0.19.0
Pre-release
container-networking-bot released this 31 Mar 23:23
The first release to include a new layer-3 only CNI plugin. Highlights include:
- Silk CNI plugin to replace Flannel CNI plugin
- NetIn and NetOut rules are configured through CNI
- Networking features to enable BOSH DNS for CF apps
We do not recommend using cf-networking-release in production yet, but give it a try and give us your feedback in the #container-networking channel on cloudfoundry.slack.com.
Take a look at the known issues for current limitations. Verified with the following:
Manifest Changes
Changed Properties
- The value for `cf_networking.garden_external_networker.cni_plugin_dir` must be updated to `/var/vcap/packages/silk/bin` if you are not swapping out CNI with your own plugin. (There is no default currently, but we plan to add one in the next release.)
- The property for global ASG logging has changed from `cf_networking.garden_external_networker.iptables_asg_logging` to `cf_networking.iptables_asg_logging`.
Removed Properties
`cf_networking.flannel_watchdog.no_bridge` is now removed.
New Properties
A new property, `cf_networking.dns_servers`, has been added to support an upcoming feature. Users can specify DNS servers, and access will be automatically allowed for link-local DNS servers.
The new feature will require garden-runc-release versions >=1.4.0.
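A pre-upgrade check an operator could run over the parsed `cf_networking` properties of an existing manifest to catch the changes listed above. This is an added example, not code from cf-networking-release; it assumes the manifest YAML has already been loaded into nested dicts, and the sample properties block below is constructed.

```python
import ipaddress

# Property names and the Silk path come from the 0.19.0 release notes; the
# checker itself is an added illustration, not cf-networking-release code.
SILK_PLUGIN_DIR = "/var/vcap/packages/silk/bin"
CNI_PLUGIN_DIR = "cf_networking.garden_external_networker.cni_plugin_dir"
OLD_ASG_LOGGING = "cf_networking.garden_external_networker.iptables_asg_logging"
NEW_ASG_LOGGING = "cf_networking.iptables_asg_logging"
REMOVED_NO_BRIDGE = "cf_networking.flannel_watchdog.no_bridge"
DNS_SERVERS = "cf_networking.dns_servers"

def lookup(props, dotted):  # walk a nested dict by dotted key; None if absent
    node = props
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def check_manifest(props, custom_cni=False):
    """Return findings for a parsed manifest properties block.
    custom_cni=True means the operator supplies their own CNI plugin."""
    findings = []
    plugin_dir = lookup(props, CNI_PLUGIN_DIR)
    if not custom_cni and plugin_dir != SILK_PLUGIN_DIR:
        findings.append(f"{CNI_PLUGIN_DIR} must be {SILK_PLUGIN_DIR} "
                        f"(currently {plugin_dir!r}; there is no default yet)")
    if lookup(props, OLD_ASG_LOGGING) is not None:
        findings.append(f"{OLD_ASG_LOGGING} was renamed to {NEW_ASG_LOGGING}")
    if lookup(props, REMOVED_NO_BRIDGE) is not None:
        findings.append(f"{REMOVED_NO_BRIDGE} was removed in 0.19.0")
    for server in lookup(props, DNS_SERVERS) or []:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            findings.append(f"{DNS_SERVERS}: {server!r} is not an IP address")
            continue
        if not addr.is_link_local:  # only link-local servers are auto-allowed
            findings.append(f"{DNS_SERVERS}: {server} is not link-local, "
                            "so access to it is not allowed automatically")
    return findings

# Constructed sample of a pre-0.19.0 properties block (not a real deployment).
SAMPLE_PROPERTIES = {"cf_networking": {
    "garden_external_networker": {
        "cni_plugin_dir": "/var/vcap/packages/flannel/bin",  # constructed
        "iptables_asg_logging": True},
    "flannel_watchdog": {"no_bridge": True},
    "dns_servers": ["169.254.0.2", "8.8.8.8"]}}
```

Running `check_manifest(SAMPLE_PROPERTIES)` reports four findings: the plugin dir, the renamed ASG logging property, the removed watchdog property, and the non-link-local DNS server.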
Significant Changes
New CNI plugin
- CF Wrapper plugin fails if there is a subnet theft
- CF Networking Release can use the Silk CNI plugin instead of the flannel + bridge plugins
- Flannel watchdog has a bridgeless mode where it inspects the container metadata store
- An acceptance environment is running a BOSH deployed silkd
NetIn/NetOut Changes
- Wrapper CNI plugin can configure NetIn and NetOut
- The external networker defers to the CNI plugin to write NetIn/NetOut rules
BOSH DNS support
- An iptables input rule is written for every local DNS server
- DNS servers are returned from the external networker to garden
- Requires garden-runc-release versions >1.3.0
Logging enhancements
- Logging for denied outbound non-c2c packets
- As an operator I know how to find the source app using a packet capture
- ASG deny logging is rate limited to a hardcoded interval
- Troubleshooting docs include information about ASG logging through BOSH property