Add EgressGroup API and Controller (#1965)

This patch adds a controlplane API which provides List, Get, and Watch
interface for EgressGroups. antrea-agents consume the API to get the
Pods to which an Egress applies. Each agent only receives Pods running
on its own Node.

build/yamls/antrea-aks.yml

@@ -1891,6 +1891,14 @@ rules:
   - get
   - watch
   - list
+- apiGroups:
+  - controlplane.antrea.io
+  resources:
+  - egressgroups
+  verbs:
+  - get
+  - watch
+  - list
 - apiGroups:
   - controlplane.antrea.tanzu.vmware.com
   - controlplane.antrea.io
@@ -1952,6 +1960,14 @@ rules:
   - patch
   - create
   - delete
+- apiGroups:
+  - crd.antrea.io
+  resources:
+  - egresses
+  verbs:
+  - get
+  - watch
+  - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -2143,6 +2159,14 @@ rules:
   - clustergroups/status
   verbs:
   - update
+- apiGroups:
+  - crd.antrea.io
+  resources:
+  - egresses
+  verbs:
+  - get
+  - watch
+  - list
 - apiGroups:
   - clusterinformation.antrea.tanzu.vmware.com
   resources:
@@ -2303,6 +2327,9 @@ data:
     # Enable collecting and exposing NetworkPolicy statistics.
     #  NetworkPolicyStats: false
 
+    # Enable controlling SNAT IPs of Pod egress traffic.
+    #  Egress: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     #ovsBridge: br-int
@@ -2451,6 +2478,9 @@ data:
     # Enable collecting and exposing NetworkPolicy statistics.
     #  NetworkPolicyStats: false
 
+    # Enable controlling SNAT IPs of Pod egress traffic.
+    #  Egress: false
+
     # The port for the antrea-controller APIServer to serve on.
     # Note that if it's set to another value, the `containerPort` of the `api` port of the
     # `antrea-controller` container must be set to the same value.
@@ -2495,7 +2525,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-t45hm85989
+  name: antrea-config-bm46tm9f88
   namespace: kube-system
 ---
 apiVersion: v1
@@ -2615,7 +2645,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-t45hm85989
+          name: antrea-config-bm46tm9f88
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -2924,7 +2954,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-t45hm85989
+          name: antrea-config-bm46tm9f88
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-eks.yml

@@ -1891,6 +1891,14 @@ rules:
   - get
   - watch
   - list
+- apiGroups:
+  - controlplane.antrea.io
+  resources:
+  - egressgroups
+  verbs:
+  - get
+  - watch
+  - list
 - apiGroups:
   - controlplane.antrea.tanzu.vmware.com
   - controlplane.antrea.io
@@ -1952,6 +1960,14 @@ rules:
   - patch
   - create
   - delete
+- apiGroups:
+  - crd.antrea.io
+  resources:
+  - egresses
+  verbs:
+  - get
+  - watch
+  - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -2143,6 +2159,14 @@ rules:
   - clustergroups/status
   verbs:
   - update
+- apiGroups:
+  - crd.antrea.io
+  resources:
+  - egresses
+  verbs:
+  - get
+  - watch
+  - list
 - apiGroups:
   - clusterinformation.antrea.tanzu.vmware.com
   resources:
@@ -2303,6 +2327,9 @@ data:
     # Enable collecting and exposing NetworkPolicy statistics.
     #  NetworkPolicyStats: false
 
+    # Enable controlling SNAT IPs of Pod egress traffic.
+    #  Egress: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     #ovsBridge: br-int
@@ -2451,6 +2478,9 @@ data:
     # Enable collecting and exposing NetworkPolicy statistics.
     #  NetworkPolicyStats: false
 
+    # Enable controlling SNAT IPs of Pod egress traffic.
+    #  Egress: false
+
     # The port for the antrea-controller APIServer to serve on.
     # Note that if it's set to another value, the `containerPort` of the `api` port of the
     # `antrea-controller` container must be set to the same value.
@@ -2495,7 +2525,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-t45hm85989
+  name: antrea-config-bm46tm9f88
   namespace: kube-system
 ---
 apiVersion: v1
@@ -2615,7 +2645,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-t45hm85989
+          name: antrea-config-bm46tm9f88
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -2926,7 +2956,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-t45hm85989
+          name: antrea-config-bm46tm9f88
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-gke.yml

@@ -1891,6 +1891,14 @@ rules:
   - get
   - watch
   - list
+- apiGroups:
+  - controlplane.antrea.io
+  resources:
+  - egressgroups
+  verbs:
+  - get
+  - watch
+  - list
 - apiGroups:
   - controlplane.antrea.tanzu.vmware.com
   - controlplane.antrea.io
@@ -1952,6 +1960,14 @@ rules:
   - patch
   - create
   - delete
+- apiGroups:
+  - crd.antrea.io
+  resources:
+  - egresses
+  verbs:
+  - get
+  - watch
+  - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -2143,6 +2159,14 @@ rules:
   - clustergroups/status
   verbs:
   - update
+- apiGroups:
+  - crd.antrea.io
+  resources:
+  - egresses
+  verbs:
+  - get
+  - watch
+  - list
 - apiGroups:
   - clusterinformation.antrea.tanzu.vmware.com
   resources:
@@ -2303,6 +2327,9 @@ data:
     # Enable collecting and exposing NetworkPolicy statistics.
     #  NetworkPolicyStats: false
 
+    # Enable controlling SNAT IPs of Pod egress traffic.
+    #  Egress: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     #ovsBridge: br-int
@@ -2451,6 +2478,9 @@ data:
     # Enable collecting and exposing NetworkPolicy statistics.
     #  NetworkPolicyStats: false
 
+    # Enable controlling SNAT IPs of Pod egress traffic.
+    #  Egress: false
+
     # The port for the antrea-controller APIServer to serve on.
     # Note that if it's set to another value, the `containerPort` of the `api` port of the
     # `antrea-controller` container must be set to the same value.
@@ -2495,7 +2525,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-c2c88t7544
+  name: antrea-config-5c954cd56b
   namespace: kube-system
 ---
 apiVersion: v1
@@ -2615,7 +2645,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-c2c88t7544
+          name: antrea-config-5c954cd56b
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -2927,7 +2957,7 @@ spec:
           path: /home/kubernetes/bin
         name: host-cni-bin
       - configMap:
-          name: antrea-config-c2c88t7544
+          name: antrea-config-5c954cd56b
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-ipsec.yml

@@ -1891,6 +1891,14 @@ rules:
   - get
   - watch
   - list
+- apiGroups:
+  - controlplane.antrea.io
+  resources:
+  - egressgroups
+  verbs:
+  - get
+  - watch
+  - list
 - apiGroups:
   - controlplane.antrea.tanzu.vmware.com
   - controlplane.antrea.io
@@ -1952,6 +1960,14 @@ rules:
   - patch
   - create
   - delete
+- apiGroups:
+  - crd.antrea.io
+  resources:
+  - egresses
+  verbs:
+  - get
+  - watch
+  - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -2143,6 +2159,14 @@ rules:
   - clustergroups/status
   verbs:
   - update
+- apiGroups:
+  - crd.antrea.io
+  resources:
+  - egresses
+  verbs:
+  - get
+  - watch
+  - list
 - apiGroups:
   - clusterinformation.antrea.tanzu.vmware.com
   resources:
@@ -2303,6 +2327,9 @@ data:
     # Enable collecting and exposing NetworkPolicy statistics.
     #  NetworkPolicyStats: false
 
+    # Enable controlling SNAT IPs of Pod egress traffic.
+    #  Egress: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     #ovsBridge: br-int
@@ -2456,6 +2483,9 @@ data:
     # Enable collecting and exposing NetworkPolicy statistics.
     #  NetworkPolicyStats: false
 
+    # Enable controlling SNAT IPs of Pod egress traffic.
+    #  Egress: false
+
     # The port for the antrea-controller APIServer to serve on.
     # Note that if it's set to another value, the `containerPort` of the `api` port of the
     # `antrea-controller` container must be set to the same value.
@@ -2500,7 +2530,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-f9cht7228c
+  name: antrea-config-29788ckmb7
   namespace: kube-system
 ---
 apiVersion: v1
@@ -2629,7 +2659,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-f9cht7228c
+          name: antrea-config-29788ckmb7
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -2973,7 +3003,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-f9cht7228c
+          name: antrea-config-29788ckmb7
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d