Releases: antrea-io/antrea
Antrea v1.13.3
Fixed
- Update `Install-WindowsCNI-Containerd.ps1` script to make it compatible with containerd 1.7. (#5528, @NamanAg30)
- Store NetworkPolicy in filesystem as fallback data source to let antrea-agent fall back to using the files if it can't connect to antrea-controller on startup. (#5739, @tnqn)
- Support Local ExternalTrafficPolicy for Services with ExternalIPs when Antrea proxyAll mode is enabled. (#5795, @tnqn)
- Enable Pod network after realizing initial NetworkPolicies to avoid traffic from/to Pods bypassing NetworkPolicy when antrea-agent restarts. (#5777, @tnqn)
- Fix Clean-AntreaNetwork.ps1 invocation in Prepare-AntreaAgent.ps1 for containerized OVS on Windows. (#5859, @antoninbas)
- Fix `antctl trace-packet` command failure caused by missing arguments. (#5838, @luolanzone)
- Skip enforcement of ingress NetworkPolicies rules for hairpinned Service traffic (Pod accessing itself via a Service). (#5687 #5705, @GraysonWu)
- Set net.ipv4.conf.antrea-gw0.arp_announce to 1 to fix an ARP request leak when a Node or hostNetwork Pod accesses a local Pod and AntreaIPAM is enabled. (#5657, @gran-vmv)
- Add DHCP IP retries in PrepareHNSNetwork on Windows to fix the potential race condition issue where acquiring a DHCP IP address may fail after CreateHNSNetwork. (#5819, @XinShuYang)
Antrea v1.12.3
Fixed
- Update `Install-WindowsCNI-Containerd.ps1` script to make it compatible with containerd 1.7. (#5528, @NamanAg30)
- Store NetworkPolicy in filesystem as fallback data source to let antrea-agent fall back to using the files if it can't connect to antrea-controller on startup. (#5739, @tnqn)
- Support Local ExternalTrafficPolicy for Services with ExternalIPs when Antrea proxyAll mode is enabled. (#5795, @tnqn)
- Enable Pod network after realizing initial NetworkPolicies to avoid traffic from/to Pods bypassing NetworkPolicy when antrea-agent restarts. (#5777, @tnqn)
- Fix a deadlock issue in NetworkPolicy Controller which causes a FQDN resolution failure. (#5566 #5583, @Dyanngg @tnqn)
- Skip enforcement of ingress NetworkPolicies rules for hairpinned Service traffic (Pod accessing itself via a Service). (#5687 #5705, @GraysonWu)
- Set net.ipv4.conf.antrea-gw0.arp_announce to 1 to fix an ARP request leak when a Node or hostNetwork Pod accesses a local Pod and AntreaIPAM is enabled. (#5657, @gran-vmv)
- Fix `antctl tf` CLI failure when the Traceflow is using an IPv6 address. (#5588, @Atish-iaf)
- Fix NetworkPolicy span calculation to avoid out-dated data when multiple NetworkPolicies have the same selector. (#5554, @tnqn)
- Fix SSL library downloading failure in Install-OVS.ps1 on Windows. (#5510, @XinShuYang)
- Fix rollback invocation after CmdAdd failure in CNI server. (#5548, @antoninbas)
- Do not apply Egress to traffic destined for ServiceCIDRs to avoid performance issue and unexpected behaviors. (#5495, @tnqn)
- Do not delete IPv6 link-local route in route reconciler to fix cross-Node Pod traffic or Pod-to-external traffic. (#5483, @wenyingd)
Release v1.14.1
Fixed
- Fix the CrashLoopBackOff issue when using the UBI-based image. (#5723, @antoninbas)
- Skip enforcement of ingress NetworkPolicies rules for hairpinned Service traffic (Pod accessing itself via a Service). (#5687 #5705, @GraysonWu)
- Set net.ipv4.conf.antrea-gw0.arp_announce to 1 to fix an ARP request leak when a Node or hostNetwork Pod accesses a local Pod and AntreaIPAM is enabled. (#5657, @gran-vmv)
Release v1.13.2
Fixed
- Fix `antctl tf` CLI failure when the Traceflow is using an IPv6 address. (#5588, @Atish-iaf)
- Fix a deadlock issue in NetworkPolicy Controller which causes a FQDN resolution failure. (#5566 #5583, @Dyanngg @tnqn)
- Fix NetworkPolicy span calculation to avoid out-dated data when multiple NetworkPolicies have the same selector. (#5554, @tnqn)
- Fix SSL library downloading failure in Install-OVS.ps1 on Windows. (#5510, @XinShuYang)
- Fix rollback invocation after CmdAdd failure in CNI server. (#5548, @antoninbas)
- Do not apply Egress to traffic destined for ServiceCIDRs to avoid performance issue and unexpected behaviors. (#5495, @tnqn)
- Do not delete IPv6 link-local route in route reconciler to fix cross-Node Pod traffic or Pod-to-external traffic. (#5483, @wenyingd)
Release v1.14.0
Note for UBI users: The UBI8-based image tags for this release (`antrea/antrea-ubi:v1.14.0` and `projects.registry.vmware.com/antrea/antrea-ubi:v1.14.0`) were unusable (Antrea containers will crash immediately on startup) because of a bug and we have decided to delete them from the registries. Please use the tags for release v1.14.1 instead (`antrea/antrea-ubi:v1.14.1` and `projects.registry.vmware.com/antrea/antrea-ubi:v1.14.1`). Ubuntu-based image tags (`antrea/antrea-ubuntu:v1.14.0` and `projects.registry.vmware.com/antrea/antrea-ubuntu:v1.14.0`) are unaffected and fully functional.
Added
- Add rate-limit config to Egress to specify the rate limit of north-south egress traffic of this Egress. (#5425, @GraysonWu)
- Add `IPAllocated` and `IPAssigned` conditions to Egress status to improve Egress visibility. (#5282, @AJPL88 [@tnqn])
- Add goroutine stack dump in `SupportBundle` for both Antrea Agent and Antrea Controller. (#5538, @aniketraj1947)
- Add "X-Load-Balancing-Endpoint-Weight" header to AntreaProxy Service healthcheck. (#5299, [@hongliangl])
- Add log rotation configuration in Antrea Agent config for audit logs. (#5337 #5366, @antoninbas [@mengdie-song])
- Add GroupMembers API Pagination support to Antrea Go clientset. (#5533, [@qiyueyao])
- Add Namespaced Group Membership API for Antrea Controller. (#5380, [@qiyueyao])
- Support Pod secondary interfaces on VLAN network. (#5341 #5365 #5279, [@jianjuns])
- Enable Windows OVS container to run on pristine host environment, without requiring some dependencies to be installed manually ahead of time. (#5440, @NamanAg30)
- Update `Install-WindowsCNI-Containerd.ps1` script to make it compatible with containerd 1.7. (#5528, @NamanAg30)
- Add a new all-in-one manifest for the Multi-cluster leader cluster, and update the Multi-cluster user guide. (#5389 #5531, [@luolanzone])
- Clean up auto-generated resources in leader and member clusters when a ClusterSet is deleted, and recreate resources when a member cluster rejoins the ClusterSet. (#5351 #5410, [@luolanzone])
Changed
- Multiple APIs are promoted from beta to GA. The corresponding feature gates are removed from Antrea config files.
  - Promote feature gate EndpointSlice to GA. (#5393, [@hongliangl])
  - Promote feature gate NodePortLocal to GA. (#5491, [@hjiajing])
  - Promote feature gate AntreaProxy to GA, and add an option `antreaProxy.enable` to allow users to disable this feature. (#5401, [@hongliangl])
- Make antrea-controller not tolerate Node unreachable to speed up the failover process. (#5521, [@tnqn])
- Improve `antctl get featuregates` output. (#5314, @cr7258)
- Increase the rate limit setting of `PacketInMeter` and the size of `PacketInQueue`. (#5460, @GraysonWu)
- Add `hostAliases` to Helm values for Flow Aggregator. (#5386, [@yuntanghsu])
- Decouple Audit logging from AntreaPolicy feature gate to enable logging for NetworkPolicy when AntreaPolicy is disabled. (#5352, [@qiyueyao])
- Change Traceflow CRD validation to webhook validation. (#5230, [@shi0rik0])
- Stop using `/bin/sh` and invoke the binary directly for OVS commands in Antrea Agent. (#5364, @antoninbas)
- Install flows for nested Services in `EndpointDNAT` only when Antrea Multi-cluster is enabled. (#5411, [@hongliangl])
- Make rate-limiting of PacketIn messages configurable; the same rate-limit value applies to each feature that is dependent on PacketIn messages (e.g., Traceflow) but the limit is enforced independently for each feature. (#5450, @GraysonWu)
- Change the default flow's action to `drop` in `ARPSpoofGuardTable` to effectively prevent ARP spoofing. (#5378, [@hongliangl])
- Remove auto-generated suffix from ConfigMap names, and add config checksums as Deployment annotations in Windows manifests, to avoid stale ConfigMaps when updating Antrea while preserving automatic rolling of Pods. (#5545, @Atish-iaf)
- Add a ClusterSet deletion webhook for the leader cluster to reject ClusterSet deletion if there is any MemberClusterAnnounce. (#5475, [@luolanzone])
- Update Go version to v1.21. (#5377, @antoninbas)
Fixed
- Remove the dependency of the MulticastGroup API on the NetworkPolicyStats feature gate, to fix the empty list issue when users run `kubectl get multicastgroups` even when the Multicast is enabled. (#5367, @ceclinux)
- Fix `antctl tf` CLI failure when the Traceflow is using an IPv6 address. (#5588, @Atish-iaf)
- Fix a deadlock issue in NetworkPolicy Controller which causes a FQDN resolution failure. (#5566 #5583, @Dyanngg [@tnqn])
- Fix NetworkPolicy span calculation to avoid out-dated data when multiple NetworkPolicies have the same selector. (#5554, [@tnqn])
- Use the first matching address when getting Node address to find the correct transport interface. (#5529, [@xliuxu])
- Fix rollback invocation after CmdAdd failure in CNI server and improve logging. (#5548, @antoninbas)
- Add error log when Antrea network's MTU exceeds Suricata's maximum supported value. (#5408, [@hongliangl])
- Do not delete IPv6 link-local route in route reconciler to fix cross-Node Pod traffic or Pod-to-external traffic. (#5483, [@wenyingd])
- Do not apply Egress to traffic destined for ServiceCIDRs to avoid performance issue and unexpected behaviors. (#5495, [@tnqn])
- Unify TCP and UDP DNS interception flows to fix invalid flow matching for DNS responses. (#5392, @GraysonWu)
- Fix the burst setting of the `PacketInQueue` to reduce the DNS response delay when a Pod has any FQDN policy applied. (#5456, [@tnqn])
- Fix SSL library downloading failure in Install-OVS.ps1 on Windows. (#5510, @XinShuYang)
- Do not attempt to join Windows antrea-agents to the memberlist cluster to avoid misleading error logs. (#5434, [@tnqn])
- Fix an issue that antctl proxy is not using the user specified port. (#5435, [@tnqn])
- Enable IPv6 on OVS internal port if needed in bridging mode to fix agent crash issue when IPAM is enabled. (#5409, @antoninbas)
- Fix missing protocol in Service when processing ANP named ports to ensure rule can be enforced correctly in OVS. (#5370, @Dyanngg)
- Fix error log when agent fails to connect to K8s API. (#5353, [@tnqn])
- Fix a bug that ClusterSet status is not updated in Antrea Multi-cluster. (#5338, [@luolanzone])
- Fix an Antrea Controller crash issue in handling empty Pod labels for LabelIdentity when the config enableStretchedNetworkPolicy is enabled for Antrea Multi-cluster. (#5404 #5449, @Dyanngg)
- Always initialize `ovs_meter_packet_dropped_count` metrics to fix a bug that the metrics are not showing up if OVS Meter is not supported on the system. (#5413, [@tnqn])
- Skip starting modules which are not required by VM Agent to fix logs flood due to RBAC warning. (#5391, [@mengdie-song])
Release v1.11.4
Fixed
- Fix a deadlock issue in NetworkPolicy Controller which causes a FQDN resolution failure. (#5566 #5583, @Dyanngg @tnqn)
- Fix NetworkPolicy span calculation to avoid out-dated data when multiple NetworkPolicies have the same selector. (#5554, @tnqn)
- Fix SSL library downloading failure in Install-OVS.ps1 on Windows. (#5510, @XinShuYang)
- Fix rollback invocation after CmdAdd failure in CNI server and improve logging. (#5548, @antoninbas)
- Do not apply Egress to traffic destined for ServiceCIDRs to avoid performance issue and unexpected behaviors. (#5495, @tnqn)
- Do not delete IPv6 link-local route in route reconciler to fix cross-Node Pod traffic or Pod-to-external traffic. (#5483, @wenyingd)
- Fix discovered Service CIDR flapping on Agent start. (#5017, @tnqn)
Release v1.12.2
Changed
- Change the default flow's action to `drop` in ARPSpoofGuardTable to effectively prevent ARP spoofing. (#5378, @hongliangl)
- Stop using `/bin/sh` and invoke the binary directly for OVS commands in Antrea Agent. (#5364, @antoninbas)
- Increase the rate limit setting of `PacketInMeter` and the size of `PacketInQueue`. (#5460, @GraysonWu)
- Revert a change to serve the v1alpha2 version of the ClusterGroup CRD again for the consistent API promotion plan. (#5277, @GraysonWu)
- Upgrade Open vSwitch to 2.17.7. (#5225, @antoninbas)
Fixed
- Fix an Antrea Controller crash issue in handling empty Pod labels for LabelIdentity when the config `enableStretchedNetworkPolicy` is enabled for Antrea Multi-cluster. (#5404 #5449, @Dyanngg)
- Remove NetworkPolicyStats dependency of MulticastGroup API to fix the empty list issue when users run `kubectl get multicastgroups` even when the Multicast is enabled. (#5367, @ceclinux)
- Do not attempt to join Windows agents to the memberlist cluster to avoid misleading error logs. (#5434, @tnqn)
- Fix the burst setting of the `PacketInQueue` to reduce the DNS response delay when a Pod has any FQDN policy applied. (#5456, @tnqn)
- Use OpenFlow group for Network Policy logging to avoid packet drops when massive connections hit the policy. (#5061, @wenyingd)
Release v1.13.1
Changed
- Change the default flow's action to `drop` in ARPSpoofGuardTable to effectively prevent ARP spoofing. (#5378, @hongliangl)
- Stop using `/bin/sh` and invoke the binary directly for OVS commands in Antrea Agent. (#5364, @antoninbas)
- Increase the rate limit setting of `PacketInMeter` and the size of `PacketInQueue`. (#5460, @GraysonWu)
Fixed
- Fix an Antrea Controller crash issue in handling empty Pod labels for LabelIdentity when the config `enableStretchedNetworkPolicy` is enabled for Antrea Multi-cluster. (#5404 #5449, @Dyanngg)
- Remove NetworkPolicyStats dependency of MulticastGroup API to fix the empty list issue when users run `kubectl get multicastgroups` even when the Multicast is enabled. (#5367, @ceclinux)
- Fix a bug that ClusterSet status is not updated in Antrea Multi-cluster. (#5338, @luolanzone)
- Always initialize `ovs_meter_packet_dropped_count` metrics to fix a bug that the metrics are not showing up if OVS Meter is not supported on the system. (#5413, @tnqn)
- Unify TCP and UDP DNS interception flows to fix invalid flow matching for DNS responses. (#5392, @GraysonWu)
- Fix an issue that antctl proxy is not using the user specified port. (#5435, @tnqn)
- Do not attempt to join Windows agents to the memberlist cluster to avoid misleading error logs. (#5434, @tnqn)
- Fix the burst setting of the `PacketInQueue` to reduce the DNS response delay when a Pod has any FQDN policy applied. (#5456, @tnqn)
Release v1.11.3
Changed
- Change the default flow's action to `drop` in ARPSpoofGuardTable to effectively prevent ARP spoofing. (#5378, @hongliangl)
- Stop using `/bin/sh` and invoke the binary directly for OVS commands in Antrea Agent. (#5364, @antoninbas)
- Increase the rate limit setting of `PacketInMeter` and the size of `PacketInQueue`. (#5460, @GraysonWu)
- Upgrade Open vSwitch to 2.17.7. (#5225, @antoninbas)
Fixed
- Fix IPv4 groups containing IPv6 endpoints mistakenly in dual-stack clusters in AntreaProxy implementation. (#5194, @tnqn)
- Fix ClusterClaim webhook bug to avoid ClusterClaim deletion failure. (#5075, @luolanzone)
- Ensure the Egress IP is always correctly advertised to the network, including when the userspace ARP responder is not running or when the Egress IP is temporarily claimed by multiple Nodes. (#5127, @tnqn)
- Fix status report when no-op changes are applied to Antrea-native policies. (#5096, @tnqn)
- Bump up libOpenflow version to fix a PacketIn response parse error. (#5157, @wenyingd)
- Remove NetworkPolicyStats dependency of MulticastGroup API to fix the empty list issue when users run `kubectl get multicastgroups` even when the Multicast is enabled. (#5367, @ceclinux)
- Fix an Antrea Controller crash issue in handling empty Pod labels for LabelIdentity when the config `enableStretchedNetworkPolicy` is enabled for Antrea Multi-cluster. (#5404 #5449, @Dyanngg)
- Do not attempt to join Windows agents to the memberlist cluster to avoid misleading error logs. (#5434, @tnqn)
- Fix the burst setting of the `PacketInQueue` to reduce the DNS response delay when a Pod has any FQDN policy applied. (#5456, @tnqn)
Release v1.13.0
Added
- Add AdminNetworkPolicy support in Antrea to align with K8s NetworkPolicy API, and document the introduction and usage. (#5170 #5270, [@Dyanngg])
- Support DSR mode for Service's external addresses in AntreaProxy, including LoadBalancerIPs and ExternalIPs. (#5202 #5251, [@tnqn])
- Containerize Windows userspace OVS processes and run them in a container of the Antrea Agent Pod to align with the Linux design. (#4936 #5052 #5303, [@rajnkamr] @Atish-iaf)
- Add a new option `ContainerRuntime` to allow users to configure the container runtime while using the script `Prepare-Node.ps1` on K8s Windows Node. (#5071, [@NamanAg30])
- Add support for TLS, HTTP, and HTTPS protocols for FlowAggregator to connect to the ClickHouse DB, and allow users to specify the CA certificate for TLS and HTTPS. (#5171, [@yuntanghsu])
- Enhance Antrea L7 NetworkPolicy to support the TLS protocol. (#4932, [@hongliangl])
- Add command `antctl upgrade api-storage` in antctl to support resource storage version migration for Antrea CRDs. (#5198, [@hongliangl])
- Add support for removing the associated stale conntrack entries when UDP Endpoints are removed, with which UDP requests can be redirected to other Endpoints immediately rather than waiting for the conntrack entries to expire. (#5112, [@hongliangl])
- Add Egress information to flow records for Pod-to-external flows in FlowExporter. (#5088, [@dreamtalen])
- Increase accuracy of Pod information in the flow records by adding a Pod store in FlowExporter and FlowAggregator for them to fetch the Pod information. (#5185, [@yuntanghsu])
- Add support for Service annotation `service.kubernetes.io/topology-mode` in AntreaProxy since the old `service.kubernetes.io/topology-aware-hints` annotation has been deprecated in Kubernetes 1.27. (#5241, [@mengdie-song])
- Support the well-known label `service.kubernetes.io/service-proxy-name` in AntreaProxy to align with KEP 2447. (#4973, [@hongliangl])
- Add a new Prometheus metric to represent the number of packets dropped by OVS meter. (#5165, [@mengdie-song])
- Add support for the `sort-by` flag in more `antctl get` commands for more fields. (#4346, [@jainpulkit22])
- Add the `kubeAPIServerOverride` option to allow users to override the kube-apiserver address for antrea-controller. (#5056, [@tnqn])
- Add documentation for deploying Antrea with a Rancher cluster. (#4733, [@jainpulkit22])
Changed
- Multiple APIs are promoted from alpha to beta. The alpha versions are deprecated and will be removed in a future release.
  - Promote ClusterGroup and Group to v1beta1. (#5181, [@GraysonWu])
  - Promote ExternalIPPool API to v1beta1. (#5176, [@hongliangl])
  - Promote Tier API to v1beta1. (#5172, [@GraysonWu])
  - Promote Egress API to v1beta1. (#5180, [@wenqiq])
  - Promote AntreaClusterNetworkPolicy and AntreaNativeNetworkPolicy API to v1beta1. (#5186, [@GraysonWu])
  - Promote Traceflow API to v1beta1. (#5108, [@luolanzone])
- Add a validation schema for the matchLabels field of the ExternalIPPool CRD. (#5284, [@tnqn])
- Enable `proxyAll` by default for AntreaProxy on Windows because the kube-proxy userspace datapath has been removed since Kubernetes 1.26. (#4980, [@XinShuYang])
- Change default port range of NodePortLocal on Windows to `40000-41000` to avoid conflicts with the Windows default dynamic port range. (#5107, [@XinShuYang])
- Remove the ClusterClaim CRD and upgrade the ClusterSet CRD version to v1alpha2, and enhance the ClusterSet controller to support ClusterSet version upgrade. (#5001 #5250, [@luolanzone])
- Increase the controller QPS setting in Multi-cluster Controller to improve multi-cluster resource export performance, and increase the LabelIdentity controller worker count to improve its performance. (#5099, [@GraysonWu])
- Improve direct connections to the Antrea apiserver in antctl with accessibility to Node ExternalIP and add a new `--insecure` option to support both secure and insecure connections. (#5135, [@antoninbas])
- Add two new fields to audit logs, including the "direction" of the NP rule (Ingress or Egress) and the reference of the Pod (`<Namespace>/<Name>`) to which the NP rule is applied. (#5101, [@antoninbas])
- Add a FlowExporter configuration toggle to antrea-agent for users to explicitly enable/disable flow exports. (#5021, [@yuntanghsu])
- Add OpenAPI schema for the AntreaAgentInfo and AntreaControllerInfo CRDs. (#5206, [@ceclinux])
- Update short-name for AntreaNetworkPolicy to ANNP. (#5081, [@qiyueyao])
- Use syscall to query or operate network adapters on Windows to reduce operation delay. (#4898, [@wenyingd] [@qiyueyao])
- Update out-of-date audit logs docs for new log fields. (#5199, [@cr7258])
- Switch to structured logging and change the verbosity of a potentially misleading Info log in the Antrea NetworkPolicy reconciler. (#5048, [@antoninbas])
- Revert a change to serve the v1alpha2 version of the ClusterGroup CRD again for the consistent API promotion plan. (#5277, [@GraysonWu])
- Upgrade Open vSwitch to version 2.17.7. (#5225, [@antoninbas])
- Upgrade Windows Open vSwitch to version 3.0.5. (#5120, [@wenyingd])
- Upgrade ClickHouse go client to v2. (#5020, [@heanlan])
- Remove Antrea Octant plugin. (#5049, [@antoninbas])
Fixed
- Bump up `libOpenflow` and `ofnet` library versions to fix a PacketIn2 response parse error. (#5154, [@wenyingd])
- Bump up `libOpenflow` library to v0.12.1 to fix an antrea-agent crash issue when marshaling the IGMPv3 query packet. (#5320, [@ceclinux])
- Use OpenFlow group for Network Policy logging to avoid packet drops when massive connections hit the policy. (#5061, [@wenyingd])
- Fix an issue in Antrea-native policies with FQDN rules where TCP src port is unset on the TCP DNS response flow. (#5078, [@wenyingd])
- Fix status report when no-op changes are applied to Antrea-native policies. (#5096, [@tnqn])
- Ensure the Egress IP is always correctly advertised to the network, including when the userspace ARP responder is not running or when the Egress IP is temporarily claimed by multiple Nodes. (#5127, [@tnqn])
- Fix incorrect FlowMod message passing in the modifyFlows function of the OpenFlow client to avoid unexpected flow error. (#5125, [@Dyanngg])
- Fix a bug that antrea-agent fails to delete the ExternalNode CR when it runs on a RHEL 8.4 VM on Azure cloud. (#5191, [@wenyingd])
- Fix IPv4 groups containing IPv6 endpoints mistakenly in dual-stack clusters in AntreaProxy implementation. (#5194, [@tnqn])
- Fix RBAC permissions for the Antctl ClusterRole to ensure the ClusterRole definition is up-to-date. (#5166, [@antoninbas])
- Fix some code examples in a few documents. (#5182, [@tnqn])
- Add apiVersion and kind for unstructured objects in `antctl mc` codes to fix a rollback failure. (#5138, [@luolanzone])
- Fix a ClusterClaim webhook bug that can lead to ClusterClaim deletion failures. (#5075, [@luolanzone])
- Revise "antctl mc deploy" command to fix a Multi-cluster deployment failure on EKS clusters. (#5080, [@luolanzone])