeSubnets - name: Subnets - priority: 2 - type: string - name: v1beta1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true --- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition +# Source: antrea/templates/antctl/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount metadata: + name: antctl + namespace: kube-system labels: app: antrea - name: antreacontrollerinfos.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: AntreaControllerInfo - plural: antreacontrollerinfos - shortNames: - - aci - singular: antreacontrollerinfo - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Health status of the Controller - jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].status - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime - name: Last Heartbeat - type: date - - description: Version of the Controller - jsonPath: .version - name: Version - priority: 1 - type: string - - description: Number of Agents connected to the Controller - jsonPath: .connectedAgentNum - name: Connected Agents - priority: 1 - type: integer - - description: Node on which the Controller is running - jsonPath: .nodeRef.name - name: Node - priority: 1 - type: string - - description: Number of Network Policies computed by Controller - jsonPath: .networkPolicyControllerInfo.networkPolicyNum - name: Num Network Policies - priority: 2 - type: integer - name: v1beta1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true --- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition +# Source: antrea/templates/controller/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount metadata: + name: antrea-controller + namespace: kube-system labels: app: antrea - name: clustergroups.crd.antrea.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: antrea - namespace: kube-system - path: /convert/clustergroup - conversionReviewVersions: - - v1 - - v1beta1 - group: crd.antrea.io - names: - kind: ClusterGroup - plural: clustergroups - shortNames: - - cg - singular: clustergroup - scope: Cluster - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - childGroups: - items: - type: string - type: array - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - ipBlocks: - items: - properties: - cidr: - format: cidr - type: string - type: object - type: array - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceReference: - properties: - name: - type: string - namespace: - type: string - type: object - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - type: string - status: - type: string - type: - type: string - type: object - type: array - type: object - type: object - served: true - storage: false - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - properties: - childGroups: - items: - type: string - type: array - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - ipBlocks: - items: - properties: - cidr: - format: cidr - type: string - type: object - type: array - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceReference: - properties: - name: - type: string - namespace: - type: string - type: object - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - type: string - status: - type: string - type: - type: string - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} --- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition +# Source: antrea/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap metadata: + name: antrea-config + namespace: kube-system labels: app: antrea - name: clusternetworkpolicies.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ClusterNetworkPolicy - plural: clusternetworkpolicies - shortNames: - - acnp - singular: clusternetworkpolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The Tier to which this ClusterNetworkPolicy belongs to. - jsonPath: .spec.tier - name: Tier - type: string - - description: The Priority of this ClusterNetworkPolicy relative to other policies. - format: float - jsonPath: .spec.priority - name: Priority - type: number - - description: The total number of Nodes that should realize the NetworkPolicy. - format: int32 - jsonPath: .status.desiredNodesRealized - name: Desired Nodes - type: number - - description: The number of Nodes that have realized the NetworkPolicy. - format: int32 - jsonPath: .status.currentNodesRealized - name: Current Nodes - type: number - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceAccount: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - type: array - egress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceAccount: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - type: array - enableLogging: - type: boolean - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string - type: object - type: array - to: - items: - properties: - fqdn: - type: string - group: - type: string - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: - properties: - match: - type: string - type: object - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceAccount: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - type: array - toServices: - items: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: array - required: - - action - type: object - type: array - ingress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceAccount: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - type: array - enableLogging: - type: boolean - from: - items: - properties: - group: - type: string - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: - properties: - match: - enum: - - Self - type: string - type: object - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceAccount: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - type: array - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string - type: object - type: array - required: - - action - type: object - type: array - priority: - format: float - maximum: 10000 - minimum: 1 - type: number - tier: - type: string - required: - - priority - type: object - status: - properties: - currentNodesRealized: - type: integer - desiredNodesRealized: - type: integer - observedGeneration: - type: integer - phase: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: egresses.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Egress - plural: egresses - shortNames: - - eg - singular: egress - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Specifies the SNAT IP address for the selected workloads. - jsonPath: .spec.egressIP - name: EgressIP - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The Owner Node of egress IP - jsonPath: .status.egressNode - name: Node - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - anyOf: - - required: - - egressIP - - required: - - externalIPPool - properties: - appliedTo: - properties: - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - egressIP: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - externalIPPool: - type: string - required: - - appliedTo - type: object - status: - properties: - egressNode: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalentities.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ExternalEntity - plural: externalentities - shortNames: - - ee - singular: externalentity - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - endpoints: - items: - properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - name: - type: string - type: object - type: array - externalNode: - type: string - ports: - items: - properties: - name: - type: string - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string - type: object - type: array - type: object - type: object - served: true - storage: true - - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - served: false - storage: false ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalippools.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ExternalIPPool - plural: externalippools - shortNames: - - eip - singular: externalippool - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of allocated IPs - jsonPath: .status.usage.used - name: Used - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - ipRanges: - items: - oneOf: - - required: - - cidr - - required: - - start - - end - properties: - cidr: - format: cidr - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - start: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - type: object - type: array - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - required: - - ipRanges - - nodeSelector - type: object - status: - properties: - usage: - properties: - total: - type: integer - used: - type: integer - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: ippools.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: IPPool - plural: ippools - shortNames: - - ipp - singular: ippool - scope: Cluster - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - ipRanges: - items: - oneOf: - - required: - - cidr - - gateway - - prefixLength - - required: - - start - - end - - gateway - - prefixLength - properties: - cidr: - format: cidr - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - gateway: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - prefixLength: - type: integer - start: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - vlan: - maximum: 4094 - minimum: 0 - type: integer - type: object - type: array - ipVersion: - type: integer - required: - - ipVersion - - ipRanges - type: object - status: - properties: - ipAddresses: - items: - properties: - ipAddress: - type: string - owner: - properties: - pod: - properties: - containerID: - type: string - ifName: - type: string - name: - type: string - namespace: - type: string - type: object - statefulSet: - properties: - index: - type: integer - name: - type: string - namespace: - type: string - type: object - type: object - phase: - type: string - type: object - type: array - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: networkpolicies.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: NetworkPolicy - plural: networkpolicies - shortNames: - - anp - singular: networkpolicy - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The Tier to which this Antrea NetworkPolicy belongs to. - jsonPath: .spec.tier - name: Tier - type: string - - description: The Priority of this Antrea NetworkPolicy relative to other policies. - format: float - jsonPath: .spec.priority - name: Priority - type: number - - description: The total number of Nodes that should realize the NetworkPolicy. - format: int32 - jsonPath: .status.desiredNodesRealized - name: Desired Nodes - type: number - - description: The number of Nodes that have realized the NetworkPolicy. - format: int32 - jsonPath: .status.currentNodesRealized - name: Current Nodes - type: number - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - egress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - enableLogging: - type: boolean - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string - type: object - type: array - to: - items: - properties: - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - fqdn: - type: string - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - toServices: - items: - properties: - name: - type: string - namespace: - type: string - required: - - name - type: object - type: array - required: - - action - type: object - type: array - ingress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - enableLogging: - type: boolean - from: - items: - properties: - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string - type: object - type: array - required: - - action - type: object - type: array - priority: - format: float - maximum: 10000 - minimum: 1 - type: number - tier: - type: string - required: - - priority - type: object - status: - properties: - currentNodesRealized: - type: integer - desiredNodesRealized: - type: integer - observedGeneration: - type: integer - phase: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: tiers.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Tier - plural: tiers - shortNames: - - tr - singular: tier - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The Priority of this Tier relative to other Tiers. - jsonPath: .spec.priority - name: Priority - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - description: - type: string - priority: - maximum: 255 - minimum: 0 - type: integer - required: - - priority - type: object - type: object - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: traceflows.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Traceflow - plural: traceflows - shortNames: - - tf - singular: traceflow - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The phase of the Traceflow. - jsonPath: .status.phase - name: Phase - type: string - - description: The name of the source Pod. - jsonPath: .spec.source.pod - name: Source-Pod - priority: 10 - type: string - - description: The name of the destination Pod. - jsonPath: .spec.destination.pod - name: Destination-Pod - priority: 10 - type: string - - description: The IP address of the destination. - jsonPath: .spec.destination.ip - name: Destination-IP - priority: 10 - type: string - - description: Trace live traffic. - jsonPath: .spec.liveTraffic - name: Live-Traffic - priority: 10 - type: boolean - - description: Capture only the dropped packet. - jsonPath: .spec.droppedOnly - name: Dropped-Only - priority: 10 - type: boolean - - description: Timeout in seconds. - jsonPath: .spec.timeout - name: Timeout - priority: 10 - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - destination: - properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - namespace: - type: string - pod: - type: string - service: - type: string - type: object - droppedOnly: - type: boolean - liveTraffic: - type: boolean - packet: - properties: - ipHeader: - properties: - flags: - type: integer - protocol: - type: integer - srcIP: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - ttl: - type: integer - type: object - ipv6Header: - properties: - hopLimit: - type: integer - nextHeader: - type: integer - srcIP: - format: ipv6 - type: string - type: object - transportHeader: - properties: - icmp: - properties: - id: - type: integer - sequence: - type: integer - type: object - tcp: - properties: - dstPort: - type: integer - flags: - type: integer - srcPort: - type: integer - type: object - udp: - properties: - dstPort: - type: integer - srcPort: - type: integer - type: object - type: object - type: object - source: - properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - namespace: - type: string - pod: - type: string - type: object - timeout: - type: integer - type: object - status: - properties: - capturedPacket: - properties: - dstIP: - type: string - ipHeader: - properties: - flags: - type: integer - protocol: - type: integer - ttl: - type: integer - type: object - ipv6Header: - properties: - hopLimit: - type: integer - nextHeader: - type: integer - type: object - length: - type: integer - srcIP: - type: string - transportHeader: - properties: - icmp: - properties: - id: - type: integer - sequence: - type: integer - type: object - tcp: - properties: - dstPort: - type: integer - flags: - type: integer - srcPort: - type: integer - type: object - udp: - properties: - dstPort: - type: integer - srcPort: - type: integer - type: object - type: object - type: object - dataplaneTag: - type: integer - phase: - type: string - reason: - type: string - results: - items: - properties: - node: - type: string - observations: - items: - properties: - action: - type: string - component: - type: string - componentInfo: - type: string - dstMAC: - type: string - networkPolicy: - type: string - pod: - type: string - translatedDstIP: - type: string - translatedSrcIP: - type: string - ttl: - type: integer - tunnelDstIP: - type: string - type: object - type: array - role: - type: string - timestamp: - type: integer - type: object - type: array - startTime: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: antrea - name: antctl - namespace: kube-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: antrea - name: antrea-agent - namespace: kube-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: antrea - name: antrea-controller - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: aggregate-antrea-clustergroups-edit -rules: -- apiGroups: - - crd.antrea.io - resources: - - clustergroups - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: aggregate-antrea-clustergroups-view -rules: -- apiGroups: - - crd.antrea.io - resources: - - clustergroups - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: aggregate-antrea-policies-edit -rules: -- apiGroups: - - crd.antrea.io - resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: aggregate-antrea-policies-view -rules: -- apiGroups: - - crd.antrea.io - resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: aggregate-traceflows-edit -rules: -- apiGroups: - - crd.antrea.io - resources: - - traceflows - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: aggregate-traceflows-view -rules: -- apiGroups: - - crd.antrea.io - resources: - - traceflows - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antctl -rules: -- apiGroups: - - controlplane.antrea.io - resources: - - networkpolicies - - appliedtogroups - - addressgroups - verbs: - - get - - list -- apiGroups: - - stats.antrea.io - resources: - - networkpolicystats - - antreaclusternetworkpolicystats - - antreanetworkpolicystats - verbs: - - get - - list -- apiGroups: - - system.antrea.io - resources: - - controllerinfos - - agentinfos - verbs: - - get -- apiGroups: - - system.antrea.io - resources: - - supportbundles - verbs: - - get - - post -- apiGroups: - - system.antrea.io - resources: - - supportbundles/download - verbs: - - get -- nonResourceURLs: - - /agentinfo - - /addressgroups - - /appliedtogroups - - /loglevel - - /networkpolicies - - /ovsflows - - /ovstracing - - /podinterfaces - - /featuregates - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antrea-agent -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - nodes/status - verbs: - - patch -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - pods/status - verbs: - - patch -- apiGroups: - - "" - resources: - - endpoints - - services - - namespaces - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - services/status - verbs: - - update -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - antreaagentinfos - verbs: - - get - - create - - update - - delete -- apiGroups: - - controlplane.antrea.io - resources: - - networkpolicies - - appliedtogroups - - addressgroups - verbs: - - get - - watch - - list -- apiGroups: - - controlplane.antrea.io - resources: - - egressgroups - verbs: - - get - - watch - - list -- apiGroups: - - controlplane.antrea.io - resources: - - nodestatssummaries - verbs: - - create -- apiGroups: - - controlplane.antrea.io - resources: - - networkpolicies/status - verbs: - - create - - get -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - "" - resourceNames: - - extension-apiserver-authentication - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - "" - resourceNames: - - antrea-ca - resources: - - configmaps - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - traceflows - - traceflows/status - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - egresses - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - egresses/status - verbs: - - update -- apiGroups: - - crd.antrea.io - resources: - - externalippools - - ippools - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - ippools/status - verbs: - - update -- apiGroups: - - k8s.cni.cncf.io - resources: - - network-attachment-definitions - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antrea-cluster-identity-reader -rules: -- apiGroups: - - "" - resourceNames: - - antrea-cluster-identity - resources: - - configmaps - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antrea-controller -rules: -- apiGroups: - - "" - resources: - - pods - - services - - namespaces - - configmaps - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - watch - - list - - patch -- apiGroups: - - "" - resources: - - services/status - verbs: - - update -- apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - get - - watch - - list -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - update -- apiGroups: - - "" - resourceNames: - - extension-apiserver-authentication - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - "" - resourceNames: - - antrea-ca - - antrea-cluster-identity - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create -- apiGroups: - - apiregistration.k8s.io - resourceNames: - - v1alpha1.stats.antrea.io - - v1beta1.system.antrea.io - - v1beta2.controlplane.antrea.io - resources: - - apiservices - verbs: - - get - - update -- apiGroups: - - apiregistration.k8s.io - resourceNames: - - v1beta1.networking.antrea.tanzu.vmware.com - - v1beta1.controlplane.antrea.tanzu.vmware.com - - v1alpha1.stats.antrea.tanzu.vmware.com - - v1beta1.system.antrea.tanzu.vmware.com - - v1beta2.controlplane.antrea.tanzu.vmware.com - resources: - - apiservices - verbs: - - delete -- apiGroups: - - admissionregistration.k8s.io - resourceNames: - - labelsmutator.antrea.io - - crdmutator.antrea.io - - crdvalidator.antrea.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: - - get - - update -- apiGroups: - - crd.antrea.io - resources: - - antreacontrollerinfos - verbs: - - get - - create - - update - - delete -- apiGroups: - - crd.antrea.io - resources: - - antreaagentinfos - verbs: - - list - - delete -- apiGroups: - - crd.antrea.io - resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - clusternetworkpolicies/status - - networkpolicies/status - verbs: - - update -- apiGroups: - - crd.antrea.io - resources: - - tiers - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - traceflows - - traceflows/status - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - externalentities - - clustergroups - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - clustergroups/status - verbs: - - update -- apiGroups: - - crd.antrea.io - resources: - - egresses - verbs: - - get - - watch - - list - - update - - patch -- apiGroups: - - crd.antrea.io - resources: - - externalippools - - ippools - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - externalippools/status - - ippools/status - verbs: - - update -- apiGroups: - - apps - resources: - - statefulsets - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: antrea - name: antctl - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: antctl -subjects: -- kind: ServiceAccount - name: antctl - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: antrea - name: antrea-agent -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: antrea-agent -subjects: -- kind: ServiceAccount - name: antrea-agent - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: antrea - name: antrea-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: antrea-controller -subjects: -- kind: ServiceAccount - name: antrea-controller - namespace: kube-system ---- -apiVersion: v1 data: antrea-agent.conf: | # FeatureGates is a map of feature names to bools that enable or disable experimental features. @@ -2790,19 +87,18 @@ data: # Name of the OpenVSwitch bridge antrea-agent will create and use. # Make sure it doesn't conflict with your existing OpenVSwitch bridges. - #ovsBridge: br-int + ovsBridge: "br-int" # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: # - system # - netdev # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run - # OVS in userspace mode (not fully supported yet). Userspace mode requires the tun device driver to - # be available. + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. #ovsDatapathType: system # Name of the interface antrea-agent will create and use for host <--> pod communication. # Make sure it doesn't conflict with your existing interfaces. - #hostGateway: antrea-gw0 + hostGateway: "antrea-gw0" # Determines how traffic is encapsulated. It has the following options: # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network @@ -2814,14 +110,14 @@ data: # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod # IPAM and connectivity to the primary CNI. # - trafficEncapMode: noEncap + trafficEncapMode: "noEncap" # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never # performs SNAT and this option will be ignored; for other modes it must be set to false. - #noSNAT: false + noSNAT: false # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, # this option will not take effect. Supported values: @@ -2830,7 +126,7 @@ data: # - gre # - stt # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). - #tunnelType: geneve + tunnelType: "geneve" # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. # It has the following options: @@ -2840,7 +136,7 @@ data: # the PSK value must be passed to Antrea Agent through an environment # variable: ANTREA_IPSEC_PSK. # - wireGuard: Enable WireGuard for tunnel traffic encryption. - #trafficEncryptionMode: none + trafficEncryptionMode: "none" # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are @@ -2849,35 +145,40 @@ data: # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. - #enableBridgingMode: false + enableBridgingMode: false # Default MTU to use for the host gateway interface and the network interface of each Pod. # If omitted, antrea-agent will discover the MTU of the Node's primary interface and # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). - #defaultMTU: 0 + defaultMTU: 0 # wireGuard specifies WireGuard related configurations. wireGuard: - # The port for WireGuard to receive traffic. - # port: 51820 + # The port for WireGuard to receive traffic. + port: 51820 egress: - # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. - # exceptCIDRs: [] + # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. + exceptCIDRs: + + # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + serviceCIDR: "" # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. # No default value for this field. - #serviceCIDRv6: + serviceCIDRv6: "" # The port for the antrea-agent APIServer to serve on. # Note that if it's set to another value, the `containerPort` of the `api` port of the # `antrea-agent` container must be set to the same value. - #apiPort: 10350 + apiPort: 10350 # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. - #enablePrometheusMetrics: true + enablePrometheusMetrics: true # Provide the IPFIX collector address as a string with format :[][:]. # HOST can either be the DNS name or the IP of the Flow Collector. For example, @@ -2888,50 +189,50 @@ data: # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and # "udp" protocols. "tls" is used for securing communication between flow exporter and # flow aggregator. - #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" + flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" # Provide flow poll interval as a duration string. This determines how often the # flow exporter dumps connections from the conntrack module. Flow poll interval # should be greater than or equal to 1s (one second). # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #flowPollInterval: "5s" + flowPollInterval: "5s" # Provide the active flow export timeout, which is the timeout after which a flow # record is sent to the collector for active flows. Thus, for flows with a continuous # stream of packets, a flow record will be exported to the collector once the elapsed # time since the last export event is equal to the value of this timeout. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #activeFlowExportTimeout: "30s" + activeFlowExportTimeout: "5s" # Provide the idle flow export timeout, which is the timeout after which a flow # record is sent to the collector for idle flows. A flow is considered idle if no # packet matching this flow has been observed since the last export event. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #idleFlowExportTimeout: "15s" + idleFlowExportTimeout: "15s" nodePortLocal: # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature # gate is also enabled (which is the default). - # enable: false + enable: false # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port # from that range will be assigned whenever a Pod's container defines a specific port to be exposed # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic # directed to that port will be forwarded to the Pod. - # portRange: 61000-62000 + portRange: "61000-62000" # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. - #kubeAPIServerOverride: "" + kubeAPIServerOverride: "" # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. # https://golang.org/pkg/crypto/tls/#pkg-constants # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always # prefer TLS1.3 Cipher Suites whenever possible. - #tlsCipherSuites: + tlsCipherSuites: "" # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - #tlsMinVersion: + tlsMinVersion: "" # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. # If there are multiple IP addresses configured on the interface, the first one is used. The IP @@ -2940,11 +241,11 @@ data: # 1. transportInterface # 2. transportInterfaceCIDRs # 3. The Node IP - #transportInterface: + transportInterface: "" # The names of the interfaces on Nodes that are used to forward multicast traffic. # Defaults to transport interface if not set. - #multicastInterfaces: [] + multicastInterfaces: # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The @@ -2953,7 +254,7 @@ data: # 1. transportInterface # 2. transportInterfaceCIDRs # 3. The Node IP - #transportInterfaceCIDRs: [,] + transportInterfaceCIDRs: # Option antreaProxy contains AntreaProxy related configuration options. antreaProxy: @@ -2962,22 +263,22 @@ data: # feature to be enabled. # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access # apiserver directly. - #proxyAll: false + proxyAll: false # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. # Note that the option is only valid when proxyAll is true. - #nodePortAddresses: [] + nodePortAddresses: # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name # with Namespace (e.g. kube-system/kube-dns) - #skipServices: [] + skipServices: # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. - #proxyLoadBalancerIPs: true + proxyLoadBalancerIPs: true antrea-cni.conflist: | { "cniVersion":"0.3.0", @@ -2988,11 +289,13 @@ data: "ipam": { "type": "host-local" } - }, + } + , { "type": "portmap", "capabilities": {"portMappings": true} - }, + } + , { "type": "bandwidth", "capabilities": {"bandwidth": true} @@ -3030,659 +333,3317 @@ data: # The port for the antrea-controller APIServer to serve on. # Note that if it's set to another value, the `containerPort` of the `api` port of the # `antrea-controller` container must be set to the same value. - #apiPort: 10349 + apiPort: 10349 # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. - #enablePrometheusMetrics: true + enablePrometheusMetrics: true # Indicates whether to use auto-generated self-signed TLS certificate. - # If false, A Secret named "antrea-controller-tls" must be provided with the following keys: + # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: # ca.crt: # tls.crt: # tls.key: - # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the - # antrea-controller container. - #selfSignedCert: true + selfSignedCert: true # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. # https://golang.org/pkg/crypto/tls/#pkg-constants # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always # prefer TLS1.3 Cipher Suites whenever possible. - #tlsCipherSuites: + tlsCipherSuites: "" # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - #tlsMinVersion: + tlsMinVersion: "" nodeIPAM: - # Enable the integrated Node IPAM controller within the Antrea controller. - # enableNodeIPAM: false - - # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. - # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. - # Value ignored when enableNodeIPAM is false. - # clusterCIDRs: [] - - # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. - # Value ignored when enableNodeIPAM is false. - # serviceCIDR: - # serviceCIDRv6: - - # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. - # nodeCIDRMaskSizeIPv4: 24 - - # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. - # nodeCIDRMaskSizeIPv6: 64 -kind: ConfigMap + # Enable the integrated Node IPAM controller within the Antrea controller. + enableNodeIPAM: false + # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. + # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. + # Value ignored when enableNodeIPAM is false. + clusterCIDRs: + # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. + # Value ignored when enableNodeIPAM is false. + serviceCIDR: "" + serviceCIDRv6: "" + # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. + nodeCIDRMaskSizeIPv4: 24 + # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. + nodeCIDRMaskSizeIPv6: 64 +--- +# Source: antrea/templates/crds/antreaagentinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: antreaagentinfos.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of this Agent + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of this Agent + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Node on which this Agent is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of local Pods managed by this Agent + jsonPath: ".localPodNum" + name: Num Pods + type: integer + priority: 2 + - description: Subnets used by this Agent for Pod IPAM + jsonPath: ".nodeSubnets" + name: Subnets + type: string + priority: 2 + scope: Cluster + names: + plural: antreaagentinfos + singular: antreaagentinfo + kind: AntreaAgentInfo + shortNames: + - aai +--- +# Source: antrea/templates/crds/antreacontrollerinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: antreacontrollerinfos.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of the Controller + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of the Controller + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Number of Agents connected to the Controller + jsonPath: ".connectedAgentNum" + name: Connected Agents + type: integer + priority: 1 + - description: Node on which the Controller is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of Network Policies computed by Controller + jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" + name: Num Network Policies + type: integer + priority: 2 + scope: Cluster + names: + plural: antreacontrollerinfos + singular: antreacontrollerinfo + kind: AntreaControllerInfo + shortNames: + - aci +--- +# Source: antrea/templates/crds/clustergroup.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clustergroups.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + - name: v1alpha3 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + service: + name: "antrea" + namespace: "kube-system" + path: "/convert/clustergroup" + scope: Cluster + names: + plural: clustergroups + singular: clustergroup + kind: ClusterGroup + shortNames: + - cg +--- +# Source: antrea/templates/crds/clusternetworkpolicy.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusternetworkpolicies.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this ClusterNetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. + jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + name: + type: string + enableLogging: + type: boolean + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaces: + type: object + properties: + match: + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + fqdn: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + toServices: + type: array + items: + type: object + required: + - name + - namespace + properties: + name: + type: string + namespace: + type: string + name: + type: string + enableLogging: + type: boolean + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + subresources: + status: {} + scope: Cluster + names: + plural: clusternetworkpolicies + singular: clusternetworkpolicy + kind: ClusterNetworkPolicy + shortNames: + - acnp +--- +# Source: antrea/templates/crds/egress.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: egresses.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - appliedTo + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + egressIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + externalIPPool: + type: string + status: + type: object + properties: + egressNode: + type: string + additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. + jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + subresources: + status: {} + scope: Cluster + names: + plural: egresses + singular: egress + kind: Egress + shortNames: + - eg +--- +# Source: antrea/templates/crds/externalentity.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalentities.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + endpoints: + type: array + items: + type: object + properties: + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + name: + type: string + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + name: + type: string + externalNode: + type: string + - name: v1alpha1 + served: false + storage: false + schema: + openAPIV3Schema: + type: object + scope: Namespaced + names: + plural: externalentities + singular: externalentity + kind: ExternalEntity + shortNames: + - ee +--- +# Source: antrea/templates/crds/externalippool.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - ipRanges + - nodeSelector + properties: + ipRanges: + type: array + items: + type: object + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + type: string + format: cidr + start: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + end: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + status: + type: object + properties: + usage: + type: object + properties: + total: + type: integer + used: + type: integer + additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + scope: Cluster + names: + plural: externalippools + singular: externalippool + kind: ExternalIPPool + shortNames: + - eip +--- +# Source: antrea/templates/crds/ippool.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + required: + - ipVersion + - ipRanges + type: object + properties: + ipVersion: + type: integer + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + vlan: + type: integer + minimum: 0 + maximum: 4094 + type: object + type: array + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + name: + type: string + namespace: + type: string + containerID: + type: string + ifName: + type: string + type: object + statefulSet: + properties: + name: + type: string + namespace: + type: string + index: + type: integer + type: object + type: object + phase: + type: string + type: object + type: array + type: object + subresources: + status: {} + scope: Cluster + names: + plural: ippools + singular: ippool + kind: IPPool + shortNames: + - ipp +--- +# Source: antrea/templates/crds/networkpolicy.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networkpolicies.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this Antrea NetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. + jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + name: + type: string + enableLogging: + type: boolean + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + fqdn: + type: string + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + toServices: + type: array + items: + type: object + required: + - name + properties: + name: + type: string + namespace: + type: string + name: + type: string + enableLogging: + type: boolean + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + subresources: + status: {} + scope: Namespaced + names: + plural: networkpolicies + singular: networkpolicy + kind: NetworkPolicy + shortNames: + - anp +--- +# Source: antrea/templates/crds/tier.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tiers.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Priority + type: integer + description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + required: + - priority + type: object + properties: + priority: + type: integer + minimum: 0 + maximum: 255 + description: + type: string + scope: Cluster + names: + plural: tiers + singular: tier + kind: Tier + shortNames: + - tr +--- +# Source: antrea/templates/crds/traceflow.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: traceflows.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .status.phase + description: The phase of the Traceflow. + name: Phase + type: string + - jsonPath: .spec.source.pod + description: The name of the source Pod. + name: Source-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.pod + description: The name of the destination Pod. + name: Destination-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.ip + description: The IP address of the destination. + name: Destination-IP + type: string + priority: 10 + - jsonPath: .spec.liveTraffic + description: Trace live traffic. + name: Live-Traffic + type: boolean + priority: 10 + - jsonPath: .spec.droppedOnly + description: Capture only the dropped packet. + name: Dropped-Only + type: boolean + priority: 10 + - jsonPath: .spec.timeout + description: Timeout in seconds. + name: Timeout + type: integer + priority: 10 + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + properties: + source: + type: object + properties: + pod: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + destination: + type: object + properties: + pod: + type: string + service: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + packet: + type: object + properties: + ipHeader: + type: object + properties: + srcIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + protocol: + type: integer + ttl: + type: integer + flags: + type: integer + ipv6Header: + type: object + properties: + srcIP: + type: string + format: ipv6 + nextHeader: + type: integer + hopLimit: + type: integer + transportHeader: + type: object + properties: + icmp: + type: object + properties: + id: + type: integer + sequence: + type: integer + udp: + type: object + properties: + srcPort: + type: integer + dstPort: + type: integer + tcp: + type: object + properties: + srcPort: + type: integer + dstPort: + type: integer + flags: + type: integer + liveTraffic: + type: boolean + droppedOnly: + type: boolean + timeout: + type: integer + status: + type: object + properties: + reason: + type: string + dataplaneTag: + type: integer + phase: + type: string + startTime: + type: string + results: + type: array + items: + type: object + properties: + node: + type: string + role: + type: string + timestamp: + type: integer + observations: + type: array + items: + type: object + properties: + component: + type: string + componentInfo: + type: string + action: + type: string + pod: + type: string + dstMAC: + type: string + networkPolicy: + type: string + ttl: + type: integer + translatedSrcIP: + type: string + translatedDstIP: + type: string + tunnelDstIP: + type: string + capturedPacket: + properties: + srcIP: + type: string + dstIP: + type: string + length: + type: integer + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + transportHeader: + properties: + tcp: + properties: + dstPort: + type: integer + srcPort: + type: integer + flags: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + type: object + type: object + subresources: + status: {} + scope: Cluster + names: + plural: traceflows + singular: traceflow + kind: Traceflow + shortNames: + - tf +--- +# Source: antrea/templates/agent/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-agent + labels: + app: antrea +rules: + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - nodes/status + verbs: + - patch + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - pods/status + verbs: + - patch + - apiGroups: + - "" + resources: + - endpoints + - services + - namespaces + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - services/status + verbs: + - update + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - get + - create + - update + - delete + - apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - watch + - list + - apiGroups: + - controlplane.antrea.io + resources: + - egressgroups + verbs: + - get + - watch + - list + - apiGroups: + - controlplane.antrea.io + resources: + - nodestatssummaries + verbs: + - create + - apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies/status + verbs: + - create + - get + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + # This is the content of built-in role kube-system/extension-apiserver-authentication-reader. + # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-agent) will + # have permission issue after bumping up apiserver library to a version that supports dynamic authentication. + # See https://github.com/kubernetes/kubernetes/pull/85375 + # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on + # the extension-apiserver-authentication role. + - apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - antrea-ca + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - egresses/status + verbs: + - update + - apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - ippools/status + verbs: + - update + - apiGroups: + - k8s.cni.cncf.io + resources: + - network-attachment-definitions + verbs: + - get + - list + - watch +--- +# Source: antrea/templates/antctl/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antctl + labels: + app: antrea +rules: + - apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - list + - apiGroups: + - stats.antrea.io + resources: + - networkpolicystats + - antreaclusternetworkpolicystats + - antreanetworkpolicystats + verbs: + - get + - list + - apiGroups: + - system.antrea.io + resources: + - controllerinfos + - agentinfos + verbs: + - get + - apiGroups: + - system.antrea.io + resources: + - supportbundles + verbs: + - get + - post + - apiGroups: + - system.antrea.io + resources: + - supportbundles/download + verbs: + - get + - nonResourceURLs: + - /agentinfo + - /addressgroups + - /appliedtogroups + - /loglevel + - /networkpolicies + - /ovsflows + - /ovstracing + - /podinterfaces + - /featuregates + verbs: + - get +--- +# Source: antrea/templates/cluster-identity-reader/clusterrolebinding.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-cluster-identity-reader + labels: + app: antrea +rules: + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - antrea-cluster-identity + verbs: + - get +--- +# Source: antrea/templates/controller/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-controller + labels: + app: antrea +rules: + - apiGroups: + - "" + resources: + - pods + - services + - namespaces + - configmaps + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - patch + - apiGroups: + - "" + resources: + - services/status + verbs: + - update + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - watch + - list + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - update + # This is the content of built-in role kube-system/extension-apiserver-authentication-reader. + # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-controller) will + # have permission issue after bumping up apiserver library to a version that supports dynamic authentication. + # See https://github.com/kubernetes/kubernetes/pull/85375 + # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on + # the extension-apiserver-authentication role. + - apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - antrea-ca + - antrea-cluster-identity + verbs: + - get + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + resourceNames: + - v1alpha1.stats.antrea.io + - v1beta1.system.antrea.io + - v1beta2.controlplane.antrea.io + verbs: + - get + - update + - apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + resourceNames: + - v1beta1.networking.antrea.tanzu.vmware.com + - v1beta1.controlplane.antrea.tanzu.vmware.com + - v1alpha1.stats.antrea.tanzu.vmware.com + - v1beta1.system.antrea.tanzu.vmware.com + - v1beta2.controlplane.antrea.tanzu.vmware.com + verbs: + - delete + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + resourceNames: + # always give permissions for labelsmutator.antrea.io, even when the + # feature is disabled, to avoid errors in antrea-controller when updating + # the CA cert. + - labelsmutator.antrea.io + - crdmutator.antrea.io + - crdvalidator.antrea.io + verbs: + - get + - update + - apiGroups: + - crd.antrea.io + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete + - apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - list + - delete + - apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update + - apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - clustergroups/status + verbs: + - update + - apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list + - update + - patch + - apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - externalippools/status + - ippools/status + verbs: + - update + - apiGroups: + - apps + resources: + - statefulsets + verbs: + - get + - list + - watch +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: + name: aggregate-antrea-policies-edit labels: app: antrea - name: antrea-config-2c8t9465tc - namespace: kube-system + # Add these permissions to the "admin" and "edit" default roles. + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["clusternetworkpolicies", "networkpolicies"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] --- -apiVersion: v1 -kind: Service +# Source: antrea/templates/crds-rbac/clusterroles.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: aggregate-antrea-policies-view + labels: + app: antrea + # Add these permissions to the "view" default role. + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["clusternetworkpolicies", "networkpolicies"] + verbs: ["get", "list", "watch"] +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: aggregate-traceflows-edit + labels: + app: antrea + # Add these permissions to the "admin" and "edit" default roles. + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["traceflows"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 metadata: + name: aggregate-traceflows-view + labels: + app: antrea + # Add these permissions to the "view" default role. + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["traceflows"] + verbs: ["get", "list", "watch"] +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: aggregate-antrea-clustergroups-edit + labels: + app: antrea + # Add these permissions to the "admin" and "edit" default roles. + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["clustergroups"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: aggregate-antrea-clustergroups-view + labels: + app: antrea + # Add these permissions to the "view" default role. + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["clustergroups"] + verbs: ["get", "list", "watch"] +--- +# Source: antrea/templates/agent/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-agent + labels: + app: antrea +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: + - kind: ServiceAccount + name: antrea-agent + namespace: kube-system +--- +# Source: antrea/templates/antctl/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antctl +subjects: + - kind: ServiceAccount + name: antctl + namespace: kube-system +--- +# Source: antrea/templates/controller/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-controller labels: app: antrea +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: + - kind: ServiceAccount + name: antrea-controller + namespace: kube-system +--- +# Source: antrea/templates/controller/service.yaml +apiVersion: v1 +kind: Service +metadata: name: antrea namespace: kube-system + labels: + app: antrea spec: ports: - - port: 443 - protocol: TCP - targetPort: api + - port: 443 + protocol: TCP + targetPort: api selector: app: antrea component: antrea-controller --- +# Source: antrea/templates/agent/daemonset.yaml apiVersion: apps/v1 -kind: Deployment +kind: DaemonSet metadata: + name: antrea-agent + namespace: kube-system labels: app: antrea - component: antrea-controller + component: antrea-agent +spec: + selector: + matchLabels: + app: antrea + component: antrea-agent + updateStrategy: + type: RollingUpdate + template: + metadata: + annotations: + # Starting with v1.21, Kubernetes supports default container annotation. + # Using "kubectl logs/exec/attach/cp" doesn't have to specify "-c antrea-agent" when troubleshooting. + kubectl.kubernetes.io/default-container: antrea-agent + # Automatically restart Pods with a RollingUpdate if the ConfigMap changes + # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments + checksum/config: 5cde7917b9224b515967d437777f2243699069b38d5c4811766993426fd138bd + labels: + app: antrea + component: antrea-agent + spec: + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + priorityClassName: system-node-critical + nodeSelector: + kubernetes.io/os: linux + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + serviceAccountName: antrea-agent + initContainers: + - name: install-cni + image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest" + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 100m + command: ["install_cni"] + securityContext: + capabilities: + add: + # SYS_MODULE is required to load the OVS kernel module. + - SYS_MODULE + env: + # SKIP_CNI_BINARIES takes in values as a comma separated list of + # binaries that need to be skipped for installation, e.g. "portmap, bandwidth". + - name: SKIP_CNI_BINARIES + value: "" + volumeMounts: + - name: antrea-config + mountPath: /etc/antrea/antrea-cni.conflist + subPath: antrea-cni.conflist + readOnly: true + - name: host-cni-conf + mountPath: /host/etc/cni/net.d + - name: host-cni-bin + mountPath: /host/opt/cni/bin + # For loading the OVS kernel module. + - name: host-lib-modules + mountPath: /lib/modules + readOnly: true + # For changing the default permissions of the run directory. + - name: host-var-run-antrea + mountPath: /var/run/antrea + containers: + - name: antrea-agent + image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest" + imagePullPolicy: IfNotPresent + command: ["antrea-agent"] + # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).- + args: + - "--config=/etc/antrea/antrea-agent.conf" + - "--logtostderr=false" + - "--log_dir=/var/log/antrea" + - "--alsologtostderr" + - "--log_file_max_size=100" + - "--log_file_max_num=4" + env: + # Provide pod and node information for clusterinformation CRD. + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + resources: + requests: + cpu: 200m + ports: + - containerPort: 10350 + name: api + protocol: TCP + livenessProbe: + exec: + command: + - /bin/sh + - -c + - container_liveness_probe agent + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + failureThreshold: 5 + readinessProbe: + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + # In large-scale clusters, it may take up to 40~50 seconds for the antrea-agent to reconnect to the antrea + # Service after the antrea-controller restarts. The antrea-agent shouldn't be reported as NotReady in this + # scenario, otherwise the DaemonSet controller would restart all agents at once, as opposed to performing a + # rolling update. Set failureThreshold to 8 so it can tolerate 70s of disconnection. + failureThreshold: 8 + securityContext: + # antrea-agent needs to perform sysctl configuration. + privileged: true + volumeMounts: + - name: antrea-config + mountPath: /etc/antrea/antrea-agent.conf + subPath: antrea-agent.conf + readOnly: true + - name: host-var-run-antrea + mountPath: /var/run/antrea + - name: host-var-run-antrea + mountPath: /var/run/openvswitch + subPath: openvswitch + # host-local IPAM stores allocated IP addresses as files in /var/lib/cni/networks/$NETWORK_NAME. + # Mount a sub-directory of host-var-run-antrea to it for persistence of IP allocation. + - name: host-var-run-antrea + mountPath: /var/lib/cni + subPath: cni + # We need to mount both the /proc directory and the /var/run/netns directory so that + # antrea-agent can open the network namespace path when setting up Pod + # networking. Different container runtimes may use /proc or /var/run/netns when invoking + # the CNI commands. Docker uses /proc and containerd uses /var/run/netns. + - name: host-var-log-antrea + mountPath: /var/log/antrea + - name: host-proc + mountPath: /host/proc + readOnly: true + - name: host-var-run-netns + mountPath: /host/var/run/netns + readOnly: true + # When a container is created, a mount point for the network namespace is added under + # /var/run/netns on the host, which needs to be propagated to the antrea-agent container. + mountPropagation: HostToContainer + - name: xtables-lock + mountPath: /run/xtables.lock + - name: antrea-ovs + image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest" + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 200m + command: ["start_ovs"] + args: + - "--log_file_max_size=100" + - "--log_file_max_num=4" + securityContext: + # capabilities required by OVS daemons + capabilities: + add: + - SYS_NICE + - NET_ADMIN + - SYS_ADMIN + - IPC_LOCK + livenessProbe: + exec: + # docker CRI doesn't honor timeoutSeconds, add "timeout" to the command as a workaround. + # https://github.com/kubernetes/kubernetes/issues/51901 + command: + - /bin/sh + - -c + - timeout 10 container_liveness_probe ovs + initialDelaySeconds: 5 + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 5 + volumeMounts: + - name: host-var-run-antrea + mountPath: /var/run/openvswitch + subPath: openvswitch + - name: host-var-log-antrea + mountPath: /var/log/openvswitch + subPath: openvswitch + volumes: + - name: antrea-config + configMap: + name: antrea-config + - name: host-cni-conf + hostPath: + path: /etc/cni/net.d + - name: host-cni-bin + hostPath: + path: /home/kubernetes/bin + - name: host-proc + hostPath: + path: /proc + - name: host-var-run-netns + hostPath: + path: /var/run/netns + - name: host-var-run-antrea + hostPath: + path: /var/run/antrea + # we use subPath to create run subdirectories for different component (e.g. OVS) and + # subPath requires the base volume to exist + type: DirectoryOrCreate + - name: host-var-log-antrea + hostPath: + path: /var/log/antrea + # we use subPath to create logging subdirectories for different component (e.g. OVS) + type: DirectoryOrCreate + - name: host-lib-modules + hostPath: + path: /lib/modules + - name: xtables-lock + hostPath: + path: /run/xtables.lock + type: FileOrCreate +--- +# Source: antrea/templates/controller/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: name: antrea-controller namespace: kube-system + labels: + app: antrea + component: antrea-controller spec: - replicas: 1 + strategy: + # Ensure the existing Pod is stopped before the new one is created. + type: Recreate selector: matchLabels: app: antrea component: antrea-controller - strategy: - type: Recreate + replicas: 1 template: metadata: + annotations: + # Automatically restart Pod if the ConfigMap changes + # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments + checksum/config: 5cde7917b9224b515967d437777f2243699069b38d5c4811766993426fd138bd labels: app: antrea component: antrea-controller spec: - containers: - - args: - - --config - - /etc/antrea/antrea-controller.conf - - --logtostderr=false - - --log_dir=/var/log/antrea - - --alsologtostderr - - --log_file_max_size=100 - - --log_file_max_num=4 - - --v=0 - command: - - antrea-controller - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: SERVICEACCOUNT_NAME - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ANTREA_CONFIG_MAP_NAME - value: antrea-config-2c8t9465tc - image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 5 - httpGet: - host: localhost - path: /livez - port: api - scheme: HTTPS - periodSeconds: 10 - timeoutSeconds: 5 - name: antrea-controller - ports: - - containerPort: 10349 - name: api - protocol: TCP - readinessProbe: - failureThreshold: 5 - httpGet: - host: localhost - path: /readyz - port: api - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - resources: - requests: - cpu: 200m - volumeMounts: - - mountPath: /etc/antrea/antrea-controller.conf - name: antrea-config - readOnly: true - subPath: antrea-controller.conf - - mountPath: /var/run/antrea/antrea-controller-tls - name: antrea-controller-tls - - mountPath: /var/log/antrea - name: host-var-log-antrea - hostNetwork: true nodeSelector: kubernetes.io/os: linux + hostNetwork: true priorityClassName: system-cluster-critical - serviceAccountName: antrea-controller tolerations: - - key: CriticalAddonsOnly - operator: Exists - - effect: NoSchedule - key: node-role.kubernetes.io/master + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + serviceAccountName: antrea-controller + containers: + - name: antrea-controller + image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest" + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 200m + command: ["antrea-controller"] + # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work). + args: + - "--config=/etc/antrea/antrea-controller.conf" + - "--logtostderr=false" + - "--log_dir=/var/log/antrea" + - "--alsologtostderr" + - "--log_file_max_size=100" + - "--log_file_max_num=4" + env: + # Provide pod and node information for clusterinformation CRD. + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + # Provide ServiceAccount name for validation webhook. + - name: SERVICEACCOUNT_NAME + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ANTREA_CONFIG_MAP_NAME + value: antrea-config + ports: + - containerPort: 10349 + name: api + protocol: TCP + readinessProbe: + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + failureThreshold: 5 + livenessProbe: + httpGet: + host: localhost + path: /livez + port: api + scheme: HTTPS + timeoutSeconds: 5 + periodSeconds: 10 + failureThreshold: 5 + volumeMounts: + - name: antrea-config + mountPath: /etc/antrea/antrea-controller.conf + subPath: antrea-controller.conf + readOnly: true + - name: antrea-controller-tls + mountPath: /var/run/antrea/antrea-controller-tls + - name: host-var-log-antrea + mountPath: /var/log/antrea volumes: - - configMap: - name: antrea-config-2c8t9465tc - name: antrea-config - - name: antrea-controller-tls - secret: - defaultMode: 256 - optional: true - secretName: antrea-controller-tls - - hostPath: - path: /var/log/antrea - type: DirectoryOrCreate - name: host-var-log-antrea + - name: antrea-config + configMap: + name: antrea-config + # Make it optional as we only read it when selfSignedCert=false. + - name: antrea-controller-tls + secret: + secretName: antrea-controller-tls + defaultMode: 0400 + optional: true + - name: host-var-log-antrea + hostPath: + path: /var/log/antrea + type: DirectoryOrCreate --- +# Source: antrea/templates/controller/apiservices.yaml apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: + name: v1beta2.controlplane.antrea.io labels: app: antrea - name: v1alpha1.stats.antrea.io spec: - group: stats.antrea.io + group: controlplane.antrea.io groupPriorityMinimum: 100 + version: v1beta2 + versionPriority: 100 service: name: antrea namespace: kube-system - version: v1alpha1 - versionPriority: 100 --- +# Source: antrea/templates/controller/apiservices.yaml apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: + name: v1beta1.system.antrea.io labels: app: antrea - name: v1beta1.system.antrea.io spec: group: system.antrea.io groupPriorityMinimum: 100 + version: v1beta1 + versionPriority: 100 service: name: antrea namespace: kube-system - version: v1beta1 - versionPriority: 100 --- +# Source: antrea/templates/controller/apiservices.yaml apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: + name: v1alpha1.stats.antrea.io labels: app: antrea - name: v1beta2.controlplane.antrea.io spec: - group: controlplane.antrea.io + group: stats.antrea.io groupPriorityMinimum: 100 + version: v1alpha1 + versionPriority: 100 service: name: antrea namespace: kube-system - version: v1beta2 - versionPriority: 100 ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - labels: - app: antrea - component: antrea-agent - name: antrea-agent - namespace: kube-system -spec: - selector: - matchLabels: - app: antrea - component: antrea-agent - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: antrea-agent - labels: - app: antrea - component: antrea-agent - spec: - containers: - - args: - - --config - - /etc/antrea/antrea-agent.conf - - --logtostderr=false - - --log_dir=/var/log/antrea - - --alsologtostderr - - --log_file_max_size=100 - - --log_file_max_num=4 - - --v=0 - command: - - antrea-agent - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest - imagePullPolicy: IfNotPresent - livenessProbe: - exec: - command: - - /bin/sh - - -c - - container_liveness_probe agent - failureThreshold: 5 - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - name: antrea-agent - ports: - - containerPort: 10350 - name: api - protocol: TCP - readinessProbe: - failureThreshold: 8 - httpGet: - host: localhost - path: /readyz - port: api - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - resources: - requests: - cpu: 200m - securityContext: - privileged: true - volumeMounts: - - mountPath: /etc/antrea/antrea-agent.conf - name: antrea-config - readOnly: true - subPath: antrea-agent.conf - - mountPath: /var/run/antrea - name: host-var-run-antrea - - mountPath: /var/run/openvswitch - name: host-var-run-antrea - subPath: openvswitch - - mountPath: /var/lib/cni - name: host-var-run-antrea - subPath: cni - - mountPath: /var/log/antrea - name: host-var-log-antrea - - mountPath: /host/proc - name: host-proc - readOnly: true - - mountPath: /host/var/run/netns - mountPropagation: HostToContainer - name: host-var-run-netns - readOnly: true - - mountPath: /run/xtables.lock - name: xtables-lock - - args: - - --log_file_max_size=100 - - --log_file_max_num=4 - command: - - start_ovs - image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest - imagePullPolicy: IfNotPresent - livenessProbe: - exec: - command: - - /bin/sh - - -c - - timeout 10 container_liveness_probe ovs - failureThreshold: 5 - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 10 - name: antrea-ovs - resources: - requests: - cpu: 200m - securityContext: - capabilities: - add: - - SYS_NICE - - NET_ADMIN - - SYS_ADMIN - - IPC_LOCK - volumeMounts: - - mountPath: /var/run/openvswitch - name: host-var-run-antrea - subPath: openvswitch - - mountPath: /var/log/openvswitch - name: host-var-log-antrea - subPath: openvswitch - dnsPolicy: ClusterFirstWithHostNet - hostNetwork: true - initContainers: - - command: - - install_cni - env: - - name: SKIP_CNI_BINARIES - value: "" - image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest - imagePullPolicy: IfNotPresent - name: install-cni - resources: - requests: - cpu: 100m - securityContext: - capabilities: - add: - - SYS_MODULE - volumeMounts: - - mountPath: /etc/antrea/antrea-cni.conflist - name: antrea-config - readOnly: true - subPath: antrea-cni.conflist - - mountPath: /host/etc/cni/net.d - name: host-cni-conf - - mountPath: /host/opt/cni/bin - name: host-cni-bin - - mountPath: /lib/modules - name: host-lib-modules - readOnly: true - - mountPath: /var/run/antrea - name: host-var-run-antrea - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-node-critical - serviceAccountName: antrea-agent - tolerations: - - key: CriticalAddonsOnly - operator: Exists - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - volumes: - - hostPath: - path: /home/kubernetes/bin - name: host-cni-bin - - configMap: - name: antrea-config-2c8t9465tc - name: antrea-config - - hostPath: - path: /etc/cni/net.d - name: host-cni-conf - - hostPath: - path: /proc - name: host-proc - - hostPath: - path: /var/run/netns - name: host-var-run-netns - - hostPath: - path: /var/run/antrea - type: DirectoryOrCreate - name: host-var-run-antrea - - hostPath: - path: /var/log/antrea - type: DirectoryOrCreate - name: host-var-log-antrea - - hostPath: - path: /lib/modules - name: host-lib-modules - - hostPath: - path: /run/xtables.lock - type: FileOrCreate - name: xtables-lock - updateStrategy: - type: RollingUpdate --- +# Source: antrea/templates/webhooks/mutating/crdmutator.yaml apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: + name: "crdmutator.antrea.io" labels: app: antrea - name: crdmutator.antrea.io webhooks: -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /mutate/acnp - name: acnpmutator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusternetworkpolicies - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /mutate/anp - name: anpmutator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - networkpolicies - scope: Namespaced - sideEffects: None - timeoutSeconds: 5 + - name: "acnpmutator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/mutate/acnp" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["clusternetworkpolicies"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "anpmutator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/mutate/anp" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["networkpolicies"] + scope: "Namespaced" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 --- +# Source: antrea/templates/webhooks/validating/crdvalidator.yaml apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: + name: "crdvalidator.antrea.io" labels: app: antrea - name: crdvalidator.antrea.io webhooks: -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/tier - name: tiervalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - - DELETE - resources: - - tiers - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/acnp - name: acnpvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusternetworkpolicies - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/anp - name: anpvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - networkpolicies - scope: Namespaced - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/clustergroup - name: clustergroupvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha3 - - v1alpha2 - operations: - - CREATE - - UPDATE - resources: - - clustergroups - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/externalippool - name: externalippoolvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha2 - operations: - - UPDATE - resources: - - externalippools - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/egress - name: egressvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha2 - operations: - - CREATE - - UPDATE - resources: - - egresses - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/ippool - name: ippoolvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha2 - operations: - - CREATE - - UPDATE - - DELETE - resources: - - ippools - scope: Cluster - sideEffects: None - timeoutSeconds: 5 + - name: "tiervalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/tier" + rules: + - operations: ["CREATE", "UPDATE", "DELETE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["tiers"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "acnpvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/acnp" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["clusternetworkpolicies"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "anpvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/anp" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["networkpolicies"] + scope: "Namespaced" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "clustergroupvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/clustergroup" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha3", "v1alpha2"] + resources: ["clustergroups"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "externalippoolvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/externalippool" + rules: + - operations: ["UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha2"] + resources: ["externalippools"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "egressvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/egress" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha2"] + resources: ["egresses"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "ippoolvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/ippool" + rules: + - operations: ["CREATE", "UPDATE", "DELETE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha2"] + resources: ["ippools"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml index f5e3143b287..524799a994c 100644 --- a/build/yamls/antrea-ipsec.yml +++ b/build/yamls/antrea-ipsec.yml @@ -1,2742 +1,52 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition +--- +# Source: antrea/templates/agent/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount metadata: + name: antrea-agent + namespace: kube-system labels: app: antrea - name: antreaagentinfos.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: AntreaAgentInfo - plural: antreaagentinfos - shortNames: - - aai - singular: antreaagentinfo - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Health status of this Agent - jsonPath: .agentConditions[?(@.type=='AgentHealthy')].status - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: .agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime - name: Last Heartbeat - type: date - - description: Version of this Agent - jsonPath: .version - name: Version - priority: 1 - type: string - - description: Node on which this Agent is running - jsonPath: .nodeRef.name - name: Node - priority: 1 - type: string - - description: Number of local Pods managed by this Agent - jsonPath: .localPodNum - name: Num Pods - priority: 2 - type: integer - - description: Subnets used by this Agent for Pod IPAM - jsonPath: .nodeSubnets - name: Subnets - priority: 2 - type: string - name: v1beta1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true --- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition +# Source: antrea/templates/antctl/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount metadata: + name: antctl + namespace: kube-system labels: app: antrea - name: antreacontrollerinfos.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: AntreaControllerInfo - plural: antreacontrollerinfos - shortNames: - - aci - singular: antreacontrollerinfo - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Health status of the Controller - jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].status - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime - name: Last Heartbeat - type: date - - description: Version of the Controller - jsonPath: .version - name: Version - priority: 1 - type: string - - description: Number of Agents connected to the Controller - jsonPath: .connectedAgentNum - name: Connected Agents - priority: 1 - type: integer - - description: Node on which the Controller is running - jsonPath: .nodeRef.name - name: Node - priority: 1 - type: string - - description: Number of Network Policies computed by Controller - jsonPath: .networkPolicyControllerInfo.networkPolicyNum - name: Num Network Policies - priority: 2 - type: integer - name: v1beta1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true --- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition +# Source: antrea/templates/controller/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount metadata: + name: antrea-controller + namespace: kube-system labels: app: antrea - name: clustergroups.crd.antrea.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: antrea - namespace: kube-system - path: /convert/clustergroup - conversionReviewVersions: - - v1 - - v1beta1 - group: crd.antrea.io - names: - kind: ClusterGroup - plural: clustergroups - shortNames: - - cg - singular: clustergroup - scope: Cluster - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - childGroups: - items: - type: string - type: array - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - ipBlocks: - items: - properties: - cidr: - format: cidr - type: string - type: object - type: array - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceReference: - properties: - name: - type: string - namespace: - type: string - type: object - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - type: string - status: - type: string - type: - type: string - type: object - type: array - type: object - type: object - served: true - storage: false - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - properties: - childGroups: - items: - type: string - type: array - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - ipBlocks: - items: - properties: - cidr: - format: cidr - type: string - type: object - type: array - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceReference: - properties: - name: - type: string - namespace: - type: string - type: object - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - type: string - status: - type: string - type: - type: string - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} --- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition +# Source: antrea/templates/agent/ipsec-secret.yaml +apiVersion: v1 +kind: Secret metadata: + name: antrea-ipsec + namespace: kube-system labels: app: antrea - name: clusternetworkpolicies.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ClusterNetworkPolicy - plural: clusternetworkpolicies - shortNames: - - acnp - singular: clusternetworkpolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The Tier to which this ClusterNetworkPolicy belongs to. - jsonPath: .spec.tier - name: Tier - type: string - - description: The Priority of this ClusterNetworkPolicy relative to other policies. - format: float - jsonPath: .spec.priority - name: Priority - type: number - - description: The total number of Nodes that should realize the NetworkPolicy. - format: int32 - jsonPath: .status.desiredNodesRealized - name: Desired Nodes - type: number - - description: The number of Nodes that have realized the NetworkPolicy. - format: int32 - jsonPath: .status.currentNodesRealized - name: Current Nodes - type: number - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceAccount: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - type: array - egress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceAccount: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - type: array - enableLogging: - type: boolean - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string - type: object - type: array - to: - items: - properties: - fqdn: - type: string - group: - type: string - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: - properties: - match: - type: string - type: object - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceAccount: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - type: array - toServices: - items: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: array - required: - - action - type: object - type: array - ingress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceAccount: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - type: array - enableLogging: - type: boolean - from: - items: - properties: - group: - type: string - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: - properties: - match: - enum: - - Self - type: string - type: object - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceAccount: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - type: array - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string - type: object - type: array - required: - - action - type: object - type: array - priority: - format: float - maximum: 10000 - minimum: 1 - type: number - tier: - type: string - required: - - priority - type: object - status: - properties: - currentNodesRealized: - type: integer - desiredNodesRealized: - type: integer - observedGeneration: - type: integer - phase: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: egresses.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Egress - plural: egresses - shortNames: - - eg - singular: egress - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Specifies the SNAT IP address for the selected workloads. - jsonPath: .spec.egressIP - name: EgressIP - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The Owner Node of egress IP - jsonPath: .status.egressNode - name: Node - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - anyOf: - - required: - - egressIP - - required: - - externalIPPool - properties: - appliedTo: - properties: - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - egressIP: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - externalIPPool: - type: string - required: - - appliedTo - type: object - status: - properties: - egressNode: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} +type: Opaque +stringData: + # Preshared Key used by IKE for authentication with peers. + psk: "changeme" --- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition +# Source: antrea/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap metadata: + name: antrea-config + namespace: kube-system labels: app: antrea - name: externalentities.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ExternalEntity - plural: externalentities - shortNames: - - ee - singular: externalentity - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - endpoints: - items: - properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - name: - type: string - type: object - type: array - externalNode: - type: string - ports: - items: - properties: - name: - type: string - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string - type: object - type: array - type: object - type: object - served: true - storage: true - - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - served: false - storage: false ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalippools.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ExternalIPPool - plural: externalippools - shortNames: - - eip - singular: externalippool - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of allocated IPs - jsonPath: .status.usage.used - name: Used - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - ipRanges: - items: - oneOf: - - required: - - cidr - - required: - - start - - end - properties: - cidr: - format: cidr - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - start: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - type: object - type: array - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - required: - - ipRanges - - nodeSelector - type: object - status: - properties: - usage: - properties: - total: - type: integer - used: - type: integer - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: ippools.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: IPPool - plural: ippools - shortNames: - - ipp - singular: ippool - scope: Cluster - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - ipRanges: - items: - oneOf: - - required: - - cidr - - gateway - - prefixLength - - required: - - start - - end - - gateway - - prefixLength - properties: - cidr: - format: cidr - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - gateway: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - prefixLength: - type: integer - start: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - vlan: - maximum: 4094 - minimum: 0 - type: integer - type: object - type: array - ipVersion: - type: integer - required: - - ipVersion - - ipRanges - type: object - status: - properties: - ipAddresses: - items: - properties: - ipAddress: - type: string - owner: - properties: - pod: - properties: - containerID: - type: string - ifName: - type: string - name: - type: string - namespace: - type: string - type: object - statefulSet: - properties: - index: - type: integer - name: - type: string - namespace: - type: string - type: object - type: object - phase: - type: string - type: object - type: array - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: networkpolicies.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: NetworkPolicy - plural: networkpolicies - shortNames: - - anp - singular: networkpolicy - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The Tier to which this Antrea NetworkPolicy belongs to. - jsonPath: .spec.tier - name: Tier - type: string - - description: The Priority of this Antrea NetworkPolicy relative to other policies. - format: float - jsonPath: .spec.priority - name: Priority - type: number - - description: The total number of Nodes that should realize the NetworkPolicy. - format: int32 - jsonPath: .status.desiredNodesRealized - name: Desired Nodes - type: number - - description: The number of Nodes that have realized the NetworkPolicy. - format: int32 - jsonPath: .status.currentNodesRealized - name: Current Nodes - type: number - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - egress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - enableLogging: - type: boolean - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string - type: object - type: array - to: - items: - properties: - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - fqdn: - type: string - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - toServices: - items: - properties: - name: - type: string - namespace: - type: string - required: - - name - type: object - type: array - required: - - action - type: object - type: array - ingress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - enableLogging: - type: boolean - from: - items: - properties: - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string - type: object - type: array - required: - - action - type: object - type: array - priority: - format: float - maximum: 10000 - minimum: 1 - type: number - tier: - type: string - required: - - priority - type: object - status: - properties: - currentNodesRealized: - type: integer - desiredNodesRealized: - type: integer - observedGeneration: - type: integer - phase: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: tiers.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Tier - plural: tiers - shortNames: - - tr - singular: tier - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The Priority of this Tier relative to other Tiers. - jsonPath: .spec.priority - name: Priority - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - description: - type: string - priority: - maximum: 255 - minimum: 0 - type: integer - required: - - priority - type: object - type: object - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: traceflows.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Traceflow - plural: traceflows - shortNames: - - tf - singular: traceflow - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The phase of the Traceflow. - jsonPath: .status.phase - name: Phase - type: string - - description: The name of the source Pod. - jsonPath: .spec.source.pod - name: Source-Pod - priority: 10 - type: string - - description: The name of the destination Pod. - jsonPath: .spec.destination.pod - name: Destination-Pod - priority: 10 - type: string - - description: The IP address of the destination. - jsonPath: .spec.destination.ip - name: Destination-IP - priority: 10 - type: string - - description: Trace live traffic. - jsonPath: .spec.liveTraffic - name: Live-Traffic - priority: 10 - type: boolean - - description: Capture only the dropped packet. - jsonPath: .spec.droppedOnly - name: Dropped-Only - priority: 10 - type: boolean - - description: Timeout in seconds. - jsonPath: .spec.timeout - name: Timeout - priority: 10 - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - destination: - properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - namespace: - type: string - pod: - type: string - service: - type: string - type: object - droppedOnly: - type: boolean - liveTraffic: - type: boolean - packet: - properties: - ipHeader: - properties: - flags: - type: integer - protocol: - type: integer - srcIP: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - ttl: - type: integer - type: object - ipv6Header: - properties: - hopLimit: - type: integer - nextHeader: - type: integer - srcIP: - format: ipv6 - type: string - type: object - transportHeader: - properties: - icmp: - properties: - id: - type: integer - sequence: - type: integer - type: object - tcp: - properties: - dstPort: - type: integer - flags: - type: integer - srcPort: - type: integer - type: object - udp: - properties: - dstPort: - type: integer - srcPort: - type: integer - type: object - type: object - type: object - source: - properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - namespace: - type: string - pod: - type: string - type: object - timeout: - type: integer - type: object - status: - properties: - capturedPacket: - properties: - dstIP: - type: string - ipHeader: - properties: - flags: - type: integer - protocol: - type: integer - ttl: - type: integer - type: object - ipv6Header: - properties: - hopLimit: - type: integer - nextHeader: - type: integer - type: object - length: - type: integer - srcIP: - type: string - transportHeader: - properties: - icmp: - properties: - id: - type: integer - sequence: - type: integer - type: object - tcp: - properties: - dstPort: - type: integer - flags: - type: integer - srcPort: - type: integer - type: object - udp: - properties: - dstPort: - type: integer - srcPort: - type: integer - type: object - type: object - type: object - dataplaneTag: - type: integer - phase: - type: string - reason: - type: string - results: - items: - properties: - node: - type: string - observations: - items: - properties: - action: - type: string - component: - type: string - componentInfo: - type: string - dstMAC: - type: string - networkPolicy: - type: string - pod: - type: string - translatedDstIP: - type: string - translatedSrcIP: - type: string - ttl: - type: integer - tunnelDstIP: - type: string - type: object - type: array - role: - type: string - timestamp: - type: integer - type: object - type: array - startTime: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: antrea - name: antctl - namespace: kube-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: antrea - name: antrea-agent - namespace: kube-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: antrea - name: antrea-controller - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: aggregate-antrea-clustergroups-edit -rules: -- apiGroups: - - crd.antrea.io - resources: - - clustergroups - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: aggregate-antrea-clustergroups-view -rules: -- apiGroups: - - crd.antrea.io - resources: - - clustergroups - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: aggregate-antrea-policies-edit -rules: -- apiGroups: - - crd.antrea.io - resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: aggregate-antrea-policies-view -rules: -- apiGroups: - - crd.antrea.io - resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: aggregate-traceflows-edit -rules: -- apiGroups: - - crd.antrea.io - resources: - - traceflows - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: aggregate-traceflows-view -rules: -- apiGroups: - - crd.antrea.io - resources: - - traceflows - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antctl -rules: -- apiGroups: - - controlplane.antrea.io - resources: - - networkpolicies - - appliedtogroups - - addressgroups - verbs: - - get - - list -- apiGroups: - - stats.antrea.io - resources: - - networkpolicystats - - antreaclusternetworkpolicystats - - antreanetworkpolicystats - verbs: - - get - - list -- apiGroups: - - system.antrea.io - resources: - - controllerinfos - - agentinfos - verbs: - - get -- apiGroups: - - system.antrea.io - resources: - - supportbundles - verbs: - - get - - post -- apiGroups: - - system.antrea.io - resources: - - supportbundles/download - verbs: - - get -- nonResourceURLs: - - /agentinfo - - /addressgroups - - /appliedtogroups - - /loglevel - - /networkpolicies - - /ovsflows - - /ovstracing - - /podinterfaces - - /featuregates - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antrea-agent -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - nodes/status - verbs: - - patch -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - pods/status - verbs: - - patch -- apiGroups: - - "" - resources: - - endpoints - - services - - namespaces - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - services/status - verbs: - - update -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - antreaagentinfos - verbs: - - get - - create - - update - - delete -- apiGroups: - - controlplane.antrea.io - resources: - - networkpolicies - - appliedtogroups - - addressgroups - verbs: - - get - - watch - - list -- apiGroups: - - controlplane.antrea.io - resources: - - egressgroups - verbs: - - get - - watch - - list -- apiGroups: - - controlplane.antrea.io - resources: - - nodestatssummaries - verbs: - - create -- apiGroups: - - controlplane.antrea.io - resources: - - networkpolicies/status - verbs: - - create - - get -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - "" - resourceNames: - - extension-apiserver-authentication - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - "" - resourceNames: - - antrea-ca - resources: - - configmaps - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - traceflows - - traceflows/status - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - egresses - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - egresses/status - verbs: - - update -- apiGroups: - - crd.antrea.io - resources: - - externalippools - - ippools - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - ippools/status - verbs: - - update -- apiGroups: - - k8s.cni.cncf.io - resources: - - network-attachment-definitions - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antrea-cluster-identity-reader -rules: -- apiGroups: - - "" - resourceNames: - - antrea-cluster-identity - resources: - - configmaps - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antrea-controller -rules: -- apiGroups: - - "" - resources: - - pods - - services - - namespaces - - configmaps - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - watch - - list - - patch -- apiGroups: - - "" - resources: - - services/status - verbs: - - update -- apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - get - - watch - - list -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - update -- apiGroups: - - "" - resourceNames: - - extension-apiserver-authentication - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - "" - resourceNames: - - antrea-ca - - antrea-cluster-identity - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create -- apiGroups: - - apiregistration.k8s.io - resourceNames: - - v1alpha1.stats.antrea.io - - v1beta1.system.antrea.io - - v1beta2.controlplane.antrea.io - resources: - - apiservices - verbs: - - get - - update -- apiGroups: - - apiregistration.k8s.io - resourceNames: - - v1beta1.networking.antrea.tanzu.vmware.com - - v1beta1.controlplane.antrea.tanzu.vmware.com - - v1alpha1.stats.antrea.tanzu.vmware.com - - v1beta1.system.antrea.tanzu.vmware.com - - v1beta2.controlplane.antrea.tanzu.vmware.com - resources: - - apiservices - verbs: - - delete -- apiGroups: - - admissionregistration.k8s.io - resourceNames: - - labelsmutator.antrea.io - - crdmutator.antrea.io - - crdvalidator.antrea.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: - - get - - update -- apiGroups: - - crd.antrea.io - resources: - - antreacontrollerinfos - verbs: - - get - - create - - update - - delete -- apiGroups: - - crd.antrea.io - resources: - - antreaagentinfos - verbs: - - list - - delete -- apiGroups: - - crd.antrea.io - resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - clusternetworkpolicies/status - - networkpolicies/status - verbs: - - update -- apiGroups: - - crd.antrea.io - resources: - - tiers - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - traceflows - - traceflows/status - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - externalentities - - clustergroups - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - clustergroups/status - verbs: - - update -- apiGroups: - - crd.antrea.io - resources: - - egresses - verbs: - - get - - watch - - list - - update - - patch -- apiGroups: - - crd.antrea.io - resources: - - externalippools - - ippools - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - externalippools/status - - ippools/status - verbs: - - update -- apiGroups: - - apps - resources: - - statefulsets - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: antrea - name: antctl - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: antctl -subjects: -- kind: ServiceAccount - name: antctl - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: antrea - name: antrea-agent -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: antrea-agent -subjects: -- kind: ServiceAccount - name: antrea-agent - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: antrea - name: antrea-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: antrea-controller -subjects: -- kind: ServiceAccount - name: antrea-controller - namespace: kube-system ---- -apiVersion: v1 data: antrea-agent.conf: | # FeatureGates is a map of feature names to bools that enable or disable experimental features. @@ -2790,19 +100,18 @@ data: # Name of the OpenVSwitch bridge antrea-agent will create and use. # Make sure it doesn't conflict with your existing OpenVSwitch bridges. - #ovsBridge: br-int + ovsBridge: "br-int" # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: # - system # - netdev # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run - # OVS in userspace mode (not fully supported yet). Userspace mode requires the tun device driver to - # be available. + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. #ovsDatapathType: system # Name of the interface antrea-agent will create and use for host <--> pod communication. # Make sure it doesn't conflict with your existing interfaces. - #hostGateway: antrea-gw0 + hostGateway: "antrea-gw0" # Determines how traffic is encapsulated. It has the following options: # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network @@ -2814,14 +123,14 @@ data: # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod # IPAM and connectivity to the primary CNI. # - #trafficEncapMode: encap + trafficEncapMode: "encap" # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never # performs SNAT and this option will be ignored; for other modes it must be set to false. - #noSNAT: false + noSNAT: false # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, # this option will not take effect. Supported values: @@ -2830,7 +139,7 @@ data: # - gre # - stt # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). - tunnelType: gre + tunnelType: "gre" # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. # It has the following options: @@ -2840,7 +149,7 @@ data: # the PSK value must be passed to Antrea Agent through an environment # variable: ANTREA_IPSEC_PSK. # - wireGuard: Enable WireGuard for tunnel traffic encryption. - trafficEncryptionMode: ipsec + trafficEncryptionMode: "ipsec" # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are @@ -2849,40 +158,40 @@ data: # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. - #enableBridgingMode: false + enableBridgingMode: false # Default MTU to use for the host gateway interface and the network interface of each Pod. # If omitted, antrea-agent will discover the MTU of the Node's primary interface and # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). - #defaultMTU: 0 + defaultMTU: 0 # wireGuard specifies WireGuard related configurations. wireGuard: - # The port for WireGuard to receive traffic. - # port: 51820 + # The port for WireGuard to receive traffic. + port: 51820 egress: - # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. - # exceptCIDRs: [] + # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. + exceptCIDRs: # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. - #serviceCIDR: 10.96.0.0/12 + serviceCIDR: "" # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. # No default value for this field. - #serviceCIDRv6: + serviceCIDRv6: "" # The port for the antrea-agent APIServer to serve on. # Note that if it's set to another value, the `containerPort` of the `api` port of the # `antrea-agent` container must be set to the same value. - #apiPort: 10350 + apiPort: 10350 # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. - #enablePrometheusMetrics: true + enablePrometheusMetrics: true # Provide the IPFIX collector address as a string with format :[][:]. # HOST can either be the DNS name or the IP of the Flow Collector. For example, @@ -2893,50 +202,50 @@ data: # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and # "udp" protocols. "tls" is used for securing communication between flow exporter and # flow aggregator. - #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" + flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" # Provide flow poll interval as a duration string. This determines how often the # flow exporter dumps connections from the conntrack module. Flow poll interval # should be greater than or equal to 1s (one second). # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #flowPollInterval: "5s" + flowPollInterval: "5s" # Provide the active flow export timeout, which is the timeout after which a flow # record is sent to the collector for active flows. Thus, for flows with a continuous # stream of packets, a flow record will be exported to the collector once the elapsed # time since the last export event is equal to the value of this timeout. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #activeFlowExportTimeout: "30s" + activeFlowExportTimeout: "5s" # Provide the idle flow export timeout, which is the timeout after which a flow # record is sent to the collector for idle flows. A flow is considered idle if no # packet matching this flow has been observed since the last export event. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #idleFlowExportTimeout: "15s" + idleFlowExportTimeout: "15s" nodePortLocal: # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature # gate is also enabled (which is the default). - # enable: false + enable: false # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port # from that range will be assigned whenever a Pod's container defines a specific port to be exposed # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic # directed to that port will be forwarded to the Pod. - # portRange: 61000-62000 + portRange: "61000-62000" # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. - #kubeAPIServerOverride: "" + kubeAPIServerOverride: "" # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. # https://golang.org/pkg/crypto/tls/#pkg-constants # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always # prefer TLS1.3 Cipher Suites whenever possible. - #tlsCipherSuites: + tlsCipherSuites: "" # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - #tlsMinVersion: + tlsMinVersion: "" # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. # If there are multiple IP addresses configured on the interface, the first one is used. The IP @@ -2945,11 +254,11 @@ data: # 1. transportInterface # 2. transportInterfaceCIDRs # 3. The Node IP - #transportInterface: + transportInterface: "" # The names of the interfaces on Nodes that are used to forward multicast traffic. # Defaults to transport interface if not set. - #multicastInterfaces: [] + multicastInterfaces: # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The @@ -2958,7 +267,7 @@ data: # 1. transportInterface # 2. transportInterfaceCIDRs # 3. The Node IP - #transportInterfaceCIDRs: [,] + transportInterfaceCIDRs: # Option antreaProxy contains AntreaProxy related configuration options. antreaProxy: @@ -2967,22 +276,22 @@ data: # feature to be enabled. # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access # apiserver directly. - #proxyAll: false + proxyAll: false # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. # Note that the option is only valid when proxyAll is true. - #nodePortAddresses: [] + nodePortAddresses: # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name # with Namespace (e.g. kube-system/kube-dns) - #skipServices: [] + skipServices: # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. - #proxyLoadBalancerIPs: true + proxyLoadBalancerIPs: true antrea-cni.conflist: | { "cniVersion":"0.3.0", @@ -2993,11 +302,13 @@ data: "ipam": { "type": "host-local" } - }, + } + , { "type": "portmap", "capabilities": {"portMappings": true} - }, + } + , { "type": "bandwidth", "capabilities": {"bandwidth": true} @@ -3035,703 +346,3353 @@ data: # The port for the antrea-controller APIServer to serve on. # Note that if it's set to another value, the `containerPort` of the `api` port of the # `antrea-controller` container must be set to the same value. - #apiPort: 10349 + apiPort: 10349 # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. - #enablePrometheusMetrics: true + enablePrometheusMetrics: true # Indicates whether to use auto-generated self-signed TLS certificate. - # If false, A Secret named "antrea-controller-tls" must be provided with the following keys: + # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: # ca.crt: # tls.crt: # tls.key: - # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the - # antrea-controller container. - #selfSignedCert: true + selfSignedCert: true # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. # https://golang.org/pkg/crypto/tls/#pkg-constants # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always # prefer TLS1.3 Cipher Suites whenever possible. - #tlsCipherSuites: + tlsCipherSuites: "" # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - #tlsMinVersion: + tlsMinVersion: "" nodeIPAM: - # Enable the integrated Node IPAM controller within the Antrea controller. - # enableNodeIPAM: false - - # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. - # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. - # Value ignored when enableNodeIPAM is false. - # clusterCIDRs: [] - - # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. - # Value ignored when enableNodeIPAM is false. - # serviceCIDR: - # serviceCIDRv6: - - # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. - # nodeCIDRMaskSizeIPv4: 24 - - # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. - # nodeCIDRMaskSizeIPv6: 64 -kind: ConfigMap + # Enable the integrated Node IPAM controller within the Antrea controller. + enableNodeIPAM: false + # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. + # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. + # Value ignored when enableNodeIPAM is false. + clusterCIDRs: + # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. + # Value ignored when enableNodeIPAM is false. + serviceCIDR: "" + serviceCIDRv6: "" + # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. + nodeCIDRMaskSizeIPv4: 24 + # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. + nodeCIDRMaskSizeIPv6: 64 +--- +# Source: antrea/templates/crds/antreaagentinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: antreaagentinfos.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of this Agent + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of this Agent + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Node on which this Agent is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of local Pods managed by this Agent + jsonPath: ".localPodNum" + name: Num Pods + type: integer + priority: 2 + - description: Subnets used by this Agent for Pod IPAM + jsonPath: ".nodeSubnets" + name: Subnets + type: string + priority: 2 + scope: Cluster + names: + plural: antreaagentinfos + singular: antreaagentinfo + kind: AntreaAgentInfo + shortNames: + - aai +--- +# Source: antrea/templates/crds/antreacontrollerinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: antreacontrollerinfos.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of the Controller + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of the Controller + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Number of Agents connected to the Controller + jsonPath: ".connectedAgentNum" + name: Connected Agents + type: integer + priority: 1 + - description: Node on which the Controller is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of Network Policies computed by Controller + jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" + name: Num Network Policies + type: integer + priority: 2 + scope: Cluster + names: + plural: antreacontrollerinfos + singular: antreacontrollerinfo + kind: AntreaControllerInfo + shortNames: + - aci +--- +# Source: antrea/templates/crds/clustergroup.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clustergroups.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + - name: v1alpha3 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + service: + name: "antrea" + namespace: "kube-system" + path: "/convert/clustergroup" + scope: Cluster + names: + plural: clustergroups + singular: clustergroup + kind: ClusterGroup + shortNames: + - cg +--- +# Source: antrea/templates/crds/clusternetworkpolicy.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusternetworkpolicies.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this ClusterNetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. + jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + name: + type: string + enableLogging: + type: boolean + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaces: + type: object + properties: + match: + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + fqdn: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + toServices: + type: array + items: + type: object + required: + - name + - namespace + properties: + name: + type: string + namespace: + type: string + name: + type: string + enableLogging: + type: boolean + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + subresources: + status: {} + scope: Cluster + names: + plural: clusternetworkpolicies + singular: clusternetworkpolicy + kind: ClusterNetworkPolicy + shortNames: + - acnp +--- +# Source: antrea/templates/crds/egress.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: egresses.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - appliedTo + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + egressIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + externalIPPool: + type: string + status: + type: object + properties: + egressNode: + type: string + additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. + jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + subresources: + status: {} + scope: Cluster + names: + plural: egresses + singular: egress + kind: Egress + shortNames: + - eg +--- +# Source: antrea/templates/crds/externalentity.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalentities.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + endpoints: + type: array + items: + type: object + properties: + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + name: + type: string + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + name: + type: string + externalNode: + type: string + - name: v1alpha1 + served: false + storage: false + schema: + openAPIV3Schema: + type: object + scope: Namespaced + names: + plural: externalentities + singular: externalentity + kind: ExternalEntity + shortNames: + - ee +--- +# Source: antrea/templates/crds/externalippool.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - ipRanges + - nodeSelector + properties: + ipRanges: + type: array + items: + type: object + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + type: string + format: cidr + start: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + end: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + status: + type: object + properties: + usage: + type: object + properties: + total: + type: integer + used: + type: integer + additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + scope: Cluster + names: + plural: externalippools + singular: externalippool + kind: ExternalIPPool + shortNames: + - eip +--- +# Source: antrea/templates/crds/ippool.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + required: + - ipVersion + - ipRanges + type: object + properties: + ipVersion: + type: integer + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + vlan: + type: integer + minimum: 0 + maximum: 4094 + type: object + type: array + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + name: + type: string + namespace: + type: string + containerID: + type: string + ifName: + type: string + type: object + statefulSet: + properties: + name: + type: string + namespace: + type: string + index: + type: integer + type: object + type: object + phase: + type: string + type: object + type: array + type: object + subresources: + status: {} + scope: Cluster + names: + plural: ippools + singular: ippool + kind: IPPool + shortNames: + - ipp +--- +# Source: antrea/templates/crds/networkpolicy.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networkpolicies.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this Antrea NetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. + jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + name: + type: string + enableLogging: + type: boolean + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + fqdn: + type: string + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + toServices: + type: array + items: + type: object + required: + - name + properties: + name: + type: string + namespace: + type: string + name: + type: string + enableLogging: + type: boolean + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + subresources: + status: {} + scope: Namespaced + names: + plural: networkpolicies + singular: networkpolicy + kind: NetworkPolicy + shortNames: + - anp +--- +# Source: antrea/templates/crds/tier.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tiers.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Priority + type: integer + description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + required: + - priority + type: object + properties: + priority: + type: integer + minimum: 0 + maximum: 255 + description: + type: string + scope: Cluster + names: + plural: tiers + singular: tier + kind: Tier + shortNames: + - tr +--- +# Source: antrea/templates/crds/traceflow.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: traceflows.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .status.phase + description: The phase of the Traceflow. + name: Phase + type: string + - jsonPath: .spec.source.pod + description: The name of the source Pod. + name: Source-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.pod + description: The name of the destination Pod. + name: Destination-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.ip + description: The IP address of the destination. + name: Destination-IP + type: string + priority: 10 + - jsonPath: .spec.liveTraffic + description: Trace live traffic. + name: Live-Traffic + type: boolean + priority: 10 + - jsonPath: .spec.droppedOnly + description: Capture only the dropped packet. + name: Dropped-Only + type: boolean + priority: 10 + - jsonPath: .spec.timeout + description: Timeout in seconds. + name: Timeout + type: integer + priority: 10 + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + properties: + source: + type: object + properties: + pod: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + destination: + type: object + properties: + pod: + type: string + service: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + packet: + type: object + properties: + ipHeader: + type: object + properties: + srcIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + protocol: + type: integer + ttl: + type: integer + flags: + type: integer + ipv6Header: + type: object + properties: + srcIP: + type: string + format: ipv6 + nextHeader: + type: integer + hopLimit: + type: integer + transportHeader: + type: object + properties: + icmp: + type: object + properties: + id: + type: integer + sequence: + type: integer + udp: + type: object + properties: + srcPort: + type: integer + dstPort: + type: integer + tcp: + type: object + properties: + srcPort: + type: integer + dstPort: + type: integer + flags: + type: integer + liveTraffic: + type: boolean + droppedOnly: + type: boolean + timeout: + type: integer + status: + type: object + properties: + reason: + type: string + dataplaneTag: + type: integer + phase: + type: string + startTime: + type: string + results: + type: array + items: + type: object + properties: + node: + type: string + role: + type: string + timestamp: + type: integer + observations: + type: array + items: + type: object + properties: + component: + type: string + componentInfo: + type: string + action: + type: string + pod: + type: string + dstMAC: + type: string + networkPolicy: + type: string + ttl: + type: integer + translatedSrcIP: + type: string + translatedDstIP: + type: string + tunnelDstIP: + type: string + capturedPacket: + properties: + srcIP: + type: string + dstIP: + type: string + length: + type: integer + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + transportHeader: + properties: + tcp: + properties: + dstPort: + type: integer + srcPort: + type: integer + flags: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + type: object + type: object + subresources: + status: {} + scope: Cluster + names: + plural: traceflows + singular: traceflow + kind: Traceflow + shortNames: + - tf +--- +# Source: antrea/templates/agent/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-agent + labels: + app: antrea +rules: + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - nodes/status + verbs: + - patch + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - pods/status + verbs: + - patch + - apiGroups: + - "" + resources: + - endpoints + - services + - namespaces + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - services/status + verbs: + - update + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - get + - create + - update + - delete + - apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - watch + - list + - apiGroups: + - controlplane.antrea.io + resources: + - egressgroups + verbs: + - get + - watch + - list + - apiGroups: + - controlplane.antrea.io + resources: + - nodestatssummaries + verbs: + - create + - apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies/status + verbs: + - create + - get + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + # This is the content of built-in role kube-system/extension-apiserver-authentication-reader. + # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-agent) will + # have permission issue after bumping up apiserver library to a version that supports dynamic authentication. + # See https://github.com/kubernetes/kubernetes/pull/85375 + # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on + # the extension-apiserver-authentication role. + - apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - antrea-ca + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - egresses/status + verbs: + - update + - apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - ippools/status + verbs: + - update + - apiGroups: + - k8s.cni.cncf.io + resources: + - network-attachment-definitions + verbs: + - get + - list + - watch +--- +# Source: antrea/templates/antctl/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antctl + labels: + app: antrea +rules: + - apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - list + - apiGroups: + - stats.antrea.io + resources: + - networkpolicystats + - antreaclusternetworkpolicystats + - antreanetworkpolicystats + verbs: + - get + - list + - apiGroups: + - system.antrea.io + resources: + - controllerinfos + - agentinfos + verbs: + - get + - apiGroups: + - system.antrea.io + resources: + - supportbundles + verbs: + - get + - post + - apiGroups: + - system.antrea.io + resources: + - supportbundles/download + verbs: + - get + - nonResourceURLs: + - /agentinfo + - /addressgroups + - /appliedtogroups + - /loglevel + - /networkpolicies + - /ovsflows + - /ovstracing + - /podinterfaces + - /featuregates + verbs: + - get +--- +# Source: antrea/templates/cluster-identity-reader/clusterrolebinding.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-cluster-identity-reader + labels: + app: antrea +rules: + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - antrea-cluster-identity + verbs: + - get +--- +# Source: antrea/templates/controller/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-controller + labels: + app: antrea +rules: + - apiGroups: + - "" + resources: + - pods + - services + - namespaces + - configmaps + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - patch + - apiGroups: + - "" + resources: + - services/status + verbs: + - update + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - watch + - list + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - update + # This is the content of built-in role kube-system/extension-apiserver-authentication-reader. + # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-controller) will + # have permission issue after bumping up apiserver library to a version that supports dynamic authentication. + # See https://github.com/kubernetes/kubernetes/pull/85375 + # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on + # the extension-apiserver-authentication role. + - apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - antrea-ca + - antrea-cluster-identity + verbs: + - get + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + resourceNames: + - v1alpha1.stats.antrea.io + - v1beta1.system.antrea.io + - v1beta2.controlplane.antrea.io + verbs: + - get + - update + - apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + resourceNames: + - v1beta1.networking.antrea.tanzu.vmware.com + - v1beta1.controlplane.antrea.tanzu.vmware.com + - v1alpha1.stats.antrea.tanzu.vmware.com + - v1beta1.system.antrea.tanzu.vmware.com + - v1beta2.controlplane.antrea.tanzu.vmware.com + verbs: + - delete + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + resourceNames: + # always give permissions for labelsmutator.antrea.io, even when the + # feature is disabled, to avoid errors in antrea-controller when updating + # the CA cert. + - labelsmutator.antrea.io + - crdmutator.antrea.io + - crdvalidator.antrea.io + verbs: + - get + - update + - apiGroups: + - crd.antrea.io + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete + - apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - list + - delete + - apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update + - apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - clustergroups/status + verbs: + - update + - apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list + - update + - patch + - apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - externalippools/status + - ippools/status + verbs: + - update + - apiGroups: + - apps + resources: + - statefulsets + verbs: + - get + - list + - watch +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: + name: aggregate-antrea-policies-edit labels: app: antrea - name: antrea-config-29g6gtcctg - namespace: kube-system + # Add these permissions to the "admin" and "edit" default roles. + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["clusternetworkpolicies", "networkpolicies"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] --- -apiVersion: v1 -kind: Secret +# Source: antrea/templates/crds-rbac/clusterroles.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: antrea-ipsec - namespace: kube-system -stringData: - psk: changeme -type: Opaque + name: aggregate-antrea-policies-view + labels: + app: antrea + # Add these permissions to the "view" default role. + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["clusternetworkpolicies", "networkpolicies"] + verbs: ["get", "list", "watch"] --- -apiVersion: v1 -kind: Service +# Source: antrea/templates/crds-rbac/clusterroles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: aggregate-traceflows-edit + labels: + app: antrea + # Add these permissions to the "admin" and "edit" default roles. + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["traceflows"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 metadata: + name: aggregate-traceflows-view + labels: + app: antrea + # Add these permissions to the "view" default role. + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["traceflows"] + verbs: ["get", "list", "watch"] +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: aggregate-antrea-clustergroups-edit + labels: + app: antrea + # Add these permissions to the "admin" and "edit" default roles. + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["clustergroups"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: aggregate-antrea-clustergroups-view + labels: + app: antrea + # Add these permissions to the "view" default role. + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["clustergroups"] + verbs: ["get", "list", "watch"] +--- +# Source: antrea/templates/agent/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-agent + labels: + app: antrea +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: + - kind: ServiceAccount + name: antrea-agent + namespace: kube-system +--- +# Source: antrea/templates/antctl/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antctl +subjects: + - kind: ServiceAccount + name: antctl + namespace: kube-system +--- +# Source: antrea/templates/controller/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-controller labels: app: antrea +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: + - kind: ServiceAccount + name: antrea-controller + namespace: kube-system +--- +# Source: antrea/templates/controller/service.yaml +apiVersion: v1 +kind: Service +metadata: name: antrea namespace: kube-system + labels: + app: antrea spec: ports: - - port: 443 - protocol: TCP - targetPort: api + - port: 443 + protocol: TCP + targetPort: api selector: app: antrea component: antrea-controller --- +# Source: antrea/templates/agent/daemonset.yaml apiVersion: apps/v1 -kind: Deployment +kind: DaemonSet metadata: + name: antrea-agent + namespace: kube-system labels: app: antrea - component: antrea-controller + component: antrea-agent +spec: + selector: + matchLabels: + app: antrea + component: antrea-agent + updateStrategy: + type: RollingUpdate + template: + metadata: + annotations: + # Starting with v1.21, Kubernetes supports default container annotation. + # Using "kubectl logs/exec/attach/cp" doesn't have to specify "-c antrea-agent" when troubleshooting. + kubectl.kubernetes.io/default-container: antrea-agent + # Automatically restart Pods with a RollingUpdate if the ConfigMap changes + # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments + checksum/config: cd2d943645be405d6af5e8fa14fa9949ec82ac09efde547e6536fcd5b3013b5d + checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4 + labels: + app: antrea + component: antrea-agent + spec: + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + priorityClassName: system-node-critical + nodeSelector: + kubernetes.io/os: linux + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + serviceAccountName: antrea-agent + initContainers: + - name: install-cni + image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest" + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 100m + command: ["install_cni"] + securityContext: + capabilities: + add: + # SYS_MODULE is required to load the OVS kernel module. + - SYS_MODULE + env: + # SKIP_CNI_BINARIES takes in values as a comma separated list of + # binaries that need to be skipped for installation, e.g. "portmap, bandwidth". + - name: SKIP_CNI_BINARIES + value: "" + volumeMounts: + - name: antrea-config + mountPath: /etc/antrea/antrea-cni.conflist + subPath: antrea-cni.conflist + readOnly: true + - name: host-cni-conf + mountPath: /host/etc/cni/net.d + - name: host-cni-bin + mountPath: /host/opt/cni/bin + # For loading the OVS kernel module. + - name: host-lib-modules + mountPath: /lib/modules + readOnly: true + # For changing the default permissions of the run directory. + - name: host-var-run-antrea + mountPath: /var/run/antrea + containers: + - name: antrea-agent + image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest" + imagePullPolicy: IfNotPresent + command: ["antrea-agent"] + # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).- + args: + - "--config=/etc/antrea/antrea-agent.conf" + - "--logtostderr=false" + - "--log_dir=/var/log/antrea" + - "--alsologtostderr" + - "--log_file_max_size=100" + - "--log_file_max_num=4" + env: + # Provide pod and node information for clusterinformation CRD. + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + # Pre-shared key for IPsec IKE. + - name: ANTREA_IPSEC_PSK + valueFrom: + secretKeyRef: + name: antrea-ipsec + key: psk + resources: + requests: + cpu: 200m + ports: + - containerPort: 10350 + name: api + protocol: TCP + livenessProbe: + exec: + command: + - /bin/sh + - -c + - container_liveness_probe agent + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + failureThreshold: 5 + readinessProbe: + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + # In large-scale clusters, it may take up to 40~50 seconds for the antrea-agent to reconnect to the antrea + # Service after the antrea-controller restarts. The antrea-agent shouldn't be reported as NotReady in this + # scenario, otherwise the DaemonSet controller would restart all agents at once, as opposed to performing a + # rolling update. Set failureThreshold to 8 so it can tolerate 70s of disconnection. + failureThreshold: 8 + securityContext: + # antrea-agent needs to perform sysctl configuration. + privileged: true + volumeMounts: + - name: antrea-config + mountPath: /etc/antrea/antrea-agent.conf + subPath: antrea-agent.conf + readOnly: true + - name: host-var-run-antrea + mountPath: /var/run/antrea + - name: host-var-run-antrea + mountPath: /var/run/openvswitch + subPath: openvswitch + # host-local IPAM stores allocated IP addresses as files in /var/lib/cni/networks/$NETWORK_NAME. + # Mount a sub-directory of host-var-run-antrea to it for persistence of IP allocation. + - name: host-var-run-antrea + mountPath: /var/lib/cni + subPath: cni + # We need to mount both the /proc directory and the /var/run/netns directory so that + # antrea-agent can open the network namespace path when setting up Pod + # networking. Different container runtimes may use /proc or /var/run/netns when invoking + # the CNI commands. Docker uses /proc and containerd uses /var/run/netns. + - name: host-var-log-antrea + mountPath: /var/log/antrea + - name: host-proc + mountPath: /host/proc + readOnly: true + - name: host-var-run-netns + mountPath: /host/var/run/netns + readOnly: true + # When a container is created, a mount point for the network namespace is added under + # /var/run/netns on the host, which needs to be propagated to the antrea-agent container. + mountPropagation: HostToContainer + - name: xtables-lock + mountPath: /run/xtables.lock + - name: antrea-ovs + image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest" + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 200m + command: ["start_ovs"] + args: + - "--log_file_max_size=100" + - "--log_file_max_num=4" + securityContext: + # capabilities required by OVS daemons + capabilities: + add: + - SYS_NICE + - NET_ADMIN + - SYS_ADMIN + - IPC_LOCK + livenessProbe: + exec: + # docker CRI doesn't honor timeoutSeconds, add "timeout" to the command as a workaround. + # https://github.com/kubernetes/kubernetes/issues/51901 + command: + - /bin/sh + - -c + - timeout 10 container_liveness_probe ovs + initialDelaySeconds: 5 + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 5 + volumeMounts: + - name: host-var-run-antrea + mountPath: /var/run/openvswitch + subPath: openvswitch + - name: host-var-log-antrea + mountPath: /var/log/openvswitch + subPath: openvswitch + - name: antrea-ipsec + image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest" + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 50m + command: ["start_ovs_ipsec"] + livenessProbe: + exec: + command: + - /bin/sh + - -c + - timeout 5 container_liveness_probe ovs-ipsec + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + capabilities: + add: + - NET_ADMIN + volumeMounts: + - name: host-var-run-antrea + mountPath: /var/run/openvswitch + subPath: openvswitch + - name: host-var-log-antrea + mountPath: /var/log/openvswitch + subPath: openvswitch + - name: host-var-log-antrea + mountPath: /var/log/strongswan + subPath: strongswan + volumes: + - name: antrea-config + configMap: + name: antrea-config + - name: host-cni-conf + hostPath: + path: /etc/cni/net.d + - name: host-cni-bin + hostPath: + path: /opt/cni/bin + - name: host-proc + hostPath: + path: /proc + - name: host-var-run-netns + hostPath: + path: /var/run/netns + - name: host-var-run-antrea + hostPath: + path: /var/run/antrea + # we use subPath to create run subdirectories for different component (e.g. OVS) and + # subPath requires the base volume to exist + type: DirectoryOrCreate + - name: host-var-log-antrea + hostPath: + path: /var/log/antrea + # we use subPath to create logging subdirectories for different component (e.g. OVS) + type: DirectoryOrCreate + - name: host-lib-modules + hostPath: + path: /lib/modules + - name: xtables-lock + hostPath: + path: /run/xtables.lock + type: FileOrCreate +--- +# Source: antrea/templates/controller/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: name: antrea-controller namespace: kube-system + labels: + app: antrea + component: antrea-controller spec: - replicas: 1 + strategy: + # Ensure the existing Pod is stopped before the new one is created. + type: Recreate selector: matchLabels: app: antrea component: antrea-controller - strategy: - type: Recreate + replicas: 1 template: metadata: + annotations: + # Automatically restart Pod if the ConfigMap changes + # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments + checksum/config: cd2d943645be405d6af5e8fa14fa9949ec82ac09efde547e6536fcd5b3013b5d labels: app: antrea component: antrea-controller spec: - containers: - - args: - - --config - - /etc/antrea/antrea-controller.conf - - --logtostderr=false - - --log_dir=/var/log/antrea - - --alsologtostderr - - --log_file_max_size=100 - - --log_file_max_num=4 - - --v=0 - command: - - antrea-controller - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: SERVICEACCOUNT_NAME - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ANTREA_CONFIG_MAP_NAME - value: antrea-config-29g6gtcctg - image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 5 - httpGet: - host: localhost - path: /livez - port: api - scheme: HTTPS - periodSeconds: 10 - timeoutSeconds: 5 - name: antrea-controller - ports: - - containerPort: 10349 - name: api - protocol: TCP - readinessProbe: - failureThreshold: 5 - httpGet: - host: localhost - path: /readyz - port: api - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - resources: - requests: - cpu: 200m - volumeMounts: - - mountPath: /etc/antrea/antrea-controller.conf - name: antrea-config - readOnly: true - subPath: antrea-controller.conf - - mountPath: /var/run/antrea/antrea-controller-tls - name: antrea-controller-tls - - mountPath: /var/log/antrea - name: host-var-log-antrea - hostNetwork: true nodeSelector: kubernetes.io/os: linux + hostNetwork: true priorityClassName: system-cluster-critical - serviceAccountName: antrea-controller tolerations: - - key: CriticalAddonsOnly - operator: Exists - - effect: NoSchedule - key: node-role.kubernetes.io/master + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + serviceAccountName: antrea-controller + containers: + - name: antrea-controller + image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest" + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 200m + command: ["antrea-controller"] + # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work). + args: + - "--config=/etc/antrea/antrea-controller.conf" + - "--logtostderr=false" + - "--log_dir=/var/log/antrea" + - "--alsologtostderr" + - "--log_file_max_size=100" + - "--log_file_max_num=4" + env: + # Provide pod and node information for clusterinformation CRD. + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + # Provide ServiceAccount name for validation webhook. + - name: SERVICEACCOUNT_NAME + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ANTREA_CONFIG_MAP_NAME + value: antrea-config + ports: + - containerPort: 10349 + name: api + protocol: TCP + readinessProbe: + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + failureThreshold: 5 + livenessProbe: + httpGet: + host: localhost + path: /livez + port: api + scheme: HTTPS + timeoutSeconds: 5 + periodSeconds: 10 + failureThreshold: 5 + volumeMounts: + - name: antrea-config + mountPath: /etc/antrea/antrea-controller.conf + subPath: antrea-controller.conf + readOnly: true + - name: antrea-controller-tls + mountPath: /var/run/antrea/antrea-controller-tls + - name: host-var-log-antrea + mountPath: /var/log/antrea volumes: - - configMap: - name: antrea-config-29g6gtcctg - name: antrea-config - - name: antrea-controller-tls - secret: - defaultMode: 256 - optional: true - secretName: antrea-controller-tls - - hostPath: - path: /var/log/antrea - type: DirectoryOrCreate - name: host-var-log-antrea + - name: antrea-config + configMap: + name: antrea-config + # Make it optional as we only read it when selfSignedCert=false. + - name: antrea-controller-tls + secret: + secretName: antrea-controller-tls + defaultMode: 0400 + optional: true + - name: host-var-log-antrea + hostPath: + path: /var/log/antrea + type: DirectoryOrCreate --- +# Source: antrea/templates/controller/apiservices.yaml apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: + name: v1beta2.controlplane.antrea.io labels: app: antrea - name: v1alpha1.stats.antrea.io spec: - group: stats.antrea.io + group: controlplane.antrea.io groupPriorityMinimum: 100 + version: v1beta2 + versionPriority: 100 service: name: antrea namespace: kube-system - version: v1alpha1 - versionPriority: 100 --- +# Source: antrea/templates/controller/apiservices.yaml apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: + name: v1beta1.system.antrea.io labels: app: antrea - name: v1beta1.system.antrea.io spec: group: system.antrea.io groupPriorityMinimum: 100 + version: v1beta1 + versionPriority: 100 service: name: antrea namespace: kube-system - version: v1beta1 - versionPriority: 100 --- +# Source: antrea/templates/controller/apiservices.yaml apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: + name: v1alpha1.stats.antrea.io labels: app: antrea - name: v1beta2.controlplane.antrea.io spec: - group: controlplane.antrea.io + group: stats.antrea.io groupPriorityMinimum: 100 + version: v1alpha1 + versionPriority: 100 service: name: antrea namespace: kube-system - version: v1beta2 - versionPriority: 100 ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - labels: - app: antrea - component: antrea-agent - name: antrea-agent - namespace: kube-system -spec: - selector: - matchLabels: - app: antrea - component: antrea-agent - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: antrea-agent - labels: - app: antrea - component: antrea-agent - spec: - containers: - - command: - - start_ovs_ipsec - image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest - imagePullPolicy: IfNotPresent - livenessProbe: - exec: - command: - - /bin/sh - - -c - - timeout 5 container_liveness_probe ovs-ipsec - initialDelaySeconds: 5 - periodSeconds: 5 - name: antrea-ipsec - resources: - requests: - cpu: 50m - securityContext: - capabilities: - add: - - NET_ADMIN - volumeMounts: - - mountPath: /var/run/openvswitch - name: host-var-run-antrea - subPath: openvswitch - - mountPath: /var/log/openvswitch - name: host-var-log-antrea - subPath: openvswitch - - mountPath: /var/log/strongswan - name: host-var-log-antrea - subPath: strongswan - - args: - - --config - - /etc/antrea/antrea-agent.conf - - --logtostderr=false - - --log_dir=/var/log/antrea - - --alsologtostderr - - --log_file_max_size=100 - - --log_file_max_num=4 - - --v=0 - command: - - antrea-agent - env: - - name: ANTREA_IPSEC_PSK - valueFrom: - secretKeyRef: - key: psk - name: antrea-ipsec - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest - imagePullPolicy: IfNotPresent - livenessProbe: - exec: - command: - - /bin/sh - - -c - - container_liveness_probe agent - failureThreshold: 5 - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - name: antrea-agent - ports: - - containerPort: 10350 - name: api - protocol: TCP - readinessProbe: - failureThreshold: 8 - httpGet: - host: localhost - path: /readyz - port: api - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - resources: - requests: - cpu: 200m - securityContext: - privileged: true - volumeMounts: - - mountPath: /etc/antrea/antrea-agent.conf - name: antrea-config - readOnly: true - subPath: antrea-agent.conf - - mountPath: /var/run/antrea - name: host-var-run-antrea - - mountPath: /var/run/openvswitch - name: host-var-run-antrea - subPath: openvswitch - - mountPath: /var/lib/cni - name: host-var-run-antrea - subPath: cni - - mountPath: /var/log/antrea - name: host-var-log-antrea - - mountPath: /host/proc - name: host-proc - readOnly: true - - mountPath: /host/var/run/netns - mountPropagation: HostToContainer - name: host-var-run-netns - readOnly: true - - mountPath: /run/xtables.lock - name: xtables-lock - - args: - - --log_file_max_size=100 - - --log_file_max_num=4 - command: - - start_ovs - image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest - imagePullPolicy: IfNotPresent - livenessProbe: - exec: - command: - - /bin/sh - - -c - - timeout 10 container_liveness_probe ovs - failureThreshold: 5 - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 10 - name: antrea-ovs - resources: - requests: - cpu: 200m - securityContext: - capabilities: - add: - - SYS_NICE - - NET_ADMIN - - SYS_ADMIN - - IPC_LOCK - volumeMounts: - - mountPath: /var/run/openvswitch - name: host-var-run-antrea - subPath: openvswitch - - mountPath: /var/log/openvswitch - name: host-var-log-antrea - subPath: openvswitch - dnsPolicy: ClusterFirstWithHostNet - hostNetwork: true - initContainers: - - command: - - install_cni - env: - - name: SKIP_CNI_BINARIES - value: "" - image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest - imagePullPolicy: IfNotPresent - name: install-cni - resources: - requests: - cpu: 100m - securityContext: - capabilities: - add: - - SYS_MODULE - volumeMounts: - - mountPath: /etc/antrea/antrea-cni.conflist - name: antrea-config - readOnly: true - subPath: antrea-cni.conflist - - mountPath: /host/etc/cni/net.d - name: host-cni-conf - - mountPath: /host/opt/cni/bin - name: host-cni-bin - - mountPath: /lib/modules - name: host-lib-modules - readOnly: true - - mountPath: /var/run/antrea - name: host-var-run-antrea - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-node-critical - serviceAccountName: antrea-agent - tolerations: - - key: CriticalAddonsOnly - operator: Exists - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - volumes: - - configMap: - name: antrea-config-29g6gtcctg - name: antrea-config - - hostPath: - path: /etc/cni/net.d - name: host-cni-conf - - hostPath: - path: /opt/cni/bin - name: host-cni-bin - - hostPath: - path: /proc - name: host-proc - - hostPath: - path: /var/run/netns - name: host-var-run-netns - - hostPath: - path: /var/run/antrea - type: DirectoryOrCreate - name: host-var-run-antrea - - hostPath: - path: /var/log/antrea - type: DirectoryOrCreate - name: host-var-log-antrea - - hostPath: - path: /lib/modules - name: host-lib-modules - - hostPath: - path: /run/xtables.lock - type: FileOrCreate - name: xtables-lock - updateStrategy: - type: RollingUpdate --- +# Source: antrea/templates/webhooks/mutating/crdmutator.yaml apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: + name: "crdmutator.antrea.io" labels: app: antrea - name: crdmutator.antrea.io webhooks: -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /mutate/acnp - name: acnpmutator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusternetworkpolicies - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /mutate/anp - name: anpmutator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - networkpolicies - scope: Namespaced - sideEffects: None - timeoutSeconds: 5 + - name: "acnpmutator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/mutate/acnp" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["clusternetworkpolicies"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "anpmutator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/mutate/anp" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["networkpolicies"] + scope: "Namespaced" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 --- +# Source: antrea/templates/webhooks/validating/crdvalidator.yaml apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: + name: "crdvalidator.antrea.io" labels: app: antrea - name: crdvalidator.antrea.io webhooks: -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/tier - name: tiervalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - - DELETE - resources: - - tiers - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/acnp - name: acnpvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusternetworkpolicies - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/anp - name: anpvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - networkpolicies - scope: Namespaced - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/clustergroup - name: clustergroupvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha3 - - v1alpha2 - operations: - - CREATE - - UPDATE - resources: - - clustergroups - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/externalippool - name: externalippoolvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha2 - operations: - - UPDATE - resources: - - externalippools - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/egress - name: egressvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha2 - operations: - - CREATE - - UPDATE - resources: - - egresses - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/ippool - name: ippoolvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha2 - operations: - - CREATE - - UPDATE - - DELETE - resources: - - ippools - scope: Cluster - sideEffects: None - timeoutSeconds: 5 + - name: "tiervalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/tier" + rules: + - operations: ["CREATE", "UPDATE", "DELETE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["tiers"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "acnpvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/acnp" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["clusternetworkpolicies"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "anpvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/anp" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["networkpolicies"] + scope: "Namespaced" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "clustergroupvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/clustergroup" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha3", "v1alpha2"] + resources: ["clustergroups"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "externalippoolvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/externalippool" + rules: + - operations: ["UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha2"] + resources: ["externalippools"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "egressvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/egress" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha2"] + resources: ["egresses"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "ippoolvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/ippool" + rules: + - operations: ["CREATE", "UPDATE", "DELETE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha2"] + resources: ["ippools"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml index 9501d9275ef..f58da9f625e 100644 --- a/build/yamls/antrea.yml +++ b/build/yamls/antrea.yml @@ -1,2742 +1,39 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition +--- +# Source: antrea/templates/agent/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount metadata: + name: antrea-agent + namespace: kube-system labels: app: antrea - name: antreaagentinfos.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: AntreaAgentInfo - plural: antreaagentinfos - shortNames: - - aai - singular: antreaagentinfo - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Health status of this Agent - jsonPath: .agentConditions[?(@.type=='AgentHealthy')].status - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: .agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime - name: Last Heartbeat - type: date - - description: Version of this Agent - jsonPath: .version - name: Version - priority: 1 - type: string - - description: Node on which this Agent is running - jsonPath: .nodeRef.name - name: Node - priority: 1 - type: string - - description: Number of local Pods managed by this Agent - jsonPath: .localPodNum - name: Num Pods - priority: 2 - type: integer - - description: Subnets used by this Agent for Pod IPAM - jsonPath: .nodeSubnets - name: Subnets - priority: 2 - type: string - name: v1beta1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true --- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition +# Source: antrea/templates/antctl/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount metadata: + name: antctl + namespace: kube-system labels: app: antrea - name: antreacontrollerinfos.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: AntreaControllerInfo - plural: antreacontrollerinfos - shortNames: - - aci - singular: antreacontrollerinfo - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Health status of the Controller - jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].status - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime - name: Last Heartbeat - type: date - - description: Version of the Controller - jsonPath: .version - name: Version - priority: 1 - type: string - - description: Number of Agents connected to the Controller - jsonPath: .connectedAgentNum - name: Connected Agents - priority: 1 - type: integer - - description: Node on which the Controller is running - jsonPath: .nodeRef.name - name: Node - priority: 1 - type: string - - description: Number of Network Policies computed by Controller - jsonPath: .networkPolicyControllerInfo.networkPolicyNum - name: Num Network Policies - priority: 2 - type: integer - name: v1beta1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true --- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition +# Source: antrea/templates/controller/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount metadata: + name: antrea-controller + namespace: kube-system labels: app: antrea - name: clustergroups.crd.antrea.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: antrea - namespace: kube-system - path: /convert/clustergroup - conversionReviewVersions: - - v1 - - v1beta1 - group: crd.antrea.io - names: - kind: ClusterGroup - plural: clustergroups - shortNames: - - cg - singular: clustergroup - scope: Cluster - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - childGroups: - items: - type: string - type: array - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - ipBlocks: - items: - properties: - cidr: - format: cidr - type: string - type: object - type: array - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceReference: - properties: - name: - type: string - namespace: - type: string - type: object - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - type: string - status: - type: string - type: - type: string - type: object - type: array - type: object - type: object - served: true - storage: false - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - properties: - childGroups: - items: - type: string - type: array - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - ipBlocks: - items: - properties: - cidr: - format: cidr - type: string - type: object - type: array - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceReference: - properties: - name: - type: string - namespace: - type: string - type: object - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - type: string - status: - type: string - type: - type: string - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} --- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition +# Source: antrea/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap metadata: + name: antrea-config + namespace: kube-system labels: app: antrea - name: clusternetworkpolicies.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ClusterNetworkPolicy - plural: clusternetworkpolicies - shortNames: - - acnp - singular: clusternetworkpolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The Tier to which this ClusterNetworkPolicy belongs to. - jsonPath: .spec.tier - name: Tier - type: string - - description: The Priority of this ClusterNetworkPolicy relative to other policies. - format: float - jsonPath: .spec.priority - name: Priority - type: number - - description: The total number of Nodes that should realize the NetworkPolicy. - format: int32 - jsonPath: .status.desiredNodesRealized - name: Desired Nodes - type: number - - description: The number of Nodes that have realized the NetworkPolicy. - format: int32 - jsonPath: .status.currentNodesRealized - name: Current Nodes - type: number - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceAccount: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - type: array - egress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceAccount: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - type: array - enableLogging: - type: boolean - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string - type: object - type: array - to: - items: - properties: - fqdn: - type: string - group: - type: string - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: - properties: - match: - type: string - type: object - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceAccount: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - type: array - toServices: - items: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: array - required: - - action - type: object - type: array - ingress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceAccount: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - type: array - enableLogging: - type: boolean - from: - items: - properties: - group: - type: string - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: - properties: - match: - enum: - - Self - type: string - type: object - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceAccount: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - type: array - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string - type: object - type: array - required: - - action - type: object - type: array - priority: - format: float - maximum: 10000 - minimum: 1 - type: number - tier: - type: string - required: - - priority - type: object - status: - properties: - currentNodesRealized: - type: integer - desiredNodesRealized: - type: integer - observedGeneration: - type: integer - phase: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: egresses.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Egress - plural: egresses - shortNames: - - eg - singular: egress - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Specifies the SNAT IP address for the selected workloads. - jsonPath: .spec.egressIP - name: EgressIP - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The Owner Node of egress IP - jsonPath: .status.egressNode - name: Node - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - anyOf: - - required: - - egressIP - - required: - - externalIPPool - properties: - appliedTo: - properties: - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - egressIP: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - externalIPPool: - type: string - required: - - appliedTo - type: object - status: - properties: - egressNode: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalentities.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ExternalEntity - plural: externalentities - shortNames: - - ee - singular: externalentity - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - endpoints: - items: - properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - name: - type: string - type: object - type: array - externalNode: - type: string - ports: - items: - properties: - name: - type: string - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string - type: object - type: array - type: object - type: object - served: true - storage: true - - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - served: false - storage: false ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalippools.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ExternalIPPool - plural: externalippools - shortNames: - - eip - singular: externalippool - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of allocated IPs - jsonPath: .status.usage.used - name: Used - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - ipRanges: - items: - oneOf: - - required: - - cidr - - required: - - start - - end - properties: - cidr: - format: cidr - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - start: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - type: object - type: array - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - required: - - ipRanges - - nodeSelector - type: object - status: - properties: - usage: - properties: - total: - type: integer - used: - type: integer - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: ippools.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: IPPool - plural: ippools - shortNames: - - ipp - singular: ippool - scope: Cluster - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - ipRanges: - items: - oneOf: - - required: - - cidr - - gateway - - prefixLength - - required: - - start - - end - - gateway - - prefixLength - properties: - cidr: - format: cidr - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - gateway: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - prefixLength: - type: integer - start: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - vlan: - maximum: 4094 - minimum: 0 - type: integer - type: object - type: array - ipVersion: - type: integer - required: - - ipVersion - - ipRanges - type: object - status: - properties: - ipAddresses: - items: - properties: - ipAddress: - type: string - owner: - properties: - pod: - properties: - containerID: - type: string - ifName: - type: string - name: - type: string - namespace: - type: string - type: object - statefulSet: - properties: - index: - type: integer - name: - type: string - namespace: - type: string - type: object - type: object - phase: - type: string - type: object - type: array - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: networkpolicies.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: NetworkPolicy - plural: networkpolicies - shortNames: - - anp - singular: networkpolicy - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The Tier to which this Antrea NetworkPolicy belongs to. - jsonPath: .spec.tier - name: Tier - type: string - - description: The Priority of this Antrea NetworkPolicy relative to other policies. - format: float - jsonPath: .spec.priority - name: Priority - type: number - - description: The total number of Nodes that should realize the NetworkPolicy. - format: int32 - jsonPath: .status.desiredNodesRealized - name: Desired Nodes - type: number - - description: The number of Nodes that have realized the NetworkPolicy. - format: int32 - jsonPath: .status.currentNodesRealized - name: Current Nodes - type: number - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - egress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - enableLogging: - type: boolean - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string - type: object - type: array - to: - items: - properties: - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - fqdn: - type: string - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - toServices: - items: - properties: - name: - type: string - namespace: - type: string - required: - - name - type: object - type: array - required: - - action - type: object - type: array - ingress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - enableLogging: - type: boolean - from: - items: - properties: - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - enum: - - TCP - - UDP - - SCTP - type: string - type: object - type: array - required: - - action - type: object - type: array - priority: - format: float - maximum: 10000 - minimum: 1 - type: number - tier: - type: string - required: - - priority - type: object - status: - properties: - currentNodesRealized: - type: integer - desiredNodesRealized: - type: integer - observedGeneration: - type: integer - phase: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: tiers.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Tier - plural: tiers - shortNames: - - tr - singular: tier - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The Priority of this Tier relative to other Tiers. - jsonPath: .spec.priority - name: Priority - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - description: - type: string - priority: - maximum: 255 - minimum: 0 - type: integer - required: - - priority - type: object - type: object - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: traceflows.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Traceflow - plural: traceflows - shortNames: - - tf - singular: traceflow - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The phase of the Traceflow. - jsonPath: .status.phase - name: Phase - type: string - - description: The name of the source Pod. - jsonPath: .spec.source.pod - name: Source-Pod - priority: 10 - type: string - - description: The name of the destination Pod. - jsonPath: .spec.destination.pod - name: Destination-Pod - priority: 10 - type: string - - description: The IP address of the destination. - jsonPath: .spec.destination.ip - name: Destination-IP - priority: 10 - type: string - - description: Trace live traffic. - jsonPath: .spec.liveTraffic - name: Live-Traffic - priority: 10 - type: boolean - - description: Capture only the dropped packet. - jsonPath: .spec.droppedOnly - name: Dropped-Only - priority: 10 - type: boolean - - description: Timeout in seconds. - jsonPath: .spec.timeout - name: Timeout - priority: 10 - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - destination: - properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - namespace: - type: string - pod: - type: string - service: - type: string - type: object - droppedOnly: - type: boolean - liveTraffic: - type: boolean - packet: - properties: - ipHeader: - properties: - flags: - type: integer - protocol: - type: integer - srcIP: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - ttl: - type: integer - type: object - ipv6Header: - properties: - hopLimit: - type: integer - nextHeader: - type: integer - srcIP: - format: ipv6 - type: string - type: object - transportHeader: - properties: - icmp: - properties: - id: - type: integer - sequence: - type: integer - type: object - tcp: - properties: - dstPort: - type: integer - flags: - type: integer - srcPort: - type: integer - type: object - udp: - properties: - dstPort: - type: integer - srcPort: - type: integer - type: object - type: object - type: object - source: - properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - namespace: - type: string - pod: - type: string - type: object - timeout: - type: integer - type: object - status: - properties: - capturedPacket: - properties: - dstIP: - type: string - ipHeader: - properties: - flags: - type: integer - protocol: - type: integer - ttl: - type: integer - type: object - ipv6Header: - properties: - hopLimit: - type: integer - nextHeader: - type: integer - type: object - length: - type: integer - srcIP: - type: string - transportHeader: - properties: - icmp: - properties: - id: - type: integer - sequence: - type: integer - type: object - tcp: - properties: - dstPort: - type: integer - flags: - type: integer - srcPort: - type: integer - type: object - udp: - properties: - dstPort: - type: integer - srcPort: - type: integer - type: object - type: object - type: object - dataplaneTag: - type: integer - phase: - type: string - reason: - type: string - results: - items: - properties: - node: - type: string - observations: - items: - properties: - action: - type: string - component: - type: string - componentInfo: - type: string - dstMAC: - type: string - networkPolicy: - type: string - pod: - type: string - translatedDstIP: - type: string - translatedSrcIP: - type: string - ttl: - type: integer - tunnelDstIP: - type: string - type: object - type: array - role: - type: string - timestamp: - type: integer - type: object - type: array - startTime: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: antrea - name: antctl - namespace: kube-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: antrea - name: antrea-agent - namespace: kube-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: antrea - name: antrea-controller - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: aggregate-antrea-clustergroups-edit -rules: -- apiGroups: - - crd.antrea.io - resources: - - clustergroups - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: aggregate-antrea-clustergroups-view -rules: -- apiGroups: - - crd.antrea.io - resources: - - clustergroups - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: aggregate-antrea-policies-edit -rules: -- apiGroups: - - crd.antrea.io - resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: aggregate-antrea-policies-view -rules: -- apiGroups: - - crd.antrea.io - resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: aggregate-traceflows-edit -rules: -- apiGroups: - - crd.antrea.io - resources: - - traceflows - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: aggregate-traceflows-view -rules: -- apiGroups: - - crd.antrea.io - resources: - - traceflows - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antctl -rules: -- apiGroups: - - controlplane.antrea.io - resources: - - networkpolicies - - appliedtogroups - - addressgroups - verbs: - - get - - list -- apiGroups: - - stats.antrea.io - resources: - - networkpolicystats - - antreaclusternetworkpolicystats - - antreanetworkpolicystats - verbs: - - get - - list -- apiGroups: - - system.antrea.io - resources: - - controllerinfos - - agentinfos - verbs: - - get -- apiGroups: - - system.antrea.io - resources: - - supportbundles - verbs: - - get - - post -- apiGroups: - - system.antrea.io - resources: - - supportbundles/download - verbs: - - get -- nonResourceURLs: - - /agentinfo - - /addressgroups - - /appliedtogroups - - /loglevel - - /networkpolicies - - /ovsflows - - /ovstracing - - /podinterfaces - - /featuregates - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antrea-agent -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - nodes/status - verbs: - - patch -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - pods/status - verbs: - - patch -- apiGroups: - - "" - resources: - - endpoints - - services - - namespaces - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - services/status - verbs: - - update -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - antreaagentinfos - verbs: - - get - - create - - update - - delete -- apiGroups: - - controlplane.antrea.io - resources: - - networkpolicies - - appliedtogroups - - addressgroups - verbs: - - get - - watch - - list -- apiGroups: - - controlplane.antrea.io - resources: - - egressgroups - verbs: - - get - - watch - - list -- apiGroups: - - controlplane.antrea.io - resources: - - nodestatssummaries - verbs: - - create -- apiGroups: - - controlplane.antrea.io - resources: - - networkpolicies/status - verbs: - - create - - get -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - "" - resourceNames: - - extension-apiserver-authentication - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - "" - resourceNames: - - antrea-ca - resources: - - configmaps - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - traceflows - - traceflows/status - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - egresses - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - egresses/status - verbs: - - update -- apiGroups: - - crd.antrea.io - resources: - - externalippools - - ippools - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - ippools/status - verbs: - - update -- apiGroups: - - k8s.cni.cncf.io - resources: - - network-attachment-definitions - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antrea-cluster-identity-reader -rules: -- apiGroups: - - "" - resourceNames: - - antrea-cluster-identity - resources: - - configmaps - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antrea-controller -rules: -- apiGroups: - - "" - resources: - - pods - - services - - namespaces - - configmaps - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - watch - - list - - patch -- apiGroups: - - "" - resources: - - services/status - verbs: - - update -- apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - get - - watch - - list -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - update -- apiGroups: - - "" - resourceNames: - - extension-apiserver-authentication - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - "" - resourceNames: - - antrea-ca - - antrea-cluster-identity - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create -- apiGroups: - - apiregistration.k8s.io - resourceNames: - - v1alpha1.stats.antrea.io - - v1beta1.system.antrea.io - - v1beta2.controlplane.antrea.io - resources: - - apiservices - verbs: - - get - - update -- apiGroups: - - apiregistration.k8s.io - resourceNames: - - v1beta1.networking.antrea.tanzu.vmware.com - - v1beta1.controlplane.antrea.tanzu.vmware.com - - v1alpha1.stats.antrea.tanzu.vmware.com - - v1beta1.system.antrea.tanzu.vmware.com - - v1beta2.controlplane.antrea.tanzu.vmware.com - resources: - - apiservices - verbs: - - delete -- apiGroups: - - admissionregistration.k8s.io - resourceNames: - - labelsmutator.antrea.io - - crdmutator.antrea.io - - crdvalidator.antrea.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: - - get - - update -- apiGroups: - - crd.antrea.io - resources: - - antreacontrollerinfos - verbs: - - get - - create - - update - - delete -- apiGroups: - - crd.antrea.io - resources: - - antreaagentinfos - verbs: - - list - - delete -- apiGroups: - - crd.antrea.io - resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - clusternetworkpolicies/status - - networkpolicies/status - verbs: - - update -- apiGroups: - - crd.antrea.io - resources: - - tiers - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - traceflows - - traceflows/status - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - externalentities - - clustergroups - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - clustergroups/status - verbs: - - update -- apiGroups: - - crd.antrea.io - resources: - - egresses - verbs: - - get - - watch - - list - - update - - patch -- apiGroups: - - crd.antrea.io - resources: - - externalippools - - ippools - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - externalippools/status - - ippools/status - verbs: - - update -- apiGroups: - - apps - resources: - - statefulsets - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: antrea - name: antctl - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: antctl -subjects: -- kind: ServiceAccount - name: antctl - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: antrea - name: antrea-agent -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: antrea-agent -subjects: -- kind: ServiceAccount - name: antrea-agent - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: antrea - name: antrea-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: antrea-controller -subjects: -- kind: ServiceAccount - name: antrea-controller - namespace: kube-system ---- -apiVersion: v1 data: antrea-agent.conf: | # FeatureGates is a map of feature names to bools that enable or disable experimental features. @@ -2790,19 +87,18 @@ data: # Name of the OpenVSwitch bridge antrea-agent will create and use. # Make sure it doesn't conflict with your existing OpenVSwitch bridges. - #ovsBridge: br-int + ovsBridge: "br-int" # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: # - system # - netdev # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run - # OVS in userspace mode (not fully supported yet). Userspace mode requires the tun device driver to - # be available. + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. #ovsDatapathType: system # Name of the interface antrea-agent will create and use for host <--> pod communication. # Make sure it doesn't conflict with your existing interfaces. - #hostGateway: antrea-gw0 + hostGateway: "antrea-gw0" # Determines how traffic is encapsulated. It has the following options: # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network @@ -2814,14 +110,14 @@ data: # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod # IPAM and connectivity to the primary CNI. # - #trafficEncapMode: encap + trafficEncapMode: "encap" # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never # performs SNAT and this option will be ignored; for other modes it must be set to false. - #noSNAT: false + noSNAT: false # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, # this option will not take effect. Supported values: @@ -2830,7 +126,7 @@ data: # - gre # - stt # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). - #tunnelType: geneve + tunnelType: "geneve" # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. # It has the following options: @@ -2840,7 +136,7 @@ data: # the PSK value must be passed to Antrea Agent through an environment # variable: ANTREA_IPSEC_PSK. # - wireGuard: Enable WireGuard for tunnel traffic encryption. - #trafficEncryptionMode: none + trafficEncryptionMode: "none" # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are @@ -2849,40 +145,40 @@ data: # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. - #enableBridgingMode: false + enableBridgingMode: false # Default MTU to use for the host gateway interface and the network interface of each Pod. # If omitted, antrea-agent will discover the MTU of the Node's primary interface and # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). - #defaultMTU: 0 + defaultMTU: 0 # wireGuard specifies WireGuard related configurations. wireGuard: - # The port for WireGuard to receive traffic. - # port: 51820 + # The port for WireGuard to receive traffic. + port: 51820 egress: - # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. - # exceptCIDRs: [] + # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. + exceptCIDRs: # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. - #serviceCIDR: 10.96.0.0/12 + serviceCIDR: "" # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. # No default value for this field. - #serviceCIDRv6: + serviceCIDRv6: "" # The port for the antrea-agent APIServer to serve on. # Note that if it's set to another value, the `containerPort` of the `api` port of the # `antrea-agent` container must be set to the same value. - #apiPort: 10350 + apiPort: 10350 # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. - #enablePrometheusMetrics: true + enablePrometheusMetrics: true # Provide the IPFIX collector address as a string with format :[][:]. # HOST can either be the DNS name or the IP of the Flow Collector. For example, @@ -2893,50 +189,50 @@ data: # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and # "udp" protocols. "tls" is used for securing communication between flow exporter and # flow aggregator. - #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" + flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" # Provide flow poll interval as a duration string. This determines how often the # flow exporter dumps connections from the conntrack module. Flow poll interval # should be greater than or equal to 1s (one second). # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #flowPollInterval: "5s" + flowPollInterval: "5s" # Provide the active flow export timeout, which is the timeout after which a flow # record is sent to the collector for active flows. Thus, for flows with a continuous # stream of packets, a flow record will be exported to the collector once the elapsed # time since the last export event is equal to the value of this timeout. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #activeFlowExportTimeout: "30s" + activeFlowExportTimeout: "5s" # Provide the idle flow export timeout, which is the timeout after which a flow # record is sent to the collector for idle flows. A flow is considered idle if no # packet matching this flow has been observed since the last export event. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #idleFlowExportTimeout: "15s" + idleFlowExportTimeout: "15s" nodePortLocal: # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature # gate is also enabled (which is the default). - # enable: false + enable: false # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port # from that range will be assigned whenever a Pod's container defines a specific port to be exposed # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic # directed to that port will be forwarded to the Pod. - # portRange: 61000-62000 + portRange: "61000-62000" # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. - #kubeAPIServerOverride: "" + kubeAPIServerOverride: "" # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. # https://golang.org/pkg/crypto/tls/#pkg-constants # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always # prefer TLS1.3 Cipher Suites whenever possible. - #tlsCipherSuites: + tlsCipherSuites: "" # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - #tlsMinVersion: + tlsMinVersion: "" # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. # If there are multiple IP addresses configured on the interface, the first one is used. The IP @@ -2945,11 +241,11 @@ data: # 1. transportInterface # 2. transportInterfaceCIDRs # 3. The Node IP - #transportInterface: + transportInterface: "" # The names of the interfaces on Nodes that are used to forward multicast traffic. # Defaults to transport interface if not set. - #multicastInterfaces: [] + multicastInterfaces: # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The @@ -2958,7 +254,7 @@ data: # 1. transportInterface # 2. transportInterfaceCIDRs # 3. The Node IP - #transportInterfaceCIDRs: [,] + transportInterfaceCIDRs: # Option antreaProxy contains AntreaProxy related configuration options. antreaProxy: @@ -2967,22 +263,22 @@ data: # feature to be enabled. # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access # apiserver directly. - #proxyAll: false + proxyAll: false # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. # Note that the option is only valid when proxyAll is true. - #nodePortAddresses: [] + nodePortAddresses: # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name # with Namespace (e.g. kube-system/kube-dns) - #skipServices: [] + skipServices: # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. - #proxyLoadBalancerIPs: true + proxyLoadBalancerIPs: true antrea-cni.conflist: | { "cniVersion":"0.3.0", @@ -2993,11 +289,13 @@ data: "ipam": { "type": "host-local" } - }, + } + , { "type": "portmap", "capabilities": {"portMappings": true} - }, + } + , { "type": "bandwidth", "capabilities": {"bandwidth": true} @@ -3035,659 +333,3317 @@ data: # The port for the antrea-controller APIServer to serve on. # Note that if it's set to another value, the `containerPort` of the `api` port of the # `antrea-controller` container must be set to the same value. - #apiPort: 10349 + apiPort: 10349 # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. - #enablePrometheusMetrics: true + enablePrometheusMetrics: true # Indicates whether to use auto-generated self-signed TLS certificate. - # If false, A Secret named "antrea-controller-tls" must be provided with the following keys: + # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: # ca.crt: # tls.crt: # tls.key: - # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the - # antrea-controller container. - #selfSignedCert: true + selfSignedCert: true # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. # https://golang.org/pkg/crypto/tls/#pkg-constants # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always # prefer TLS1.3 Cipher Suites whenever possible. - #tlsCipherSuites: + tlsCipherSuites: "" # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - #tlsMinVersion: + tlsMinVersion: "" nodeIPAM: - # Enable the integrated Node IPAM controller within the Antrea controller. - # enableNodeIPAM: false - - # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. - # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. - # Value ignored when enableNodeIPAM is false. - # clusterCIDRs: [] - - # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. - # Value ignored when enableNodeIPAM is false. - # serviceCIDR: - # serviceCIDRv6: - - # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. - # nodeCIDRMaskSizeIPv4: 24 - - # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. - # nodeCIDRMaskSizeIPv6: 64 -kind: ConfigMap + # Enable the integrated Node IPAM controller within the Antrea controller. + enableNodeIPAM: false + # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. + # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. + # Value ignored when enableNodeIPAM is false. + clusterCIDRs: + # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. + # Value ignored when enableNodeIPAM is false. + serviceCIDR: "" + serviceCIDRv6: "" + # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. + nodeCIDRMaskSizeIPv4: 24 + # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. + nodeCIDRMaskSizeIPv6: 64 +--- +# Source: antrea/templates/crds/antreaagentinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: antreaagentinfos.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of this Agent + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of this Agent + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Node on which this Agent is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of local Pods managed by this Agent + jsonPath: ".localPodNum" + name: Num Pods + type: integer + priority: 2 + - description: Subnets used by this Agent for Pod IPAM + jsonPath: ".nodeSubnets" + name: Subnets + type: string + priority: 2 + scope: Cluster + names: + plural: antreaagentinfos + singular: antreaagentinfo + kind: AntreaAgentInfo + shortNames: + - aai +--- +# Source: antrea/templates/crds/antreacontrollerinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: antreacontrollerinfos.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of the Controller + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of the Controller + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Number of Agents connected to the Controller + jsonPath: ".connectedAgentNum" + name: Connected Agents + type: integer + priority: 1 + - description: Node on which the Controller is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of Network Policies computed by Controller + jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" + name: Num Network Policies + type: integer + priority: 2 + scope: Cluster + names: + plural: antreacontrollerinfos + singular: antreacontrollerinfo + kind: AntreaControllerInfo + shortNames: + - aci +--- +# Source: antrea/templates/crds/clustergroup.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clustergroups.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + - name: v1alpha3 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + service: + name: "antrea" + namespace: "kube-system" + path: "/convert/clustergroup" + scope: Cluster + names: + plural: clustergroups + singular: clustergroup + kind: ClusterGroup + shortNames: + - cg +--- +# Source: antrea/templates/crds/clusternetworkpolicy.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusternetworkpolicies.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this ClusterNetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. + jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + name: + type: string + enableLogging: + type: boolean + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaces: + type: object + properties: + match: + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + fqdn: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + toServices: + type: array + items: + type: object + required: + - name + - namespace + properties: + name: + type: string + namespace: + type: string + name: + type: string + enableLogging: + type: boolean + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + subresources: + status: {} + scope: Cluster + names: + plural: clusternetworkpolicies + singular: clusternetworkpolicy + kind: ClusterNetworkPolicy + shortNames: + - acnp +--- +# Source: antrea/templates/crds/egress.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: egresses.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - appliedTo + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + egressIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + externalIPPool: + type: string + status: + type: object + properties: + egressNode: + type: string + additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. + jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + subresources: + status: {} + scope: Cluster + names: + plural: egresses + singular: egress + kind: Egress + shortNames: + - eg +--- +# Source: antrea/templates/crds/externalentity.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalentities.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + endpoints: + type: array + items: + type: object + properties: + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + name: + type: string + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + name: + type: string + externalNode: + type: string + - name: v1alpha1 + served: false + storage: false + schema: + openAPIV3Schema: + type: object + scope: Namespaced + names: + plural: externalentities + singular: externalentity + kind: ExternalEntity + shortNames: + - ee +--- +# Source: antrea/templates/crds/externalippool.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - ipRanges + - nodeSelector + properties: + ipRanges: + type: array + items: + type: object + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + type: string + format: cidr + start: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + end: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + status: + type: object + properties: + usage: + type: object + properties: + total: + type: integer + used: + type: integer + additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + scope: Cluster + names: + plural: externalippools + singular: externalippool + kind: ExternalIPPool + shortNames: + - eip +--- +# Source: antrea/templates/crds/ippool.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + required: + - ipVersion + - ipRanges + type: object + properties: + ipVersion: + type: integer + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + vlan: + type: integer + minimum: 0 + maximum: 4094 + type: object + type: array + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + name: + type: string + namespace: + type: string + containerID: + type: string + ifName: + type: string + type: object + statefulSet: + properties: + name: + type: string + namespace: + type: string + index: + type: integer + type: object + type: object + phase: + type: string + type: object + type: array + type: object + subresources: + status: {} + scope: Cluster + names: + plural: ippools + singular: ippool + kind: IPPool + shortNames: + - ipp +--- +# Source: antrea/templates/crds/networkpolicy.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networkpolicies.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this Antrea NetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. + jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + name: + type: string + enableLogging: + type: boolean + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + # Ensure that Action field allows only ALLOW, DROP and REJECT values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + fqdn: + type: string + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + toServices: + type: array + items: + type: object + required: + - name + properties: + name: + type: string + namespace: + type: string + name: + type: string + enableLogging: + type: boolean + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + subresources: + status: {} + scope: Namespaced + names: + plural: networkpolicies + singular: networkpolicy + kind: NetworkPolicy + shortNames: + - anp +--- +# Source: antrea/templates/crds/tier.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tiers.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Priority + type: integer + description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + required: + - priority + type: object + properties: + priority: + type: integer + minimum: 0 + maximum: 255 + description: + type: string + scope: Cluster + names: + plural: tiers + singular: tier + kind: Tier + shortNames: + - tr +--- +# Source: antrea/templates/crds/traceflow.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: traceflows.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .status.phase + description: The phase of the Traceflow. + name: Phase + type: string + - jsonPath: .spec.source.pod + description: The name of the source Pod. + name: Source-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.pod + description: The name of the destination Pod. + name: Destination-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.ip + description: The IP address of the destination. + name: Destination-IP + type: string + priority: 10 + - jsonPath: .spec.liveTraffic + description: Trace live traffic. + name: Live-Traffic + type: boolean + priority: 10 + - jsonPath: .spec.droppedOnly + description: Capture only the dropped packet. + name: Dropped-Only + type: boolean + priority: 10 + - jsonPath: .spec.timeout + description: Timeout in seconds. + name: Timeout + type: integer + priority: 10 + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + properties: + source: + type: object + properties: + pod: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + destination: + type: object + properties: + pod: + type: string + service: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + packet: + type: object + properties: + ipHeader: + type: object + properties: + srcIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + protocol: + type: integer + ttl: + type: integer + flags: + type: integer + ipv6Header: + type: object + properties: + srcIP: + type: string + format: ipv6 + nextHeader: + type: integer + hopLimit: + type: integer + transportHeader: + type: object + properties: + icmp: + type: object + properties: + id: + type: integer + sequence: + type: integer + udp: + type: object + properties: + srcPort: + type: integer + dstPort: + type: integer + tcp: + type: object + properties: + srcPort: + type: integer + dstPort: + type: integer + flags: + type: integer + liveTraffic: + type: boolean + droppedOnly: + type: boolean + timeout: + type: integer + status: + type: object + properties: + reason: + type: string + dataplaneTag: + type: integer + phase: + type: string + startTime: + type: string + results: + type: array + items: + type: object + properties: + node: + type: string + role: + type: string + timestamp: + type: integer + observations: + type: array + items: + type: object + properties: + component: + type: string + componentInfo: + type: string + action: + type: string + pod: + type: string + dstMAC: + type: string + networkPolicy: + type: string + ttl: + type: integer + translatedSrcIP: + type: string + translatedDstIP: + type: string + tunnelDstIP: + type: string + capturedPacket: + properties: + srcIP: + type: string + dstIP: + type: string + length: + type: integer + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + transportHeader: + properties: + tcp: + properties: + dstPort: + type: integer + srcPort: + type: integer + flags: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + type: object + type: object + subresources: + status: {} + scope: Cluster + names: + plural: traceflows + singular: traceflow + kind: Traceflow + shortNames: + - tf +--- +# Source: antrea/templates/agent/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-agent + labels: + app: antrea +rules: + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - nodes/status + verbs: + - patch + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - pods/status + verbs: + - patch + - apiGroups: + - "" + resources: + - endpoints + - services + - namespaces + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - services/status + verbs: + - update + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - get + - create + - update + - delete + - apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - watch + - list + - apiGroups: + - controlplane.antrea.io + resources: + - egressgroups + verbs: + - get + - watch + - list + - apiGroups: + - controlplane.antrea.io + resources: + - nodestatssummaries + verbs: + - create + - apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies/status + verbs: + - create + - get + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + # This is the content of built-in role kube-system/extension-apiserver-authentication-reader. + # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-agent) will + # have permission issue after bumping up apiserver library to a version that supports dynamic authentication. + # See https://github.com/kubernetes/kubernetes/pull/85375 + # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on + # the extension-apiserver-authentication role. + - apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - antrea-ca + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - egresses/status + verbs: + - update + - apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - ippools/status + verbs: + - update + - apiGroups: + - k8s.cni.cncf.io + resources: + - network-attachment-definitions + verbs: + - get + - list + - watch +--- +# Source: antrea/templates/antctl/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antctl + labels: + app: antrea +rules: + - apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - list + - apiGroups: + - stats.antrea.io + resources: + - networkpolicystats + - antreaclusternetworkpolicystats + - antreanetworkpolicystats + verbs: + - get + - list + - apiGroups: + - system.antrea.io + resources: + - controllerinfos + - agentinfos + verbs: + - get + - apiGroups: + - system.antrea.io + resources: + - supportbundles + verbs: + - get + - post + - apiGroups: + - system.antrea.io + resources: + - supportbundles/download + verbs: + - get + - nonResourceURLs: + - /agentinfo + - /addressgroups + - /appliedtogroups + - /loglevel + - /networkpolicies + - /ovsflows + - /ovstracing + - /podinterfaces + - /featuregates + verbs: + - get +--- +# Source: antrea/templates/cluster-identity-reader/clusterrolebinding.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-cluster-identity-reader + labels: + app: antrea +rules: + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - antrea-cluster-identity + verbs: + - get +--- +# Source: antrea/templates/controller/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-controller + labels: + app: antrea +rules: + - apiGroups: + - "" + resources: + - pods + - services + - namespaces + - configmaps + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - patch + - apiGroups: + - "" + resources: + - services/status + verbs: + - update + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - watch + - list + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - update + # This is the content of built-in role kube-system/extension-apiserver-authentication-reader. + # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-controller) will + # have permission issue after bumping up apiserver library to a version that supports dynamic authentication. + # See https://github.com/kubernetes/kubernetes/pull/85375 + # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on + # the extension-apiserver-authentication role. + - apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - antrea-ca + - antrea-cluster-identity + verbs: + - get + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + resourceNames: + - v1alpha1.stats.antrea.io + - v1beta1.system.antrea.io + - v1beta2.controlplane.antrea.io + verbs: + - get + - update + - apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + resourceNames: + - v1beta1.networking.antrea.tanzu.vmware.com + - v1beta1.controlplane.antrea.tanzu.vmware.com + - v1alpha1.stats.antrea.tanzu.vmware.com + - v1beta1.system.antrea.tanzu.vmware.com + - v1beta2.controlplane.antrea.tanzu.vmware.com + verbs: + - delete + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + resourceNames: + # always give permissions for labelsmutator.antrea.io, even when the + # feature is disabled, to avoid errors in antrea-controller when updating + # the CA cert. + - labelsmutator.antrea.io + - crdmutator.antrea.io + - crdvalidator.antrea.io + verbs: + - get + - update + - apiGroups: + - crd.antrea.io + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete + - apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - list + - delete + - apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update + - apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - clustergroups/status + verbs: + - update + - apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list + - update + - patch + - apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - externalippools/status + - ippools/status + verbs: + - update + - apiGroups: + - apps + resources: + - statefulsets + verbs: + - get + - list + - watch +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: + name: aggregate-antrea-policies-edit labels: app: antrea - name: antrea-config-bb75mkktfg - namespace: kube-system + # Add these permissions to the "admin" and "edit" default roles. + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["clusternetworkpolicies", "networkpolicies"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] --- -apiVersion: v1 -kind: Service +# Source: antrea/templates/crds-rbac/clusterroles.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: aggregate-antrea-policies-view + labels: + app: antrea + # Add these permissions to the "view" default role. + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["clusternetworkpolicies", "networkpolicies"] + verbs: ["get", "list", "watch"] +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: aggregate-traceflows-edit + labels: + app: antrea + # Add these permissions to the "admin" and "edit" default roles. + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["traceflows"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 metadata: + name: aggregate-traceflows-view + labels: + app: antrea + # Add these permissions to the "view" default role. + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["traceflows"] + verbs: ["get", "list", "watch"] +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: aggregate-antrea-clustergroups-edit + labels: + app: antrea + # Add these permissions to the "admin" and "edit" default roles. + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["clustergroups"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: aggregate-antrea-clustergroups-view + labels: + app: antrea + # Add these permissions to the "view" default role. + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["clustergroups"] + verbs: ["get", "list", "watch"] +--- +# Source: antrea/templates/agent/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-agent + labels: + app: antrea +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: + - kind: ServiceAccount + name: antrea-agent + namespace: kube-system +--- +# Source: antrea/templates/antctl/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antctl +subjects: + - kind: ServiceAccount + name: antctl + namespace: kube-system +--- +# Source: antrea/templates/controller/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-controller labels: app: antrea +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: + - kind: ServiceAccount + name: antrea-controller + namespace: kube-system +--- +# Source: antrea/templates/controller/service.yaml +apiVersion: v1 +kind: Service +metadata: name: antrea namespace: kube-system + labels: + app: antrea spec: ports: - - port: 443 - protocol: TCP - targetPort: api + - port: 443 + protocol: TCP + targetPort: api selector: app: antrea component: antrea-controller --- +# Source: antrea/templates/agent/daemonset.yaml apiVersion: apps/v1 -kind: Deployment +kind: DaemonSet metadata: + name: antrea-agent + namespace: kube-system labels: app: antrea - component: antrea-controller + component: antrea-agent +spec: + selector: + matchLabels: + app: antrea + component: antrea-agent + updateStrategy: + type: RollingUpdate + template: + metadata: + annotations: + # Starting with v1.21, Kubernetes supports default container annotation. + # Using "kubectl logs/exec/attach/cp" doesn't have to specify "-c antrea-agent" when troubleshooting. + kubectl.kubernetes.io/default-container: antrea-agent + # Automatically restart Pods with a RollingUpdate if the ConfigMap changes + # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments + checksum/config: 4605b6a5554073a43eacb44136f408bc84bd5fb4e91c95db3ddbf47add0e36d0 + labels: + app: antrea + component: antrea-agent + spec: + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + priorityClassName: system-node-critical + nodeSelector: + kubernetes.io/os: linux + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + serviceAccountName: antrea-agent + initContainers: + - name: install-cni + image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest" + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 100m + command: ["install_cni"] + securityContext: + capabilities: + add: + # SYS_MODULE is required to load the OVS kernel module. + - SYS_MODULE + env: + # SKIP_CNI_BINARIES takes in values as a comma separated list of + # binaries that need to be skipped for installation, e.g. "portmap, bandwidth". + - name: SKIP_CNI_BINARIES + value: "" + volumeMounts: + - name: antrea-config + mountPath: /etc/antrea/antrea-cni.conflist + subPath: antrea-cni.conflist + readOnly: true + - name: host-cni-conf + mountPath: /host/etc/cni/net.d + - name: host-cni-bin + mountPath: /host/opt/cni/bin + # For loading the OVS kernel module. + - name: host-lib-modules + mountPath: /lib/modules + readOnly: true + # For changing the default permissions of the run directory. + - name: host-var-run-antrea + mountPath: /var/run/antrea + containers: + - name: antrea-agent + image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest" + imagePullPolicy: IfNotPresent + command: ["antrea-agent"] + # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).- + args: + - "--config=/etc/antrea/antrea-agent.conf" + - "--logtostderr=false" + - "--log_dir=/var/log/antrea" + - "--alsologtostderr" + - "--log_file_max_size=100" + - "--log_file_max_num=4" + env: + # Provide pod and node information for clusterinformation CRD. + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + resources: + requests: + cpu: 200m + ports: + - containerPort: 10350 + name: api + protocol: TCP + livenessProbe: + exec: + command: + - /bin/sh + - -c + - container_liveness_probe agent + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + failureThreshold: 5 + readinessProbe: + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + # In large-scale clusters, it may take up to 40~50 seconds for the antrea-agent to reconnect to the antrea + # Service after the antrea-controller restarts. The antrea-agent shouldn't be reported as NotReady in this + # scenario, otherwise the DaemonSet controller would restart all agents at once, as opposed to performing a + # rolling update. Set failureThreshold to 8 so it can tolerate 70s of disconnection. + failureThreshold: 8 + securityContext: + # antrea-agent needs to perform sysctl configuration. + privileged: true + volumeMounts: + - name: antrea-config + mountPath: /etc/antrea/antrea-agent.conf + subPath: antrea-agent.conf + readOnly: true + - name: host-var-run-antrea + mountPath: /var/run/antrea + - name: host-var-run-antrea + mountPath: /var/run/openvswitch + subPath: openvswitch + # host-local IPAM stores allocated IP addresses as files in /var/lib/cni/networks/$NETWORK_NAME. + # Mount a sub-directory of host-var-run-antrea to it for persistence of IP allocation. + - name: host-var-run-antrea + mountPath: /var/lib/cni + subPath: cni + # We need to mount both the /proc directory and the /var/run/netns directory so that + # antrea-agent can open the network namespace path when setting up Pod + # networking. Different container runtimes may use /proc or /var/run/netns when invoking + # the CNI commands. Docker uses /proc and containerd uses /var/run/netns. + - name: host-var-log-antrea + mountPath: /var/log/antrea + - name: host-proc + mountPath: /host/proc + readOnly: true + - name: host-var-run-netns + mountPath: /host/var/run/netns + readOnly: true + # When a container is created, a mount point for the network namespace is added under + # /var/run/netns on the host, which needs to be propagated to the antrea-agent container. + mountPropagation: HostToContainer + - name: xtables-lock + mountPath: /run/xtables.lock + - name: antrea-ovs + image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest" + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 200m + command: ["start_ovs"] + args: + - "--log_file_max_size=100" + - "--log_file_max_num=4" + securityContext: + # capabilities required by OVS daemons + capabilities: + add: + - SYS_NICE + - NET_ADMIN + - SYS_ADMIN + - IPC_LOCK + livenessProbe: + exec: + # docker CRI doesn't honor timeoutSeconds, add "timeout" to the command as a workaround. + # https://github.com/kubernetes/kubernetes/issues/51901 + command: + - /bin/sh + - -c + - timeout 10 container_liveness_probe ovs + initialDelaySeconds: 5 + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 5 + volumeMounts: + - name: host-var-run-antrea + mountPath: /var/run/openvswitch + subPath: openvswitch + - name: host-var-log-antrea + mountPath: /var/log/openvswitch + subPath: openvswitch + volumes: + - name: antrea-config + configMap: + name: antrea-config + - name: host-cni-conf + hostPath: + path: /etc/cni/net.d + - name: host-cni-bin + hostPath: + path: /opt/cni/bin + - name: host-proc + hostPath: + path: /proc + - name: host-var-run-netns + hostPath: + path: /var/run/netns + - name: host-var-run-antrea + hostPath: + path: /var/run/antrea + # we use subPath to create run subdirectories for different component (e.g. OVS) and + # subPath requires the base volume to exist + type: DirectoryOrCreate + - name: host-var-log-antrea + hostPath: + path: /var/log/antrea + # we use subPath to create logging subdirectories for different component (e.g. OVS) + type: DirectoryOrCreate + - name: host-lib-modules + hostPath: + path: /lib/modules + - name: xtables-lock + hostPath: + path: /run/xtables.lock + type: FileOrCreate +--- +# Source: antrea/templates/controller/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: name: antrea-controller namespace: kube-system + labels: + app: antrea + component: antrea-controller spec: - replicas: 1 + strategy: + # Ensure the existing Pod is stopped before the new one is created. + type: Recreate selector: matchLabels: app: antrea component: antrea-controller - strategy: - type: Recreate + replicas: 1 template: metadata: + annotations: + # Automatically restart Pod if the ConfigMap changes + # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments + checksum/config: 4605b6a5554073a43eacb44136f408bc84bd5fb4e91c95db3ddbf47add0e36d0 labels: app: antrea component: antrea-controller spec: - containers: - - args: - - --config - - /etc/antrea/antrea-controller.conf - - --logtostderr=false - - --log_dir=/var/log/antrea - - --alsologtostderr - - --log_file_max_size=100 - - --log_file_max_num=4 - - --v=0 - command: - - antrea-controller - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: SERVICEACCOUNT_NAME - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ANTREA_CONFIG_MAP_NAME - value: antrea-config-bb75mkktfg - image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 5 - httpGet: - host: localhost - path: /livez - port: api - scheme: HTTPS - periodSeconds: 10 - timeoutSeconds: 5 - name: antrea-controller - ports: - - containerPort: 10349 - name: api - protocol: TCP - readinessProbe: - failureThreshold: 5 - httpGet: - host: localhost - path: /readyz - port: api - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - resources: - requests: - cpu: 200m - volumeMounts: - - mountPath: /etc/antrea/antrea-controller.conf - name: antrea-config - readOnly: true - subPath: antrea-controller.conf - - mountPath: /var/run/antrea/antrea-controller-tls - name: antrea-controller-tls - - mountPath: /var/log/antrea - name: host-var-log-antrea - hostNetwork: true nodeSelector: kubernetes.io/os: linux + hostNetwork: true priorityClassName: system-cluster-critical - serviceAccountName: antrea-controller tolerations: - - key: CriticalAddonsOnly - operator: Exists - - effect: NoSchedule - key: node-role.kubernetes.io/master + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + serviceAccountName: antrea-controller + containers: + - name: antrea-controller + image: "projects.registry.vmware.com/antrea/antrea-ubuntu:latest" + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 200m + command: ["antrea-controller"] + # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work). + args: + - "--config=/etc/antrea/antrea-controller.conf" + - "--logtostderr=false" + - "--log_dir=/var/log/antrea" + - "--alsologtostderr" + - "--log_file_max_size=100" + - "--log_file_max_num=4" + env: + # Provide pod and node information for clusterinformation CRD. + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + # Provide ServiceAccount name for validation webhook. + - name: SERVICEACCOUNT_NAME + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ANTREA_CONFIG_MAP_NAME + value: antrea-config + ports: + - containerPort: 10349 + name: api + protocol: TCP + readinessProbe: + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + failureThreshold: 5 + livenessProbe: + httpGet: + host: localhost + path: /livez + port: api + scheme: HTTPS + timeoutSeconds: 5 + periodSeconds: 10 + failureThreshold: 5 + volumeMounts: + - name: antrea-config + mountPath: /etc/antrea/antrea-controller.conf + subPath: antrea-controller.conf + readOnly: true + - name: antrea-controller-tls + mountPath: /var/run/antrea/antrea-controller-tls + - name: host-var-log-antrea + mountPath: /var/log/antrea volumes: - - configMap: - name: antrea-config-bb75mkktfg - name: antrea-config - - name: antrea-controller-tls - secret: - defaultMode: 256 - optional: true - secretName: antrea-controller-tls - - hostPath: - path: /var/log/antrea - type: DirectoryOrCreate - name: host-var-log-antrea + - name: antrea-config + configMap: + name: antrea-config + # Make it optional as we only read it when selfSignedCert=false. + - name: antrea-controller-tls + secret: + secretName: antrea-controller-tls + defaultMode: 0400 + optional: true + - name: host-var-log-antrea + hostPath: + path: /var/log/antrea + type: DirectoryOrCreate --- +# Source: antrea/templates/controller/apiservices.yaml apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: + name: v1beta2.controlplane.antrea.io labels: app: antrea - name: v1alpha1.stats.antrea.io spec: - group: stats.antrea.io + group: controlplane.antrea.io groupPriorityMinimum: 100 + version: v1beta2 + versionPriority: 100 service: name: antrea namespace: kube-system - version: v1alpha1 - versionPriority: 100 --- +# Source: antrea/templates/controller/apiservices.yaml apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: + name: v1beta1.system.antrea.io labels: app: antrea - name: v1beta1.system.antrea.io spec: group: system.antrea.io groupPriorityMinimum: 100 + version: v1beta1 + versionPriority: 100 service: name: antrea namespace: kube-system - version: v1beta1 - versionPriority: 100 --- +# Source: antrea/templates/controller/apiservices.yaml apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: + name: v1alpha1.stats.antrea.io labels: app: antrea - name: v1beta2.controlplane.antrea.io spec: - group: controlplane.antrea.io + group: stats.antrea.io groupPriorityMinimum: 100 + version: v1alpha1 + versionPriority: 100 service: name: antrea namespace: kube-system - version: v1beta2 - versionPriority: 100 ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - labels: - app: antrea - component: antrea-agent - name: antrea-agent - namespace: kube-system -spec: - selector: - matchLabels: - app: antrea - component: antrea-agent - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: antrea-agent - labels: - app: antrea - component: antrea-agent - spec: - containers: - - args: - - --config - - /etc/antrea/antrea-agent.conf - - --logtostderr=false - - --log_dir=/var/log/antrea - - --alsologtostderr - - --log_file_max_size=100 - - --log_file_max_num=4 - - --v=0 - command: - - antrea-agent - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest - imagePullPolicy: IfNotPresent - livenessProbe: - exec: - command: - - /bin/sh - - -c - - container_liveness_probe agent - failureThreshold: 5 - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - name: antrea-agent - ports: - - containerPort: 10350 - name: api - protocol: TCP - readinessProbe: - failureThreshold: 8 - httpGet: - host: localhost - path: /readyz - port: api - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - resources: - requests: - cpu: 200m - securityContext: - privileged: true - volumeMounts: - - mountPath: /etc/antrea/antrea-agent.conf - name: antrea-config - readOnly: true - subPath: antrea-agent.conf - - mountPath: /var/run/antrea - name: host-var-run-antrea - - mountPath: /var/run/openvswitch - name: host-var-run-antrea - subPath: openvswitch - - mountPath: /var/lib/cni - name: host-var-run-antrea - subPath: cni - - mountPath: /var/log/antrea - name: host-var-log-antrea - - mountPath: /host/proc - name: host-proc - readOnly: true - - mountPath: /host/var/run/netns - mountPropagation: HostToContainer - name: host-var-run-netns - readOnly: true - - mountPath: /run/xtables.lock - name: xtables-lock - - args: - - --log_file_max_size=100 - - --log_file_max_num=4 - command: - - start_ovs - image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest - imagePullPolicy: IfNotPresent - livenessProbe: - exec: - command: - - /bin/sh - - -c - - timeout 10 container_liveness_probe ovs - failureThreshold: 5 - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 10 - name: antrea-ovs - resources: - requests: - cpu: 200m - securityContext: - capabilities: - add: - - SYS_NICE - - NET_ADMIN - - SYS_ADMIN - - IPC_LOCK - volumeMounts: - - mountPath: /var/run/openvswitch - name: host-var-run-antrea - subPath: openvswitch - - mountPath: /var/log/openvswitch - name: host-var-log-antrea - subPath: openvswitch - dnsPolicy: ClusterFirstWithHostNet - hostNetwork: true - initContainers: - - command: - - install_cni - env: - - name: SKIP_CNI_BINARIES - value: "" - image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest - imagePullPolicy: IfNotPresent - name: install-cni - resources: - requests: - cpu: 100m - securityContext: - capabilities: - add: - - SYS_MODULE - volumeMounts: - - mountPath: /etc/antrea/antrea-cni.conflist - name: antrea-config - readOnly: true - subPath: antrea-cni.conflist - - mountPath: /host/etc/cni/net.d - name: host-cni-conf - - mountPath: /host/opt/cni/bin - name: host-cni-bin - - mountPath: /lib/modules - name: host-lib-modules - readOnly: true - - mountPath: /var/run/antrea - name: host-var-run-antrea - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-node-critical - serviceAccountName: antrea-agent - tolerations: - - key: CriticalAddonsOnly - operator: Exists - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - volumes: - - configMap: - name: antrea-config-bb75mkktfg - name: antrea-config - - hostPath: - path: /etc/cni/net.d - name: host-cni-conf - - hostPath: - path: /opt/cni/bin - name: host-cni-bin - - hostPath: - path: /proc - name: host-proc - - hostPath: - path: /var/run/netns - name: host-var-run-netns - - hostPath: - path: /var/run/antrea - type: DirectoryOrCreate - name: host-var-run-antrea - - hostPath: - path: /var/log/antrea - type: DirectoryOrCreate - name: host-var-log-antrea - - hostPath: - path: /lib/modules - name: host-lib-modules - - hostPath: - path: /run/xtables.lock - type: FileOrCreate - name: xtables-lock - updateStrategy: - type: RollingUpdate --- +# Source: antrea/templates/webhooks/mutating/crdmutator.yaml apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: + name: "crdmutator.antrea.io" labels: app: antrea - name: crdmutator.antrea.io webhooks: -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /mutate/acnp - name: acnpmutator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusternetworkpolicies - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /mutate/anp - name: anpmutator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - networkpolicies - scope: Namespaced - sideEffects: None - timeoutSeconds: 5 + - name: "acnpmutator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/mutate/acnp" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["clusternetworkpolicies"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "anpmutator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/mutate/anp" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["networkpolicies"] + scope: "Namespaced" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 --- +# Source: antrea/templates/webhooks/validating/crdvalidator.yaml apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: + name: "crdvalidator.antrea.io" labels: app: antrea - name: crdvalidator.antrea.io webhooks: -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/tier - name: tiervalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - - DELETE - resources: - - tiers - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/acnp - name: acnpvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusternetworkpolicies - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/anp - name: anpvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - networkpolicies - scope: Namespaced - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/clustergroup - name: clustergroupvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha3 - - v1alpha2 - operations: - - CREATE - - UPDATE - resources: - - clustergroups - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/externalippool - name: externalippoolvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha2 - operations: - - UPDATE - resources: - - externalippools - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/egress - name: egressvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha2 - operations: - - CREATE - - UPDATE - resources: - - egresses - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/ippool - name: ippoolvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha2 - operations: - - CREATE - - UPDATE - - DELETE - resources: - - ippools - scope: Cluster - sideEffects: None - timeoutSeconds: 5 + - name: "tiervalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/tier" + rules: + - operations: ["CREATE", "UPDATE", "DELETE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["tiers"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "acnpvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/acnp" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["clusternetworkpolicies"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "anpvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/anp" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["networkpolicies"] + scope: "Namespaced" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "clustergroupvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/clustergroup" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha3", "v1alpha2"] + resources: ["clustergroups"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "externalippoolvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/externalippool" + rules: + - operations: ["UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha2"] + resources: ["externalippools"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "egressvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/egress" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha2"] + resources: ["egresses"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "ippoolvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/ippool" + rules: + - operations: ["CREATE", "UPDATE", "DELETE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha2"] + resources: ["ippools"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 diff --git a/build/yamls/base/conf/antrea-controller.conf b/build/yamls/base/conf/antrea-controller.conf deleted file mode 100644 index 204153cb40c..00000000000 --- a/build/yamls/base/conf/antrea-controller.conf +++ /dev/null @@ -1,74 +0,0 @@ -# FeatureGates is a map of feature names to bools that enable or disable experimental features. -featureGates: -# Enable traceflow which provides packet tracing feature to diagnose network issue. -# Traceflow: true - -# Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins -# to define security policies which apply to the entire cluster, and Antrea NetworkPolicy -# feature that supports priorities, rule actions and externalEntities in the future. -# AntreaPolicy: true - -# Enable collecting and exposing NetworkPolicy statistics. -# NetworkPolicyStats: true - -# Enable controlling SNAT IPs of Pod egress traffic. -# Egress: true - -# Run Kubernetes NodeIPAMController with Antrea. -# NodeIPAM: false - -# Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the -# bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for -# IPAM when configuring secondary network interfaces with Multus. -# AntreaIPAM: false - -# Enable managing external IPs of Services of LoadBalancer type. -# ServiceExternalIP: false - -# The port for the antrea-controller APIServer to serve on. -# Note that if it's set to another value, the `containerPort` of the `api` port of the -# `antrea-controller` container must be set to the same value. -#apiPort: 10349 - -# Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. -#enablePrometheusMetrics: true - -# Indicates whether to use auto-generated self-signed TLS certificate. -# If false, A Secret named "antrea-controller-tls" must be provided with the following keys: -# ca.crt: -# tls.crt: -# tls.key: -# And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the -# antrea-controller container. -#selfSignedCert: true - -# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. -# https://golang.org/pkg/crypto/tls/#pkg-constants -# Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always -# prefer TLS1.3 Cipher Suites whenever possible. -#tlsCipherSuites: - -# TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. -#tlsMinVersion: - -nodeIPAM: -# Enable the integrated Node IPAM controller within the Antrea controller. -# enableNodeIPAM: false - -# CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. -# The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. -# Value ignored when enableNodeIPAM is false. -# clusterCIDRs: [] - -# CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. -# Value ignored when enableNodeIPAM is false. -# serviceCIDR: -# serviceCIDRv6: - -# Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false -# or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. -# nodeCIDRMaskSizeIPv4: 24 - -# Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false -# or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. -# nodeCIDRMaskSizeIPv6: 64 diff --git a/build/yamls/base/controller.yml b/build/yamls/base/controller.yml deleted file mode 100644 index 7ce4a28da36..00000000000 --- a/build/yamls/base/controller.yml +++ /dev/null @@ -1,306 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: antrea -spec: - ports: - - port: 443 - protocol: TCP - targetPort: api - selector: - component: antrea-controller ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1beta2.controlplane.antrea.io -spec: - group: controlplane.antrea.io - groupPriorityMinimum: 100 - version: v1beta2 - versionPriority: 100 - service: - name: antrea - namespace: kube-system ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1beta1.system.antrea.io -spec: - group: system.antrea.io - groupPriorityMinimum: 100 - version: v1beta1 - versionPriority: 100 - service: - name: antrea - namespace: kube-system ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: "crdmutator.antrea.io" -webhooks: - - name: "acnpmutator.antrea.io" - clientConfig: - service: - name: "antrea" - namespace: "kube-system" - path: "/mutate/acnp" - rules: - - operations: ["CREATE", "UPDATE"] - apiGroups: ["crd.antrea.io"] - apiVersions: ["v1alpha1"] - resources: ["clusternetworkpolicies"] - scope: "Cluster" - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - - name: "anpmutator.antrea.io" - clientConfig: - service: - name: "antrea" - namespace: "kube-system" - path: "/mutate/anp" - rules: - - operations: ["CREATE", "UPDATE"] - apiGroups: ["crd.antrea.io"] - apiVersions: ["v1alpha1"] - resources: ["networkpolicies"] - scope: "Namespaced" - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: "crdvalidator.antrea.io" -webhooks: - - name: "tiervalidator.antrea.io" - clientConfig: - service: - name: "antrea" - namespace: "kube-system" - path: "/validate/tier" - rules: - - operations: ["CREATE", "UPDATE", "DELETE"] - apiGroups: ["crd.antrea.io"] - apiVersions: ["v1alpha1"] - resources: ["tiers"] - scope: "Cluster" - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - - name: "acnpvalidator.antrea.io" - clientConfig: - service: - name: "antrea" - namespace: "kube-system" - path: "/validate/acnp" - rules: - - operations: ["CREATE", "UPDATE"] - apiGroups: ["crd.antrea.io"] - apiVersions: ["v1alpha1"] - resources: ["clusternetworkpolicies"] - scope: "Cluster" - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - - name: "anpvalidator.antrea.io" - clientConfig: - service: - name: "antrea" - namespace: "kube-system" - path: "/validate/anp" - rules: - - operations: ["CREATE", "UPDATE"] - apiGroups: ["crd.antrea.io"] - apiVersions: ["v1alpha1"] - resources: ["networkpolicies"] - scope: "Namespaced" - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - - name: "clustergroupvalidator.antrea.io" - clientConfig: - service: - name: "antrea" - namespace: "kube-system" - path: "/validate/clustergroup" - rules: - - operations: ["CREATE", "UPDATE"] - apiGroups: ["crd.antrea.io"] - apiVersions: ["v1alpha3", "v1alpha2"] - resources: ["clustergroups"] - scope: "Cluster" - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - - name: "externalippoolvalidator.antrea.io" - clientConfig: - service: - name: "antrea" - namespace: "kube-system" - path: "/validate/externalippool" - rules: - - operations: ["UPDATE"] - apiGroups: ["crd.antrea.io"] - apiVersions: ["v1alpha2"] - resources: ["externalippools"] - scope: "Cluster" - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - - name: "egressvalidator.antrea.io" - clientConfig: - service: - name: "antrea" - namespace: "kube-system" - path: "/validate/egress" - rules: - - operations: ["CREATE", "UPDATE"] - apiGroups: ["crd.antrea.io"] - apiVersions: ["v1alpha2"] - resources: ["egresses"] - scope: "Cluster" - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - - name: "ippoolvalidator.antrea.io" - clientConfig: - service: - name: "antrea" - namespace: "kube-system" - path: "/validate/ippool" - rules: - - operations: ["CREATE", "UPDATE", "DELETE"] - apiGroups: ["crd.antrea.io"] - apiVersions: ["v1alpha2"] - resources: ["ippools"] - scope: "Cluster" - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1alpha1.stats.antrea.io -spec: - group: stats.antrea.io - groupPriorityMinimum: 100 - version: v1alpha1 - versionPriority: 100 - service: - name: antrea - namespace: kube-system ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: antrea-controller - labels: - component: antrea-controller -spec: - strategy: - # Ensure the existing Pod is stopped before the new one is created. - type: Recreate - selector: - matchLabels: - component: antrea-controller - template: - metadata: - labels: - component: antrea-controller - spec: - nodeSelector: - kubernetes.io/os: linux - hostNetwork: true - priorityClassName: system-cluster-critical - tolerations: - # Mark it as a critical add-on. - - key: CriticalAddonsOnly - operator: Exists - # Allow it to schedule onto master nodes. - - key: node-role.kubernetes.io/master - effect: NoSchedule - serviceAccountName: antrea-controller - containers: - - name: antrea-controller - image: antrea - resources: - requests: - cpu: "200m" - command: ["antrea-controller"] - # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work). - args: ["--config", "/etc/antrea/antrea-controller.conf", "--logtostderr=false", "--log_dir=/var/log/antrea", "--alsologtostderr", "--log_file_max_size=100", "--log_file_max_num=4", "--v=0"] - env: - # Provide pod and node information for clusterinformation CRD. - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - # Provide ServiceAccount name for validation webhook. - - name: SERVICEACCOUNT_NAME - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ANTREA_CONFIG_MAP_NAME - value: "$(ANTREA_CONFIG_MAP_NAME)" - ports: - - containerPort: 10349 - name: api - protocol: TCP - readinessProbe: - httpGet: - host: localhost - path: /readyz - port: api - scheme: HTTPS - initialDelaySeconds: 5 - timeoutSeconds: 5 - periodSeconds: 10 - failureThreshold: 5 - livenessProbe: - httpGet: - host: localhost - path: /livez - port: api - scheme: HTTPS - timeoutSeconds: 5 - periodSeconds: 10 - failureThreshold: 5 - volumeMounts: - - name: antrea-config - mountPath: /etc/antrea/antrea-controller.conf - subPath: antrea-controller.conf - readOnly: true - - name: antrea-controller-tls - mountPath: /var/run/antrea/antrea-controller-tls - - name: host-var-log-antrea - mountPath: /var/log/antrea - volumes: - - name: antrea-config - configMap: - name: antrea-config - # Make it optional as we only read it when selfSignedCert=false. - - name: antrea-controller-tls - secret: - secretName: antrea-controller-tls - defaultMode: 0400 - optional: true - - name: host-var-log-antrea - hostPath: - path: /var/log/antrea - type: DirectoryOrCreate ---- diff --git a/build/yamls/base/crds.yml b/build/yamls/base/crds.yml deleted file mode 100644 index da3a2e916c4..00000000000 --- a/build/yamls/base/crds.yml +++ /dev/null @@ -1,2018 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: egresses.crd.antrea.io -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - appliedTo - anyOf: - - required: - - egressIP - - required: - - externalIPPool - properties: - appliedTo: - type: object - properties: - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - egressIP: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - externalIPPool: - type: string - status: - type: object - properties: - egressNode: - type: string - additionalPrinterColumns: - - description: Specifies the SNAT IP address for the selected workloads. - jsonPath: .spec.egressIP - name: EgressIP - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The Owner Node of egress IP - jsonPath: .status.egressNode - name: Node - type: string - subresources: - status: {} - scope: Cluster - names: - plural: egresses - singular: egress - kind: Egress - shortNames: - - eg ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: externalippools.crd.antrea.io -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - ipRanges - - nodeSelector - properties: - ipRanges: - type: array - items: - type: object - oneOf: - - required: - - cidr - - required: - - start - - end - properties: - cidr: - type: string - format: cidr - start: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - end: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - nodeSelector: - type: object - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - status: - type: object - properties: - usage: - type: object - properties: - total: - type: integer - used: - type: integer - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of allocated IPs - jsonPath: .status.usage.used - name: Used - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - subresources: - status: {} - scope: Cluster - names: - plural: externalippools - singular: externalippool - kind: ExternalIPPool - shortNames: - - eip ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ippools.crd.antrea.io -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - required: - - ipVersion - - ipRanges - type: object - properties: - ipVersion: - type: integer - ipRanges: - items: - oneOf: - - required: - - cidr - - gateway - - prefixLength - - required: - - start - - end - - gateway - - prefixLength - properties: - cidr: - format: cidr - type: string - start: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - gateway: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - prefixLength: - type: integer - vlan: - type: integer - minimum: 0 - maximum: 4094 - type: object - type: array - status: - properties: - ipAddresses: - items: - properties: - ipAddress: - type: string - owner: - properties: - pod: - properties: - name: - type: string - namespace: - type: string - containerID: - type: string - ifName: - type: string - type: object - statefulSet: - properties: - name: - type: string - namespace: - type: string - index: - type: integer - type: object - type: object - phase: - type: string - type: object - type: array - type: object - subresources: - status: {} - scope: Cluster - names: - plural: ippools - singular: ippool - kind: IPPool - shortNames: - - ipp ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: antreacontrollerinfos.crd.antrea.io -spec: - group: crd.antrea.io - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - description: Health status of the Controller - jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" - name: Last Heartbeat - type: date - - description: Version of the Controller - jsonPath: ".version" - name: Version - type: string - priority: 1 - - description: Number of Agents connected to the Controller - jsonPath: ".connectedAgentNum" - name: Connected Agents - type: integer - priority: 1 - - description: Node on which the Controller is running - jsonPath: ".nodeRef.name" - name: Node - type: string - priority: 1 - - description: Number of Network Policies computed by Controller - jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" - name: Num Network Policies - type: integer - priority: 2 - scope: Cluster - names: - plural: antreacontrollerinfos - singular: antreacontrollerinfo - kind: AntreaControllerInfo - shortNames: - - aci ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: antreaagentinfos.crd.antrea.io -spec: - group: crd.antrea.io - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - description: Health status of this Agent - jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" - name: Last Heartbeat - type: date - - description: Version of this Agent - jsonPath: ".version" - name: Version - type: string - priority: 1 - - description: Node on which this Agent is running - jsonPath: ".nodeRef.name" - name: Node - type: string - priority: 1 - - description: Number of local Pods managed by this Agent - jsonPath: ".localPodNum" - name: Num Pods - type: integer - priority: 2 - - description: Subnets used by this Agent for Pod IPAM - jsonPath: ".nodeSubnets" - name: Subnets - type: string - priority: 2 - scope: Cluster - names: - plural: antreaagentinfos - singular: antreaagentinfo - kind: AntreaAgentInfo - shortNames: - - aai ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: traceflows.crd.antrea.io -spec: - group: crd.antrea.io - versions: - - name: v1alpha1 - served: true - storage: true - additionalPrinterColumns: - - jsonPath: .status.phase - description: The phase of the Traceflow. - name: Phase - type: string - - jsonPath: .spec.source.pod - description: The name of the source Pod. - name: Source-Pod - type: string - priority: 10 - - jsonPath: .spec.destination.pod - description: The name of the destination Pod. - name: Destination-Pod - type: string - priority: 10 - - jsonPath: .spec.destination.ip - description: The IP address of the destination. - name: Destination-IP - type: string - priority: 10 - - jsonPath: .spec.liveTraffic - description: Trace live traffic. - name: Live-Traffic - type: boolean - priority: 10 - - jsonPath: .spec.droppedOnly - description: Capture only the dropped packet. - name: Dropped-Only - type: boolean - priority: 10 - - jsonPath: .spec.timeout - description: Timeout in seconds. - name: Timeout - type: integer - priority: 10 - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - properties: - source: - type: object - properties: - pod: - type: string - namespace: - type: string - ip: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - destination: - type: object - properties: - pod: - type: string - service: - type: string - namespace: - type: string - ip: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - packet: - type: object - properties: - ipHeader: - type: object - properties: - srcIP: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - protocol: - type: integer - ttl: - type: integer - flags: - type: integer - ipv6Header: - type: object - properties: - srcIP: - type: string - format: ipv6 - nextHeader: - type: integer - hopLimit: - type: integer - transportHeader: - type: object - properties: - icmp: - type: object - properties: - id: - type: integer - sequence: - type: integer - udp: - type: object - properties: - srcPort: - type: integer - dstPort: - type: integer - tcp: - type: object - properties: - srcPort: - type: integer - dstPort: - type: integer - flags: - type: integer - liveTraffic: - type: boolean - droppedOnly: - type: boolean - timeout: - type: integer - status: - type: object - properties: - reason: - type: string - dataplaneTag: - type: integer - phase: - type: string - startTime: - type: string - results: - type: array - items: - type: object - properties: - node: - type: string - role: - type: string - timestamp: - type: integer - observations: - type: array - items: - type: object - properties: - component: - type: string - componentInfo: - type: string - action: - type: string - pod: - type: string - dstMAC: - type: string - networkPolicy: - type: string - ttl: - type: integer - translatedSrcIP: - type: string - translatedDstIP: - type: string - tunnelDstIP: - type: string - capturedPacket: - properties: - srcIP: - type: string - dstIP: - type: string - length: - type: integer - ipHeader: - properties: - flags: - type: integer - protocol: - type: integer - ttl: - type: integer - type: object - ipv6Header: - properties: - hopLimit: - type: integer - nextHeader: - type: integer - type: object - transportHeader: - properties: - tcp: - properties: - dstPort: - type: integer - srcPort: - type: integer - flags: - type: integer - type: object - udp: - properties: - dstPort: - type: integer - srcPort: - type: integer - type: object - icmp: - properties: - id: - type: integer - sequence: - type: integer - type: object - type: object - type: object - subresources: - status: {} - scope: Cluster - names: - plural: traceflows - singular: traceflow - kind: Traceflow - shortNames: - - tf ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: tiers.crd.antrea.io -spec: - group: crd.antrea.io - versions: - - name: v1alpha1 - served: true - storage: true - additionalPrinterColumns: - - name: Priority - type: integer - description: The Priority of this Tier relative to other Tiers. - jsonPath: .spec.priority - - name: Age - type: date - jsonPath: .metadata.creationTimestamp - schema: - openAPIV3Schema: - type: object - properties: - spec: - required: - - priority - type: object - properties: - priority: - type: integer - minimum: 0 - maximum: 255 - description: - type: string - scope: Cluster - names: - plural: tiers - singular: tier - kind: Tier - shortNames: - - tr ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: clusternetworkpolicies.crd.antrea.io -spec: - group: crd.antrea.io - versions: - - name: v1alpha1 - served: true - storage: true - additionalPrinterColumns: - - name: Tier - type: string - description: The Tier to which this ClusterNetworkPolicy belongs to. - jsonPath: .spec.tier - - name: Priority - type: number - format: float - description: The Priority of this ClusterNetworkPolicy relative to other policies. - jsonPath: .spec.priority - - name: Desired Nodes - type: number - format: int32 - description: The total number of Nodes that should realize the NetworkPolicy. - jsonPath: .status.desiredNodesRealized - - name: Current Nodes - type: number - format: int32 - description: The number of Nodes that have realized the NetworkPolicy. - jsonPath: .status.currentNodesRealized - - name: Age - type: date - jsonPath: .metadata.creationTimestamp - schema: - openAPIV3Schema: - type: object - properties: - spec: - # Ensure that Spec.Priority field is set - required: - - priority - type: object - properties: - tier: - type: string - priority: - type: number - format: float - # Ensure that Spec.Priority field is between 1 and 10000 - minimum: 1.0 - maximum: 10000.0 - appliedTo: - type: array - items: - type: object - # Ensure that Spec.AppliedTo does not allow IPBlock field - properties: - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - group: - type: string - serviceAccount: - type: object - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - ingress: - type: array - items: - type: object - required: - - action - properties: - appliedTo: - type: array - items: - type: object - # Ensure that rule AppliedTo does not allow IPBlock field - properties: - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - group: - type: string - serviceAccount: - type: object - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - # Ensure that Action field allows only ALLOW, DROP and REJECT values - action: - type: string - enum: ['Allow', 'Drop', 'Reject', 'Pass'] - ports: - type: array - items: - type: object - properties: - protocol: - type: string - enum: ['TCP', 'UDP', 'SCTP'] - port: - x-kubernetes-int-or-string: true - endPort: - type: integer - from: - type: array - items: - type: object - properties: - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaces: - type: object - properties: - match: - enum: - - Self - type: string - ipBlock: - type: object - properties: - cidr: - type: string - format: cidr - group: - type: string - serviceAccount: - type: object - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - nodeSelector: - type: object - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - name: - type: string - enableLogging: - type: boolean - egress: - type: array - items: - type: object - required: - - action - properties: - appliedTo: - type: array - items: - type: object - # Ensure that rule AppliedTo does not allow IPBlock field - properties: - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - group: - type: string - serviceAccount: - type: object - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - # Ensure that Action field allows only ALLOW, DROP and REJECT values - action: - type: string - enum: ['Allow', 'Drop', 'Reject', 'Pass'] - ports: - type: array - items: - type: object - properties: - protocol: - type: string - enum: ['TCP', 'UDP', 'SCTP'] - port: - x-kubernetes-int-or-string: true - endPort: - type: integer - to: - type: array - items: - type: object - properties: - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaces: - type: object - properties: - match: - type: string - ipBlock: - type: object - properties: - cidr: - type: string - format: cidr - group: - type: string - fqdn: - type: string - serviceAccount: - type: object - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - nodeSelector: - type: object - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - toServices: - type: array - items: - type: object - required: - - name - - namespace - properties: - name: - type: string - namespace: - type: string - name: - type: string - enableLogging: - type: boolean - status: - type: object - properties: - phase: - type: string - observedGeneration: - type: integer - currentNodesRealized: - type: integer - desiredNodesRealized: - type: integer - subresources: - status: {} - scope: Cluster - names: - plural: clusternetworkpolicies - singular: clusternetworkpolicy - kind: ClusterNetworkPolicy - shortNames: - - acnp ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: networkpolicies.crd.antrea.io -spec: - group: crd.antrea.io - versions: - - name: v1alpha1 - served: true - storage: true - additionalPrinterColumns: - - name: Tier - type: string - description: The Tier to which this Antrea NetworkPolicy belongs to. - jsonPath: .spec.tier - - name: Priority - type: number - format: float - description: The Priority of this Antrea NetworkPolicy relative to other policies. - jsonPath: .spec.priority - - name: Desired Nodes - type: number - format: int32 - description: The total number of Nodes that should realize the NetworkPolicy. - jsonPath: .status.desiredNodesRealized - - name: Current Nodes - type: number - format: int32 - description: The number of Nodes that have realized the NetworkPolicy. - jsonPath: .status.currentNodesRealized - - name: Age - type: date - jsonPath: .metadata.creationTimestamp - schema: - openAPIV3Schema: - type: object - properties: - spec: - # Ensure that Spec.Priority field is set - required: - - priority - type: object - properties: - tier: - type: string - priority: - type: number - format: float - # Ensure that Spec.Priority field is between 1 and 10000 - minimum: 1.0 - maximum: 10000.0 - appliedTo: - type: array - items: - type: object - # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field - properties: - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - ingress: - type: array - items: - type: object - required: - - action - properties: - appliedTo: - type: array - items: - type: object - # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field - properties: - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - # Ensure that Action field allows only ALLOW, DROP and REJECT values - action: - type: string - enum: ['Allow', 'Drop', 'Reject', 'Pass'] - ports: - type: array - items: - type: object - properties: - protocol: - type: string - enum: ['TCP', 'UDP', 'SCTP'] - port: - x-kubernetes-int-or-string: true - endPort: - type: integer - from: - type: array - items: - type: object - properties: - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - externalEntitySelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - ipBlock: - type: object - properties: - cidr: - type: string - format: cidr - nodeSelector: - type: object - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - name: - type: string - enableLogging: - type: boolean - egress: - type: array - items: - type: object - required: - - action - properties: - appliedTo: - type: array - items: - type: object - # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field - properties: - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - # Ensure that Action field allows only ALLOW, DROP and REJECT values - action: - type: string - enum: ['Allow', 'Drop', 'Reject', 'Pass'] - ports: - type: array - items: - type: object - properties: - # Ensure that Protocol field allows only TCP, UDP and SCTP values - protocol: - type: string - enum: ['TCP', 'UDP', 'SCTP'] - port: - x-kubernetes-int-or-string: true - endPort: - type: integer - to: - type: array - items: - type: object - properties: - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - externalEntitySelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - ipBlock: - type: object - properties: - cidr: - type: string - format: cidr - fqdn: - type: string - nodeSelector: - type: object - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - toServices: - type: array - items: - type: object - required: - - name - properties: - name: - type: string - namespace: - type: string - name: - type: string - enableLogging: - type: boolean - status: - type: object - properties: - phase: - type: string - observedGeneration: - type: integer - currentNodesRealized: - type: integer - desiredNodesRealized: - type: integer - subresources: - status: {} - scope: Namespaced - names: - plural: networkpolicies - singular: networkpolicy - kind: NetworkPolicy - shortNames: - - anp ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: externalentities.crd.antrea.io -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - endpoints: - type: array - items: - type: object - properties: - ip: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - name: - type: string - ports: - type: array - items: - type: object - properties: - protocol: - type: string - enum: ['TCP', 'UDP', 'SCTP'] - port: - x-kubernetes-int-or-string: true - name: - type: string - externalNode: - type: string - - name: v1alpha1 - served: false - storage: false - schema: - openAPIV3Schema: - type: object - scope: Namespaced - names: - plural: externalentities - singular: externalentity - kind: ExternalEntity - shortNames: - - ee ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: clustergroups.crd.antrea.io -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 - served: true - storage: false - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - childGroups: - type: array - items: - type: string - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - externalEntitySelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - ipBlock: - type: object - properties: - cidr: - type: string - format: cidr - ipBlocks: - type: array - items: - type: object - properties: - cidr: - type: string - format: cidr - serviceReference: - type: object - properties: - name: - type: string - namespace: - type: string - status: - type: object - properties: - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - lastTransitionTime: - type: string - - name: v1alpha3 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - childGroups: - type: array - items: - type: string - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - externalEntitySelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - ipBlocks: - type: array - items: - type: object - properties: - cidr: - type: string - format: cidr - serviceReference: - type: object - properties: - name: - type: string - namespace: - type: string - status: - type: object - properties: - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - lastTransitionTime: - type: string - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: ["v1", "v1beta1"] - clientConfig: - service: - name: "antrea" - namespace: "kube-system" - path: "/convert/clustergroup" - scope: Cluster - names: - plural: clustergroups - singular: clustergroup - kind: ClusterGroup - shortNames: - - cg ---- diff --git a/build/yamls/base/kustomization.yml b/build/yamls/base/kustomization.yml deleted file mode 100644 index 10bdbae589e..00000000000 --- a/build/yamls/base/kustomization.yml +++ /dev/null @@ -1,31 +0,0 @@ -resources: -- crds.yml -- crds-rbac.yml -- antctl.yml -- controller-rbac.yml -- controller.yml -- agent-rbac.yml -- agent.yml -- cluster-identity-reader.yml -configMapGenerator: -- files: - - conf/antrea-controller.conf - - conf/antrea-agent.conf - - conf/antrea-cni.conflist - name: antrea-config -commonLabels: - app: antrea -namespace: kube-system - # Only a single active instance is supported for now. -replicas: -- count: 1 - name: antrea-controller -vars: - - name: ANTREA_CONFIG_MAP_NAME - objref: - kind: ConfigMap - name: antrea-config - apiVersion: v1 - -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization diff --git a/build/yamls/chart-values/antrea-aks.yml b/build/yamls/chart-values/antrea-aks.yml new file mode 100644 index 00000000000..908c753f430 --- /dev/null +++ b/build/yamls/chart-values/antrea-aks.yml @@ -0,0 +1 @@ +trafficEncapMode: "networkPolicyOnly" diff --git a/build/yamls/chart-values/antrea-eks.yml b/build/yamls/chart-values/antrea-eks.yml new file mode 100644 index 00000000000..cc97b5b7462 --- /dev/null +++ b/build/yamls/chart-values/antrea-eks.yml @@ -0,0 +1,7 @@ +trafficEncapMode: "networkPolicyOnly" +agent: + antreaAgent: + extraEnv: + # Antrea Agent needs to be aware that it is being used in EKS, as + # additional iptables rules may have to be installed. + ANTREA_CLOUD_EKS: "true" diff --git a/build/yamls/chart-values/antrea-gke.yml b/build/yamls/chart-values/antrea-gke.yml new file mode 100644 index 00000000000..9944593cc16 --- /dev/null +++ b/build/yamls/chart-values/antrea-gke.yml @@ -0,0 +1,3 @@ +trafficEncapMode: "noEncap" +cni: + hostBinPath: "/home/kubernetes/bin" diff --git a/build/yamls/chart-values/antrea-ipsec.yml b/build/yamls/chart-values/antrea-ipsec.yml new file mode 100644 index 00000000000..d6770ea44a7 --- /dev/null +++ b/build/yamls/chart-values/antrea-ipsec.yml @@ -0,0 +1,3 @@ +trafficEncryptionMode: "ipsec" +# change the tunnel type to GRE which works better with IPsec encryption than other types. +tunnelType: "gre" diff --git a/build/yamls/chart-values/antrea.yml b/build/yamls/chart-values/antrea.yml new file mode 100644 index 00000000000..e69de29bb2d diff --git a/build/yamls/patches/chaining/installCni.yml b/build/yamls/patches/chaining/installCni.yml deleted file mode 100644 index 5e353352a19..00000000000 --- a/build/yamls/patches/chaining/installCni.yml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: antrea-agent -spec: - template: - spec: - initContainers: - - name: install-cni - command: ["install_cni_chaining"] - securityContext: - capabilities: - add: - # SYS_MODULE is required to load the OVS kernel module. - - SYS_MODULE diff --git a/build/yamls/patches/coverage/startAgentCov.yml b/build/yamls/patches/coverage/startAgentCov.yml deleted file mode 100644 index 39812362b57..00000000000 --- a/build/yamls/patches/coverage/startAgentCov.yml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: antrea-agent -spec: - template: - spec: - initContainers: - - name: install-cni - image: antrea/antrea-ubuntu-coverage:latest - containers: - - name: antrea-agent - command: ["/bin/sh"] - args: ["-c", "sleep 2; antrea-agent-coverage -test.run=TestBincoverRunMain -test.coverprofile=antrea-agent.cov.out -args-file=/agent-arg-file; while true; do sleep 5 & wait $!; done"] diff --git a/build/yamls/patches/coverage/startControllerCov.yml b/build/yamls/patches/coverage/startControllerCov.yml deleted file mode 100644 index 8e1f187d60e..00000000000 --- a/build/yamls/patches/coverage/startControllerCov.yml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: antrea-controller -spec: - template: - spec: - containers: - - command: ["/bin/sh"] - args: ["-c", "antrea-controller-coverage -test.run=TestBincoverRunMain -test.coverprofile=antrea-controller.cov.out -args-file=/controller-arg-file; while true; do sleep 5 & wait $!; done"] - name: antrea-controller diff --git a/build/yamls/patches/dev/agentImagePullPolicy.yml b/build/yamls/patches/dev/agentImagePullPolicy.yml deleted file mode 100644 index 51bf1ea8d98..00000000000 --- a/build/yamls/patches/dev/agentImagePullPolicy.yml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: antrea-agent -spec: - template: - spec: - containers: - - name: antrea-agent - imagePullPolicy: IfNotPresent - - name: antrea-ovs - imagePullPolicy: IfNotPresent - initContainers: - - name: install-cni - imagePullPolicy: IfNotPresent diff --git a/build/yamls/patches/dev/agentIpsecImagePullPolicy.yml b/build/yamls/patches/dev/agentIpsecImagePullPolicy.yml deleted file mode 100644 index 50aabfcf2c3..00000000000 --- a/build/yamls/patches/dev/agentIpsecImagePullPolicy.yml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: antrea-agent -spec: - template: - spec: - containers: - - name: antrea-ipsec - imagePullPolicy: IfNotPresent diff --git a/build/yamls/patches/dev/agentVerboseLog.yml b/build/yamls/patches/dev/agentVerboseLog.yml deleted file mode 100644 index 4bfaaaeeea7..00000000000 --- a/build/yamls/patches/dev/agentVerboseLog.yml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: antrea-agent -spec: - template: - spec: - containers: - - name: antrea-agent - args: ["--config", "/etc/antrea/antrea-agent.conf", "--logtostderr=false", "--log_dir=/var/log/antrea", "--alsologtostderr", "--log_file_max_size=100", "--log_file_max_num=4", "--v=4"] - diff --git a/build/yamls/patches/dev/controllerImagePullPolicy.yml b/build/yamls/patches/dev/controllerImagePullPolicy.yml deleted file mode 100644 index ce6bda61abb..00000000000 --- a/build/yamls/patches/dev/controllerImagePullPolicy.yml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: antrea-controller -spec: - template: - spec: - containers: - - name: antrea-controller - imagePullPolicy: IfNotPresent diff --git a/build/yamls/patches/dev/controllerVerboseLog.yml b/build/yamls/patches/dev/controllerVerboseLog.yml deleted file mode 100644 index 35f79946478..00000000000 --- a/build/yamls/patches/dev/controllerVerboseLog.yml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: antrea-controller -spec: - template: - spec: - containers: - - name: antrea-controller - args: ["--config", "/etc/antrea/antrea-controller.conf", "--logtostderr=false", "--log_dir=/var/log/antrea", "--alsologtostderr", "--log_file_max_size=100", "--log_file_max_num=4", "--v=4"] - diff --git a/build/yamls/patches/dev/onDeleteUpdateStrategy.yml b/build/yamls/patches/dev/onDeleteUpdateStrategy.yml deleted file mode 100644 index 4e5d30be341..00000000000 --- a/build/yamls/patches/dev/onDeleteUpdateStrategy.yml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: antrea-agent -spec: - updateStrategy: - type: OnDelete diff --git a/build/yamls/patches/eks/eksEnv.yml b/build/yamls/patches/eks/eksEnv.yml deleted file mode 100644 index 5ebae561433..00000000000 --- a/build/yamls/patches/eks/eksEnv.yml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: antrea-agent -spec: - template: - spec: - containers: - - name: antrea-agent - env: - # Antrea Agent needs to be aware that it is being used in EKS, as - # additional iptables rules may have to be installed. - - name: ANTREA_CLOUD_EKS - value: "true" diff --git a/build/yamls/patches/gke/cniPath.yml b/build/yamls/patches/gke/cniPath.yml deleted file mode 100644 index 671dbb31087..00000000000 --- a/build/yamls/patches/gke/cniPath.yml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: antrea-agent -spec: - template: - spec: - volumes: - - hostPath: - path: /home/kubernetes/bin - name: host-cni-bin diff --git a/build/yamls/patches/hwoffload/hwOffload.yml b/build/yamls/patches/hwoffload/hwOffload.yml deleted file mode 100644 index bed398e1984..00000000000 --- a/build/yamls/patches/hwoffload/hwOffload.yml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: antrea-agent -spec: - template: - spec: - containers: - - name: antrea-ovs - command: ["start_ovs", "--hw-offload"] - diff --git a/build/yamls/patches/ipsec/ipsecContainer.yml b/build/yamls/patches/ipsec/ipsecContainer.yml deleted file mode 100644 index a1225abdb54..00000000000 --- a/build/yamls/patches/ipsec/ipsecContainer.yml +++ /dev/null @@ -1,36 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: antrea-agent -spec: - template: - spec: - containers: - - name: antrea-ipsec - image: antrea - resources: - requests: - cpu: "50m" - command: ["start_ovs_ipsec"] - livenessProbe: - exec: - command: - - /bin/sh - - -c - - timeout 5 container_liveness_probe ovs-ipsec - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - capabilities: - add: - - NET_ADMIN - volumeMounts: - - name: host-var-run-antrea - mountPath: /var/run/openvswitch - subPath: openvswitch - - name: host-var-log-antrea - mountPath: /var/log/openvswitch - subPath: openvswitch - - name: host-var-log-antrea - mountPath: /var/log/strongswan - subPath: strongswan diff --git a/build/yamls/patches/ipsec/ipsecSecret.yml b/build/yamls/patches/ipsec/ipsecSecret.yml deleted file mode 100644 index b0bb36a572a..00000000000 --- a/build/yamls/patches/ipsec/ipsecSecret.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: antrea-ipsec - namespace: kube-system -type: Opaque -stringData: - # Preshared Key used by IKE for authentication with peers. - psk: changeme diff --git a/build/yamls/patches/ipsec/pskEnv.yml b/build/yamls/patches/ipsec/pskEnv.yml deleted file mode 100644 index 48d5fbaa7bb..00000000000 --- a/build/yamls/patches/ipsec/pskEnv.yml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: antrea-agent -spec: - template: - spec: - containers: - - name: antrea-agent - env: - # Pre-shared key for IPsec IKE. - - name: ANTREA_IPSEC_PSK - valueFrom: - secretKeyRef: - name: antrea-ipsec - key: psk diff --git a/build/yamls/patches/kustomization.configMap.tpl.yml b/build/yamls/patches/kustomization.configMap.tpl.yml deleted file mode 100644 index 08c34218f0a..00000000000 --- a/build/yamls/patches/kustomization.configMap.tpl.yml +++ /dev/null @@ -1,6 +0,0 @@ -configMapGenerator: -- name: antrea-config - behavior: merge - files: - - - - diff --git a/build/yamls/patches/release/.gitignore b/build/yamls/patches/release/.gitignore deleted file mode 100644 index fdffa2a0fd7..00000000000 --- a/build/yamls/patches/release/.gitignore +++ /dev/null @@ -1 +0,0 @@ -# placeholder diff --git a/build/yamls/patches/simulator/agentNodeAffinity.yml b/build/yamls/patches/simulator/agentNodeAffinity.yml deleted file mode 100644 index 1a922cecd3f..00000000000 --- a/build/yamls/patches/simulator/agentNodeAffinity.yml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: antrea-agent -spec: - template: - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: antrea/instance - operator: NotIn - values: - - simulator diff --git a/build/yamls/patches/simulator/controllerNodeAffinity.yml b/build/yamls/patches/simulator/controllerNodeAffinity.yml deleted file mode 100644 index e88e7e23d7d..00000000000 --- a/build/yamls/patches/simulator/controllerNodeAffinity.yml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: antrea-controller -spec: - template: - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: antrea/instance - operator: NotIn - values: - - simulator diff --git a/build/yamls/patches/sriov/sriov.yml b/build/yamls/patches/sriov/sriov.yml deleted file mode 100644 index f56c5466e02..00000000000 --- a/build/yamls/patches/sriov/sriov.yml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: antrea-agent -spec: - template: - spec: - containers: - - name: antrea-agent - volumeMounts: - - mountPath: /var/lib/kubelet - name: host-kubelet - readOnly: true - volumes: - - hostPath: - path: /var/lib/kubelet - name: host-kubelet diff --git a/build/yamls/patches/whereabouts/whereabouts-rbac.yml b/build/yamls/patches/whereabouts/whereabouts-rbac.yml deleted file mode 100644 index 6492ac97a96..00000000000 --- a/build/yamls/patches/whereabouts/whereabouts-rbac.yml +++ /dev/null @@ -1,46 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: whereabouts-cni-secret - annotations: - kubernetes.io/service-account.name: antrea-agent-whereabouts -type: kubernetes.io/service-account-token ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: antrea-agent-whereabouts - namespace: kube-system ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: antrea-agent-whereabouts -rules: - - apiGroups: - - whereabouts.cni.cncf.io - resources: - - ippools - verbs: - - get - - put - - watch - - list - - update - - patch - - create - - delete ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: antrea-agent-whereabouts -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: antrea-agent-whereabouts -subjects: - - kind: ServiceAccount - name: antrea-agent-whereabouts - namespace: kube-system diff --git a/build/yamls/patches/whereabouts/whereabouts.yml b/build/yamls/patches/whereabouts/whereabouts.yml deleted file mode 100644 index 3ada5ac9bae..00000000000 --- a/build/yamls/patches/whereabouts/whereabouts.yml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: antrea-agent -spec: - template: - spec: - initContainers: - - name: install-whereabouts-config - image: antrea - resources: - requests: - cpu: "100m" - command: ["install_whereabouts_config"] - volumeMounts: - - name: whereabouts-cni-conf - mountPath: /host/etc/cni/net.d/whereabouts.d - - name: whereabouts-secret - mountPath: /var/run/secrets/whereabouts - containers: - - name: antrea-agent - volumeMounts: - - name: whereabouts-cni-conf - mountPath: /host/etc/cni/net.d/whereabouts.d - - name: whereabouts-secret - mountPath: /var/run/secrets/whereabouts - volumes: - - hostPath: - path: /host/etc/cni/net.d/whereabouts.d - name: whereabouts-cni-conf - - name: whereabouts-secret - secret: - secretName: whereabouts-cni-secret diff --git a/ci/kind/test-e2e-kind.sh b/ci/kind/test-e2e-kind.sh index 5b56d038241..6d9d7e94337 100755 --- a/ci/kind/test-e2e-kind.sh +++ b/ci/kind/test-e2e-kind.sh @@ -208,9 +208,9 @@ function run_test { if $proxy_all; then apiserver=$(docker exec -i kind-control-plane kubectl get endpoints kubernetes --no-headers | awk '{print $2}') if $coverage; then - docker exec -i kind-control-plane sed -i.bak -E "s/^[[:space:]]*#kubeAPIServerOverride[[:space:]]*:[[:space:]]*[a-z\"]+[[:space:]]*$/ kubeAPIServerOverride: \"$apiserver\"/" /root/antrea-coverage.yml /root/antrea-ipsec-coverage.yml + docker exec -i kind-control-plane sed -i.bak -E "s/^[[:space:]]*[#]?kubeAPIServerOverride[[:space:]]*:[[:space:]]*[a-z\"]+[[:space:]]*$/ kubeAPIServerOverride: \"$apiserver\"/" /root/antrea-coverage.yml /root/antrea-ipsec-coverage.yml else - docker exec -i kind-control-plane sed -i.bak -E "s/^[[:space:]]*#kubeAPIServerOverride[[:space:]]*:[[:space:]]*[a-z\"]+[[:space:]]*$/ kubeAPIServerOverride: \"$apiserver\"/" /root/antrea.yml /root/antrea-ipsec.yml + docker exec -i kind-control-plane sed -i.bak -E "s/^[[:space:]]*[#]?kubeAPIServerOverride[[:space:]]*:[[:space:]]*[a-z\"]+[[:space:]]*$/ kubeAPIServerOverride: \"$apiserver\"/" /root/antrea.yml /root/antrea-ipsec.yml fi fi sleep 1 diff --git a/.markdownlint-config.yml b/hack/.markdownlint-config.yml similarity index 100% rename from .markdownlint-config.yml rename to hack/.markdownlint-config.yml diff --git a/hack/.markdownlint-ignore b/hack/.markdownlint-ignore new file mode 100644 index 00000000000..724578f287c --- /dev/null +++ b/hack/.markdownlint-ignore @@ -0,0 +1,6 @@ +CHANGELOG/ +CHANGELOG.md +hack/netpol +CODE_OF_CONDUCT.md +# auto-generated file +build/charts/antrea/README.md diff --git a/hack/generate-manifest.sh b/hack/generate-manifest.sh index fcb427c5f64..9209f279dad 100755 --- a/hack/generate-manifest.sh +++ b/hack/generate-manifest.sh @@ -21,7 +21,7 @@ function echoerr { } _usage="Usage: $0 [--mode (dev|release)] [--encap-mode] [--ipsec] [--no-proxy] [--no-np] [--keep] [--tun (geneve|vxlan|gre|stt)] [--verbose-log] [--help|-h] -Generate a YAML manifest for Antrea using Kustomize and print it to stdout. +Generate a YAML manifest for Antrea using Helm and print it to stdout. --mode (dev|release) Choose the configuration variant that you need (default is 'dev') --encap-mode Traffic encapsulation mode. (default is 'encap') --cloud Generate a manifest appropriate for running Antrea in Public Cloud @@ -29,10 +29,8 @@ Generate a YAML manifest for Antrea using Kustomize and print it to stdout. --all-features Generate a manifest with all alpha features enabled --no-proxy Generate a manifest with Antrea proxy disabled --proxy-all Generate a manifest with Antrea proxy with all Service support enabled - --no-legacy-crd Generate a manifest without legacy CRD mirroring support enabled --endpointslice Generate a manifest with EndpointSlice support enabled --no-np Generate a manifest with Antrea-native policies disabled - --keep Debug flag which will preserve the generated kustomization.yml --tun (geneve|vxlan|gre|stt) Choose encap tunnel type from geneve, gre, stt and vxlan (default is geneve) --verbose-log Generate a manifest with increased log-level (level 4) for Antrea agent and controller. This option will work only in 'dev' mode. @@ -53,11 +51,10 @@ In 'release' mode, environment variables IMG_NAME and IMG_TAG must be set. In 'dev' mode, environment variable IMG_NAME can be set to use a custom image. -This tool uses kustomize (https://github.com/kubernetes-sigs/kustomize) to generate manifests for -Antrea. You can set the KUSTOMIZE environment variable to the path of the kustomize binary you want -us to use. Otherwise we will download the appropriate version of the kustomize binary and use -it (this is the recommended approach since different versions of kustomize may create different -output YAMLs)." +This tool uses Helm 3 (https://helm.sh/) to generate manifests for Antrea. You can set the HELM +environment variable to the path of the helm binary you want us to use. Otherwise we will download +the appropriate version of the helm binary and use it (this is the recommended approach since +different versions of helm may create different output YAMLs)." function print_usage { echoerr "$_usage" @@ -72,7 +69,6 @@ IPSEC=false ALLFEATURES=false PROXY=true PROXY_ALL=false -LEGACY_CRD=true ENDPOINTSLICE=false NP=true KEEP=false @@ -130,10 +126,6 @@ case $key in PROXY_ALL=true shift ;; - --no-legacy-crd) - LEGACY_CRD=false - shift - ;; --endpointslice) PROXY=true ENDPOINTSLICE=true @@ -277,264 +269,150 @@ fi THIS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" -source $THIS_DIR/verify-kustomize.sh +# Avoid potential Helm warnings about invalid permissions for Kubeconfig file. +# The Kubeconfig does not matter for "helm template". +unset KUBECONFIG -if [ -z "$KUSTOMIZE" ]; then - KUSTOMIZE="$(verify_kustomize)" -elif ! $KUSTOMIZE version > /dev/null 2>&1; then - echoerr "$KUSTOMIZE does not appear to be a valid kustomize binary" +source $THIS_DIR/verify-helm.sh + +if [ -z "$HELM" ]; then + HELM="$(verify_helm)" +elif ! $HELM version > /dev/null 2>&1; then + echoerr "$HELM does not appear to be a valid helm binary" print_help exit 1 fi -KUSTOMIZATION_DIR=$THIS_DIR/../build/yamls - -TMP_DIR=$(mktemp -d $KUSTOMIZATION_DIR/overlays.XXXXXXXX) - -pushd $TMP_DIR > /dev/null - -BASE=../../base - -# do all ConfigMap edits -mkdir configMap && cd configMap -# user is not expected to make changes directly to antrea-agent.conf and antrea-controller.conf, -# but instead to the generated YAML manifest, so our regexs need not be too robust. -cp $KUSTOMIZATION_DIR/base/conf/antrea-agent.conf antrea-agent.conf -cp $KUSTOMIZATION_DIR/base/conf/antrea-controller.conf antrea-controller.conf +TMP_DIR=$(mktemp -d $THIS_DIR/../build/yamls/chart-values.XXXXXXXX) +HELM_VALUES=() +HELM_VALUES_FILES=() if $IPSEC; then - sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*trafficEncryptionMode[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/trafficEncryptionMode: ipsec/" antrea-agent.conf - # change the tunnel type to GRE which works better with IPsec encryption than other types. - sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*tunnelType[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/tunnelType: gre/" antrea-agent.conf + HELM_VALUES+=("trafficEncryptionMode=ipsec" "tunnelType=gre") fi if $FLEXIBLE_IPAM; then - sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*AntreaIPAM[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/ AntreaIPAM: true/" antrea-controller.conf - sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*AntreaIPAM[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/ AntreaIPAM: true/" antrea-agent.conf - sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*enableBridgingMode[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/enableBridgingMode: true/" antrea-agent.conf - sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*trafficEncapMode[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/trafficEncapMode: noEncap/" antrea-agent.conf - sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*noSNAT[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/noSNAT: true/" antrea-agent.conf + HELM_VALUES+=("featureGates.AntreaIPAM=true" "enableBridgingMode=true" "trafficEncapMode=noEncap" "noSNAT=true") fi if $MULTICAST; then - sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*trafficEncapMode[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/trafficEncapMode: noEncap/" antrea-agent.conf - sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*Multicast[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/ Multicast: true/" antrea-agent.conf - sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*multicastInterfaces[[:space:]]*:[[:space:]]*\[([a-zA-Z0-9]*,[[:space:]]*)*[a-zA-Z0-9]*\][[:space:]]*$/multicastInterfaces: [$MULTICAST_INTERFACES]/" antrea-agent.conf + HELM_VALUES+=("trafficEncapMode=noEncap" "featureGates.Multicast=true" "multicastInterfaces={$MULTICAST_INTERFACES}") fi if $ALLFEATURES; then - sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*AntreaPolicy[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/ AntreaPolicy: true/" antrea-agent.conf - sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*FlowExporter[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/ FlowExporter: true/" antrea-agent.conf - sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*NetworkPolicyStats[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/ NetworkPolicyStats: true/" antrea-agent.conf - sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*EndpointSlice[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/ EndpointSlice: true/" antrea-agent.conf - sed -i.bak -E "s/^[[:space:]]*#proxyAll[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/ proxyAll: true/" antrea-agent.conf + HELM_VALUES+=("featureGates.FlowExporter=true" "featureGates.EndpointSlice=true" "antreaProxy.proxyAll=true") fi if ! $PROXY; then - sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*AntreaProxy[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/ AntreaProxy: false/" antrea-agent.conf + HELM_VALUES+=("featureGates.AntreaProxy=false") fi if $PROXY_ALL; then - sed -i.bak -E "s/^[[:space:]]*#proxyAll[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/ proxyAll: true/" antrea-agent.conf -fi - -if ! $LEGACY_CRD; then - sed -i.bak -E "s/^#legacyCRDMirroring[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/legacyCRDMirroring: false/" antrea-controller.conf + HELM_VALUES+=("antreaProxy.proxyAll=true") fi if $ENDPOINTSLICE; then - sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*EndpointSlice[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/ EndpointSlice: true/" antrea-agent.conf + HELM_VALUES+=("featureGates.EndpointSlice=true") fi if ! $NP; then - sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*AntreaPolicy[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/ AntreaPolicy: false/" antrea-controller.conf - sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*AntreaPolicy[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/ AntreaPolicy: false/" antrea-agent.conf + HELM_VALUES+=("featureGates.AntreaPolicy=false") fi if [[ $ENCAP_MODE != "" ]]; then - sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*trafficEncapMode[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/trafficEncapMode: $ENCAP_MODE/" antrea-agent.conf + HELM_VALUES+=("trafficEncapMode=$ENCAP_MODE") fi if [[ $TUN_TYPE != "geneve" ]]; then - sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*tunnelType[[:space:]]*:[[:space:]]*[a-z]+[[:space:]]*$/tunnelType: $TUN_TYPE/" antrea-agent.conf -fi - -if [[ $CLOUD != "" ]]; then - # Delete the serviceCIDR parameter for the cloud (AKS, EKS, GKE) deployment yamls, because - # AntreaProxy is always enabled for the cloud managed K8s clusters, and the serviceCIDR - # parameter is not needed in this case. - # delete all blank lines after "#serviceCIDR:" - sed -i.bak '/#serviceCIDR:/,/^$/{/^$/d;}' antrea-agent.conf - # delete lines from "# ClusterIP CIDR range for Services" to "#serviceCIDR:" - sed -i.bak '/# ClusterIP CIDR range for Services/,/#serviceCIDR:/d' antrea-agent.conf -fi - -# unfortunately 'kustomize edit add configmap' does not support specifying 'merge' as the behavior, -# which is why we use a template kustomization file. -sed -e "s//antrea-agent.conf/; s//antrea-controller.conf/" ../../patches/kustomization.configMap.tpl.yml > kustomization.yml -$KUSTOMIZE edit add base $BASE -BASE=../configMap -cd .. - -if $IPSEC; then - mkdir ipsec && cd ipsec - # we copy the patch files to avoid having to use the '--load-restrictor. flag when calling - # 'kustomize build'. See https://github.com/kubernetes-sigs/kustomize/blob/master/docs/FAQ.md#security-file-foo-is-not-in-or-below-bar - cp ../../patches/ipsec/*.yml . - touch kustomization.yml - $KUSTOMIZE edit add base $BASE - # create a K8s Secret to save the PSK (pre-shared key) for IKE authentication. - $KUSTOMIZE edit add resource ipsecSecret.yml - # add a container to the Agent DaemonSet that runs the OVS IPsec and strongSwan daemons. - $KUSTOMIZE edit add patch --path ipsecContainer.yml - # add an environment variable to the antrea-agent container for passing the PSK to Agent. - $KUSTOMIZE edit add patch --path pskEnv.yml - BASE=../ipsec - cd .. + HELM_VALUES+=("tunnelType=$TUN_TYPE") fi if $COVERAGE; then - mkdir coverage && cd coverage - cp ../../patches/coverage/*.yml . - touch kustomization.yml - $KUSTOMIZE edit add base $BASE - # this runs antrea-controller via the instrumented binary. - $KUSTOMIZE edit add patch --path startControllerCov.yml - # this runs antrea-agent via the instrumented binary. - $KUSTOMIZE edit add patch --path startAgentCov.yml - BASE=../coverage - cd .. + HELM_VALUES+=("testing.coverage=true") fi -if [[ $ENCAP_MODE == "networkPolicyOnly" ]] ; then - mkdir chaining && cd chaining - cp ../../patches/chaining/*.yml . - touch kustomization.yml - $KUSTOMIZE edit add base $BASE - # change initContainer script and add antrea to CNI chain - $KUSTOMIZE edit add patch --path installCni.yml - BASE=../chaining - cd .. -fi - if [[ $CLOUD == "GKE" ]]; then - mkdir gke && cd gke - cp ../../patches/gke/*.yml . - touch kustomization.yml - $KUSTOMIZE edit add base $BASE - $KUSTOMIZE edit add patch --path cniPath.yml - BASE=../gke - cd .. + HELM_VALUES+=("cni.hostBinPath=/home/kubernetes/bin") fi if [[ $CLOUD == "EKS" ]]; then - mkdir eks && cd eks - cp ../../patches/eks/*.yml . - touch kustomization.yml - $KUSTOMIZE edit add base $BASE - $KUSTOMIZE edit add patch --path eksEnv.yml - BASE=../eks - cd .. + HELM_VALUES+=("agent.antreaAgent.extraEnv.ANTREA_CLOUD_EKS=true") fi if $SIMULATOR; then - mkdir simulator && cd simulator - cp ../../patches/simulator/*.yml . - touch kustomization.yml - $KUSTOMIZE edit add base $BASE - $KUSTOMIZE edit add patch --path agentNodeAffinity.yml - $KUSTOMIZE edit add patch --path controllerNodeAffinity.yml - $KUSTOMIZE edit add resource antrea-agent-simulator.yml - BASE=../simulator - cd .. + HELM_VALUES+=("testing.simulator.enable=true") fi if $CUSTOM_ADM_CONTROLLER; then - mkdir admissioncontroller && cd admissioncontroller - cp ../../patches/admissioncontroller/*.yml . - touch kustomization.yml - $KUSTOMIZE edit add base $BASE - $KUSTOMIZE edit add resource webhook.yml - BASE=../admissioncontroller - cd .. + HELM_VALUES+=("webhooks.labelsMutator.enable=true") fi if $HW_OFFLOAD; then - mkdir hwoffload && cd hwoffload - cp ../../patches/hwoffload/hwOffload.yml . - touch kustomization.yml - $KUSTOMIZE edit add base $BASE - $KUSTOMIZE edit add patch --path hwOffload.yml - BASE=../hwoffload - cd .. + HELM_VALUES+=("ovs.hwOffload=true") fi if $SRIOV; then - mkdir sriov && cd sriov - cp ../../patches/sriov/sriov.yml . - touch kustomization.yml - $KUSTOMIZE edit add base $BASE - $KUSTOMIZE edit add patch --path sriov.yml - BASE=../sriov - cd .. + cat << EOF > $TMP_DIR/sriov.yml +agent: + antreaAgent: + extraVolumeMounts: + - mountPath: /var/lib/kubelet + name: host-kubelet + readOnly: true + extraVolumes: + - hostPath: + path: /var/lib/kubelet + name: host-kubelet +EOF + HELM_VALUES_FILES+=("$TMP_DIR/sriov.yml") fi if $WHEREABOUTS; then - mkdir whereabouts && cd whereabouts - cp ../../patches/whereabouts/*.yml . - touch kustomization.yml - $KUSTOMIZE edit add base $BASE - $KUSTOMIZE edit add patch --path whereabouts.yml - $KUSTOMIZE edit add resource whereabouts-rbac.yml - BASE=../whereabouts - cd .. -fi - -mkdir $MODE && cd $MODE -touch kustomization.yml -$KUSTOMIZE edit add base $BASE -# ../../patches/$MODE may be empty so we use find and not simply cp -find ../../patches/$MODE -name \*.yml -exec cp {} . \; + HELM_VALUES+=("whereabouts.enable=true") +fi if [ "$MODE" == "dev" ]; then if [[ -z "$IMG_NAME" ]]; then if $COVERAGE; then - IMG_NAME="antrea/antrea-ubuntu-coverage:latest" - else - IMG_NAME="projects.registry.vmware.com/antrea/antrea-ubuntu:latest" + HELM_VALUES+=("image.repository=antrea/antrea-ubuntu-coverage") fi + else + HELM_VALUES+=("image.repository=$IMG_NAME") fi - $KUSTOMIZE edit set image antrea=$IMG_NAME - - $KUSTOMIZE edit add patch --path agentImagePullPolicy.yml - $KUSTOMIZE edit add patch --path controllerImagePullPolicy.yml if $VERBOSE_LOG; then - $KUSTOMIZE edit add patch --path agentVerboseLog.yml - $KUSTOMIZE edit add patch --path controllerVerboseLog.yml - fi - - # only required because there is no good way at the moment to update the imagePullPolicy for all - # containers. See https://github.com/kubernetes-sigs/kustomize/issues/1493 - if $IPSEC; then - $KUSTOMIZE edit add patch --path agentIpsecImagePullPolicy.yml + HELM_VALUES+=("logVerbosity=4") fi if $ON_DELETE; then - $KUSTOMIZE edit add patch --path onDeleteUpdateStrategy.yml + HELM_VALUES+=("agent.updateStrategy.type=OnDelete") fi fi if [ "$MODE" == "release" ]; then - $KUSTOMIZE edit set image antrea=$IMG_NAME:$IMG_TAG + HELM_VALUES+=("image.repository=$IMG_NAME,image.tag=$IMG_TAG") +fi + +delim="" +HELM_VALUES_OPTION="" +for v in "${HELM_VALUES[@]}"; do + HELM_VALUES_OPTION="$HELM_VALUES_OPTION$delim$v" + delim="," +done +if [ "$HELM_VALUES_OPTION" != "" ]; then + HELM_VALUES_OPTION="--set $HELM_VALUES_OPTION" fi -$KUSTOMIZE build +HELM_VALUES_FILES_OPTION="" +for v in "${HELM_VALUES_FILES[@]}"; do + HELM_VALUES_FILES_OPTION="$HELM_VALUES_FILES_OPTION -f $v" +done -popd > /dev/null +ANTREA_CHART="$THIS_DIR/../build/charts/antrea" +$HELM template \ + --namespace kube-system \ + $HELM_VALUES_OPTION \ + $HELM_VALUES_FILES_OPTION \ + "$ANTREA_CHART" -if $KEEP; then - echoerr "Kustomization file is at $TMP_DIR/$MODE/kustomization.yml" -else - rm -rf $TMP_DIR -fi +rm -rf $TMP_DIR diff --git a/hack/generate-standard-manifests.sh b/hack/generate-standard-manifests.sh new file mode 100755 index 00000000000..9f29fe03bf8 --- /dev/null +++ b/hack/generate-standard-manifests.sh @@ -0,0 +1,132 @@ +#!/usr/bin/env bash + +# Copyright 2022 Antrea Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -eo pipefail + +function echoerr { + >&2 echo "$@" +} + +_usage="Usage: $0 [--mode (dev|release)] --out +Generate standard YAML manifests for Antrea using Helm and writes them to output directory. + --mode (dev|release) Choose the configuration variant that you need (default is 'dev') + --out Output directory for generated manifetss + --help, -h Print this message and exit + +In 'release' mode, environment variables IMG_NAME and IMG_TAG must be set. + +In 'dev' mode, environment variable IMG_NAME can be set to use a custom image. + +This tool uses Helm 3 (https://helm.sh/) to generate the \"standard\" manifests for Antrea. These +are the manifests that are checked-in into the Antrea source tree, and that are uploaded as release +assets for each new Antrea release. This script looks for all the Helm values YAML files under +/build/yamls/chart-values/, and generates the corresponding manifest for each one. + +You can set the HELM environment variable to the path of the helm binary you wan t us to +use. Otherwise we will download the appropriate version of the helm binary and use it (this is the +recommended approach since different versions of helm may create different output YAMLs)." + +function print_usage { + echoerr "$_usage" +} + +function print_help { + echoerr "Try '$0 --help' for more information." +} + +MODE="dev" +OUTPUT_DIR="" + +while [[ $# -gt 0 ]] +do +key="$1" + +case $key in + --mode) + MODE="$2" + shift 2 + ;; + --out) + OUTPUT_DIR="$2" + shift 2 + ;; + -h|--help) + print_usage + exit 0 + ;; + *) # unknown option + echoerr "Unknown option $1" + exit 1 + ;; +esac +done + +if [ "$MODE" != "dev" ] && [ "$MODE" != "release" ]; then + echoerr "--mode must be one of 'dev' or 'release'" + print_help + exit 1 +fi + +if [ "$MODE" == "release" ] && [ -z "$IMG_NAME" ]; then + echoerr "In 'release' mode, environment variable IMG_NAME must be set" + print_help + exit 1 +fi + +if [ "$MODE" == "release" ] && [ -z "$IMG_TAG" ]; then + echoerr "In 'release' mode, environment variable IMG_TAG must be set" + print_help + exit 1 +fi + +if [ "$OUTPUT_DIR" == "" ]; then + echoerr "--out is required to provide output directory for generated manifests" + print_help + exit 1 +fi + +THIS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" + +# Avoid potential Helm warnings about invalid permissions for Kubeconfig file. +# The Kubeconfig does not matter for "helm template". +unset KUBECONFIG + +source $THIS_DIR/verify-helm.sh + +if [ -z "$HELM" ]; then + HELM="$(verify_helm)" +elif ! $HELM version > /dev/null 2>&1; then + echoerr "$HELM does not appear to be a valid helm binary" + print_help + exit 1 +fi + +EXTRA_VALUES="" +if [ "$MODE" == "release" ]; then + EXTRA_VALUES="--set image.repository=$IMG_NAME,image.tag=$IMG_TAG" +fi + +ANTREA_CHART="$THIS_DIR/../build/charts/antrea" +VALUES_DIR="$THIS_DIR/../build/yamls/chart-values" +VALUES_FILES=$(cd $VALUES_DIR && find * -type f -name "*.yml" ) +for values in $VALUES_FILES; do + $HELM template \ + --namespace kube-system \ + -f "$VALUES_DIR/$values" \ + $EXTRA_VALUES \ + "$ANTREA_CHART" \ + > "$OUTPUT_DIR/$values" +done diff --git a/hack/release/prepare-assets.sh b/hack/release/prepare-assets.sh index 6055f1e261b..f90831be9dd 100755 --- a/hack/release/prepare-assets.sh +++ b/hack/release/prepare-assets.sh @@ -70,11 +70,7 @@ sed "s/AntreaVersion=\"latest\"/AntreaVersion=\"$VERSION\"/" ./hack/windows/Star export IMG_TAG=$VERSION export IMG_NAME=projects.registry.vmware.com/antrea/antrea-ubuntu -./hack/generate-manifest.sh --mode release > "$OUTPUT_DIR"/antrea.yml -./hack/generate-manifest.sh --mode release --ipsec > "$OUTPUT_DIR"/antrea-ipsec.yml -./hack/generate-manifest.sh --mode release --cloud EKS --encap-mode networkPolicyOnly > "$OUTPUT_DIR"/antrea-eks.yml -./hack/generate-manifest.sh --mode release --cloud GKE --encap-mode noEncap > "$OUTPUT_DIR"/antrea-gke.yml -./hack/generate-manifest.sh --mode release --cloud AKS --encap-mode networkPolicyOnly > "$OUTPUT_DIR"/antrea-aks.yml +./hack/generate-standard-manifests.sh --mode release --out "$OUTPUT_DIR" export IMG_NAME=projects.registry.vmware.com/antrea/octant-antrea-ubuntu ./hack/generate-manifest-octant.sh --mode release > "$OUTPUT_DIR"/antrea-octant.yml diff --git a/hack/verify-helm.sh b/hack/verify-helm.sh new file mode 100644 index 00000000000..e9a7fbe8279 --- /dev/null +++ b/hack/verify-helm.sh @@ -0,0 +1,73 @@ +#!/usr/bin/env bash + +# Copyright 2022 Antrea Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +THIS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" +_BINDIR="$THIS_DIR/.bin" +# Must be an exact match, as the generated YAMLs may not be consistent across +# versions +_HELM_VERSION="v3.8.1" + +# Ensure the helm tool exists and is the correct version, or install it +verify_helm() { + # Check if there is already a helm binary in $_BINDIR and if yes, check if + # the version matches the expected one. + local helm="$(PATH=$_BINDIR command -v helm)" + if [ -x "$helm" ]; then + # Verify version if helm was already installed. + local helm_version="$($helm version --short)" + # Should work with: + # - v3.8.1 + # - v3.8.1+g5cb9af4 + helm_version="${helm_version%+*}" + if [ "${helm_version}" == "${_HELM_VERSION}" ]; then + # If version is exact match, stop here. + echo "$helm" + return 0 + fi + >&2 echo "Detected helm version ($helm_version) does not match expected one ($_HELM_VERSION), installing correct version" + fi + local ostype="" + if [[ "$OSTYPE" == "linux-gnu" ]]; then + ostype="linux" + elif [[ "$OSTYPE" == "darwin"* ]]; then + ostype="darwin" + else + >&2 echo "Unsupported OS type $OSTYPE" + return 1 + fi + rc=0 + local unameArch="$(uname -m)" || rc=$? + if [ $rc -ne 0 ]; then + >&2 echo "Cannot detect architecture type, uname not available?" + return 1 + fi + local arch="" + case "$unameArch" in + x86_64) arch="amd64";; + arm64) arch="arm64";; + *) >&2 echo "Unsupported architecture type $unameArch"; return 1;; + esac + + >&2 echo "Installing helm" + local helm_url="https://get.helm.sh/helm-${_HELM_VERSION}-${ostype}-${arch}.tar.gz" + curl -sLo helm.tar.gz "${helm_url}" || return 1 + mkdir -p "$_BINDIR" || return 1 + tar -xzf helm.tar.gz -C "$_BINDIR" --strip-components=1 "${ostype}-${arch}/helm" || return 1 + rm -f helm.tar.gz + helm="$_BINDIR/helm" + echo "$helm" + return 0 +} diff --git a/pkg/config/controller/config.go b/pkg/config/controller/config.go index d7e08a358a1..643d7e476cb 100644 --- a/pkg/config/controller/config.go +++ b/pkg/config/controller/config.go @@ -51,12 +51,10 @@ type ControllerConfig struct { // Defaults to true. EnablePrometheusMetrics *bool `yaml:"enablePrometheusMetrics,omitempty"` // Indicates whether to use auto-generated self-signed TLS certificate. - // If false, A Secret named "antrea-controller-tls" must be provided with the following keys: + // If false, a Secret named "antrea-controller-tls" must be provided with the following keys: // ca.crt: // tls.crt: // tls.key: - // And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the - // antrea-controller container. // Defaults to true. SelfSignedCert *bool `yaml:"selfSignedCert,omitempty"` // Cipher suites to use.