Merge branch 'main' into antrea-secondary-network-test-sep22

.github/workflows/lifecycle_management.yml

@@ -9,7 +9,7 @@ jobs:
     if: github.repository == 'antrea-io/antrea'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v6
+      - uses: actions/stale@v7
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           stale-issue-message: 'This issue is stale because it has been open 90 days with no activity. Remove stale label or comment, or this will be closed in 90 days'

.github/workflows/process_release.yml

@@ -182,6 +182,15 @@ jobs:
         asset_path: ./assets/antrea-windows.yml
         asset_name: antrea-windows.yml
         asset_content_type: application/octet-stream
+    - name: Upload antrea-windows-containerd.yml
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ github.event.release.upload_url }}
+        asset_path: ./assets/antrea-windows-containerd.yml
+        asset_name: antrea-windows-containerd.yml
+        asset_content_type: application/octet-stream
     - name: Upload flow-aggregator.yml
       uses: actions/upload-release-asset@v1
       env:

CHANGELOG/CHANGELOG-1.10.md

@@ -0,0 +1,73 @@
+# Changelog 1.10
+
+## 1.10.0 - 2022-12-23
+
+### Added
+
+- Add L7NetworkPolicy feature which enables users to protect their applications by specifying how they are allowed to communicate with others, taking into account application context. ([#4380](https://github.com/antrea-io/antrea/pull/4380) [#4406](https://github.com/antrea-io/antrea/pull/4406) [#4410](https://github.com/antrea-io/antrea/pull/4410), [@hongliangl] [@qiyueyao] [@tnqn])
+    * Layer 7 NetworkPolicy can be configured through the `l7Protocols` field of Antrea-native policies.
+    * Refer to [this document](https://github.com/antrea-io/antrea/blob/release-1.10/docs/antrea-l7-network-policy.md) for more information about this feature.
+- Add SupportBundleCollection feature which enables a CRD API for Antrea to collect support bundle files on any K8s Node or ExternalNode, and upload to a user-defined file server. ([#4184](https://github.com/antrea-io/antrea/pull/4184) [#4338](https://github.com/antrea-io/antrea/pull/4338) [#4249](https://github.com/antrea-io/antrea/pull/4249), [@wenyingd] [@mengdie-song] [@ceclinux])
+    * Refer to [this document](https://github.com/antrea-io/antrea/blob/release-1.10/docs/support-bundle-guide.md) for more information about this feature.
+- Add support for NetworkPolicy for cross-cluster traffic. ([#4432](https://github.com/antrea-io/antrea/pull/4432) [#3914](https://github.com/antrea-io/antrea/pull/3914), [@Dyanngg] [@GraysonWu])
+    * Setting `scope` of an ingress peer to `clusterSet` expands the scope of the `podSelector` or `namespaceSelector` to the entire ClusterSet.
+    * Setting `scope` of `toServices` to `clusterSet` selects a Multi-cluster Service. ([#4397](https://github.com/antrea-io/antrea/pull/4397), [@Dyanngg])
+    * Refer to [this document](https://github.com/antrea-io/antrea/blob/release-1.10/docs/multicluster/user-guide.md#networkpolicy-for-cross-cluster-traffic) for more information about this feature.
+- Add the following capabilities to the ExternalNode feature:
+    * Containerized option for antrea-agent installation on Linux VMs. ([#4413](https://github.com/antrea-io/antrea/pull/4413), [@Nithish555])
+    * Support for RHEL 8.4. ([#4323](https://github.com/antrea-io/antrea/pull/4323), [@Nithish555])
+- Add support for running antrea-agent as DaemonSet when using containerd as the runtime on Windows. ([#4279](https://github.com/antrea-io/antrea/pull/4279), [@XinShuYang])
+- Add [documentation](https://github.com/antrea-io/antrea/blob/release-1.10/docs/multicast-guide.md) for Antrea Multicast. ([#4339](https://github.com/antrea-io/antrea/pull/4339), [@ceclinux])
+
+### Changed
+
+- Extend `antctl mc get joinconfig` to print member token Secret. ([#4363](https://github.com/antrea-io/antrea/pull/4363), [@jianjuns])
+- Improve support for Egress in Traceflow. ([#3926](https://github.com/antrea-io/antrea/pull/3926), [@Atish-iaf])
+- Add NodePortLocalPortRange field for AntreaAgentInfo. ([#4379](https://github.com/antrea-io/antrea/pull/4379), [@wenqiq])
+- Use format "namespace/name" as the key for ExternalNode span calculation. ([#4401](https://github.com/antrea-io/antrea/pull/4401), [@wenyingd])
+- Enclose Pod labels with single quotes when uploading CSV record to S3 in the FlowAggregator. ([#4334](https://github.com/antrea-io/antrea/pull/4334), [@dreamtalen])
+- Upgrade Antrea base image to ubuntu 22.04. ([#4459](https://github.com/antrea-io/antrea/pull/4459) [#4499](https://github.com/antrea-io/antrea/pull/4499), [@antoninbas])
+- Update OVS to 2.17.3. ([#4402](https://github.com/antrea-io/antrea/pull/4402), [@mnaser])
+- Reduce confusion caused by transient error encountered when creating static Tiers. ([#4414](https://github.com/antrea-io/antrea/pull/4414), [@tnqn])
+
+### Fixed
+
+- Add a periodic job to rejoin dead Nodes, to fix Egress not working properly after long network downtime. ([#4491](https://github.com/antrea-io/antrea/pull/4491), [@tnqn])
+- Fix potential deadlocks and memory leaks of memberlist maintenance in large-scale clusters. ([#4469](https://github.com/antrea-io/antrea/pull/4469), [@wenyingd])
+- Fix connectivity issues caused by MAC address changes with systemd v242 and later. ([#4428](https://github.com/antrea-io/antrea/pull/4428), [@wenyingd])
+- Fix error handling when S3Uploader partially succeeds. ([#4433](https://github.com/antrea-io/antrea/pull/4433), [@heanlan])
+- Fix a ClusterInfo export bug when Multi-cluster Gateway changes. ([#4412](https://github.com/antrea-io/antrea/pull/4412), [@luolanzone])
+- Fix OpenFlow rules not being updated when Multi-cluster Gateway updates. ([#4388](https://github.com/antrea-io/antrea/pull/4388), [@luolanzone])
+- Delete Pod specific VF resource cache when a Pod gets deleted. ([#4285](https://github.com/antrea-io/antrea/pull/4285), [@arunvelayutham])
+- Fix OpenAPI descriptions for AntreaAgentInfo and AntreaControllerInfo. ([#4390](https://github.com/antrea-io/antrea/pull/4390), [@tnqn])
+
+
+[@Atish-iaf]: https://github.com/Atish-iaf
+[@Dyanngg]: https://github.com/Dyanngg
+[@GraysonWu]: https://github.com/GraysonWu
+[@NamanAg30]: https://github.com/NamanAg30
+[@Nithish555]: https://github.com/Nithish555
+[@XinShuYang]: https://github.com/XinShuYang
+[@adwaitni]: https://github.com/adwaitni
+[@antoninbas]: https://github.com/antoninbas
+[@antrea-bot]: https://github.com/antrea-bot
+[@arunvelayutham]: https://github.com/arunvelayutham
+[@bangqipropel]: https://github.com/bangqipropel
+[@ceclinux]: https://github.com/ceclinux
+[@dependabot]: https://github.com/dependabot
+[@dreamtalen]: https://github.com/dreamtalen
+[@heanlan]: https://github.com/heanlan
+[@hjiajing]: https://github.com/hjiajing
+[@hongliangl]: https://github.com/hongliangl
+[@jainpulkit22]: https://github.com/jainpulkit22
+[@jianjuns]: https://github.com/jianjuns
+[@liu4480]: https://github.com/liu4480
+[@luolanzone]: https://github.com/luolanzone
+[@mengdie-song]: https://github.com/mengdie-song
+[@mnaser]: https://github.com/mnaser
+[@qiyueyao]: https://github.com/qiyueyao
+[@tnqn]: https://github.com/tnqn
+[@urharshitha]: https://github.com/urharshitha
+[@wenqiq]: https://github.com/wenqiq
+[@wenyingd]: https://github.com/wenyingd
+[@xliuxu]: https://github.com/xliuxu

CHANGELOG/CHANGELOG-1.7.md

@@ -1,5 +1,22 @@
 # Changelog 1.7
 
+## 1.7.2 - 2022-12-19
+
+### Changed
+- Upgrade Antrea base image to ubuntu 22.04. ([#4459](https://github.com/antrea-io/antrea/pull/4459), [@antoninbas])
+- Add OFSwitch connection check to Agent's liveness probes. ([#4126](https://github.com/antrea-io/antrea/pull/4126), [@tnqn])
+- Improve install_cni_chaining to support updates to CNI config file. ([#4012](https://github.com/antrea-io/antrea/pull/4012), [@antoninbas])
+
+### Fixed
+- Add a periodic job to rejoin dead Nodes to fix Egress not working properly after long network downtime. ([#4491](https://github.com/antrea-io/antrea/pull/4491), [@tnqn])
+- Fix connectivity issues caused by MAC address changes with systemd v242 and later. ([#4428](https://github.com/antrea-io/antrea/pull/4428), [@wenyingd])
+- Fix potential deadlocks and memory leaks of memberlist maintenance in large-scale clusters. ([#4469](https://github.com/antrea-io/antrea/pull/4469), [@wenyingd])
+- Fix Windows AddNodePort parameter error. ([#4103](https://github.com/antrea-io/antrea/pull/4103), [@XinShuYang])
+- Set no-flood config with ports for TrafficControl after Agent restarting. ([#4318](https://github.com/antrea-io/antrea/pull/4318), [@hongliangl])
+- Fix multicast group not removed from cache when it is uninstalled. ([#4176](https://github.com/antrea-io/antrea/pull/4176), [@wenyingd])
+- Remove redundant Openflow messages when syncing an updated group to OVS. ([#4160](https://github.com/antrea-io/antrea/pull/4160), [@hongliangl])
+- Fix Antrea Octant plugin build. ([#4107](https://github.com/antrea-io/antrea/pull/4107), [@antoninbas])
+
 ## 1.7.1 - 2022-07-14
 
 ### Fixed

CHANGELOG/README.md

@@ -10,6 +10,7 @@ stages](https://github.com/kubernetes/community/blob/master/contributors/devel/s
 Some experimental features can be enabled / disabled using [Feature
 Gates](../docs/feature-gates.md).
 
+- [CHANGELOG-1.10](CHANGELOG-1.10.md)
 - [CHANGELOG-1.9](CHANGELOG-1.9.md)
 - [CHANGELOG-1.8](CHANGELOG-1.8.md)
 - [CHANGELOG-1.7](CHANGELOG-1.7.md)

Makefile

@@ -12,14 +12,16 @@ OVS_VERSION        := $(shell head -n 1 build/images/deps/ovs-version)
 GO_VERSION         := $(shell head -n 1 build/images/deps/go-version)
 CNI_BINARIES_VERSION := $(shell head -n 1 build/images/deps/cni-binaries-version)
 NANOSERVER_VERSION := $(shell head -n 1 build/images/deps/nanoserver-version)
+BUILD_TAG          := $(shell build/images/build-tag.sh)
 WIN_BUILD_TAG      := $(shell echo $(GO_VERSION) $(CNI_BINARIES_VERSION) $(NANOSERVER_VERSION)|md5sum|head -c 10)
 GIT_HOOKS := $(shell find hack/git_client_side_hooks -type f -print)
 DOCKER_NETWORK     ?= default
 TRIVY_TARGET_IMAGE ?=
 
-DOCKER_BUILD_ARGS = --build-arg OVS_VERSION=$(OVS_VERSION)
+DOCKER_BUILD_ARGS := --build-arg OVS_VERSION=$(OVS_VERSION)
 DOCKER_BUILD_ARGS += --build-arg GO_VERSION=$(GO_VERSION)
-WIN_BUILD_ARGS = --build-arg GO_VERSION=$(GO_VERSION)
+DOCKER_BUILD_ARGS += --build-arg BUILD_TAG=$(BUILD_TAG)
+WIN_BUILD_ARGS := --build-arg GO_VERSION=$(GO_VERSION)
 WIN_BUILD_ARGS += --build-arg CNI_BINARIES_VERSION=$(CNI_BINARIES_VERSION)
 WIN_BUILD_ARGS += --build-arg NANOSERVER_VERSION=$(NANOSERVER_VERSION)
 WIN_BUILD_ARGS += --build-arg WIN_BUILD_TAG=$(WIN_BUILD_TAG)

VERSION

@@ -1 +1 @@
-v1.10.0-dev
+v1.11.0-dev

build/charts/antrea/README.md

@@ -1,6 +1,6 @@
 # antrea
 
-![Version: 1.10.0-dev](https://img.shields.io/badge/Version-1.10.0--dev-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
+![Version: 1.11.0-dev](https://img.shields.io/badge/Version-1.11.0--dev-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
 
 Kubernetes networking based on Open vSwitch
 
@@ -84,7 +84,8 @@ Kubernetes: `>= 1.16.0-0`
 | logVerbosity | int | `0` |  |
 | multicast.igmpQueryInterval | string | `"125s"` | The interval at which the antrea-agent sends IGMP queries to Pods. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". |
 | multicast.multicastInterfaces | list | `[]` | Names of the interfaces on Nodes that are used to forward multicast traffic. |
-| multicluster.enable | bool | `false` | Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. This feature is supported only with encap mode. |
+| multicluster.enableGateway | bool | `false` | Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. This feature is supported only with encap mode. |
+| multicluster.enableStretchedNetworkPolicy | bool | `false` | Enable Multi-cluster NetworkPolicy. Multi-cluster Gateway must be enabled to enable StretchedNetworkPolicy. |
 | multicluster.namespace | string | `""` | The Namespace where Antrea Multi-cluster Controller is running. The default is antrea-agent's Namespace. |
 | noSNAT | bool | `false` | Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. |
 | nodeIPAM.clusterCIDRs | list | `[]` | CIDR ranges to use when allocating Pod IP addresses. |
@@ -97,6 +98,12 @@ Kubernetes: `>= 1.16.0-0`
 | nodePortLocal.portRange | string | `"61000-62000"` | Port range used by NodePortLocal when creating Pod port mappings. |
 | ovs.bridgeName | string | `"br-int"` | Name of the OVS bridge antrea-agent will create and use. |
 | ovs.hwOffload | bool | `false` | Enable hardware offload for the OVS bridge (required additional configuration). |
+| secondaryNetwork.ovs.datapathType | string | `"system"` | 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run OVS in userspace mode. Userspace mode requires the tun device driver to be available. |
+| secondaryNetwork.ovs.enable | bool | `false` | Enable OVS bridge configuration for secondary network. |
+| secondaryNetwork.ovs.integrationBridgeName | string | `"br-secnet-int"` | Secondary network OVS integration bridge name. |
+| secondaryNetwork.ovs.patchPort | string | `"br-secnet-patch0"` | Name of the OVS patch port which connects the integration and transport bridge. |
+| secondaryNetwork.ovs.transportBridgeName | string | `"br-secnet-trans"` | Secondary network OVS transport bridge name. |
+| secondaryNetwork.tunnelType | string | `"geneve"` | Tunnel protocol used for encapsulating traffic across Nodes. It must be one of "geneve", "vxlan", "gre", "stt". |
 | serviceCIDR | string | `""` | IPv4 CIDR range used for Services. Required when AntreaProxy is disabled. |
 | serviceCIDRv6 | string | `""` | IPv6 CIDR range used for Services. Required when AntreaProxy is disabled. |
 | testing.coverage | bool | `false` |  |

build/charts/antrea/conf/antrea-agent.conf

@@ -49,8 +49,7 @@ featureGates:
 # Enable multicast traffic.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "Multicast" "default" false) }}
 
-# Enable Antrea Multi-cluster Gateway to support cross-cluster traffic.
-# This feature is supported only with encap mode.
+# Enable Antrea Multi-cluster features.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "Multicluster" "default" false) }}
 
 # Enable support for provisioning secondary network interfaces for Pods (using
@@ -70,6 +69,10 @@ featureGates:
 # Enable collecting support bundle files with SupportBundleCollection CRD.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "SupportBundleCollection" "default" false) }}
 
+# Enable users to protect their applications by specifying how they are allowed to communicate with others, taking
+# into account application context.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "L7NetworkPolicy" "default" false) }}
+
 # Name of the OpenVSwitch bridge antrea-agent will create and use.
 # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
 ovsBridge: {{ .Values.ovs.bridgeName | quote }}
@@ -329,8 +332,37 @@ multicluster:
 {{- with .Values.multicluster }}
 # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic.
 # This feature is supported only with encap mode.
-  enable: {{ .enable }}
+  enableGateway: {{ .enableGateway }}
 # The Namespace where Antrea Multi-cluster Controller is running.
 # The default is antrea-agent's Namespace.
   namespace: {{ .namespace | quote }}
+# Enable Multi-cluster NetworkPolicy (ingress rules).
+# Multi-cluster Gateway must be enabled to enable StretchedNetworkPolicy.
+  enableStretchedNetworkPolicy: {{ .enableStretchedNetworkPolicy }}
+{{- end }}
+
+{{- if .Values.featureGates.SecondaryNetwork }}
+
+secondaryNetwork:
+{{- with .Values.secondaryNetwork }}
+  # OVS bridge configuration for secondary network.
+  ovs:
+    # Enable OVS bridge configuration for secondary network.
+    enable: {{ .ovs.enable }}
+    # Secondary network OVS integration bridge name. Ensure it doesn't conflict with your existing OpenVSwitch bridges.
+    integrationBridgeName: {{ .ovs.integrationBridgeName | quote }}
+    # Secondary network OVS transport bridge name. Ensure it doesn't conflict with your existing OpenVSwitch bridges.
+    transportBridgeName: {{ .ovs.transportBridgeName | quote }}
+    # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are:
+    # - system
+    # - netdev
+    # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run
+    # OVS in userspace mode. Userspace mode requires the tun device driver to be available.
+    datapathType: {{ .ovs.datapathType | quote }}
+    # Name of the OVS patch port which connects the integration and transport bridge.
+    patchPort: {{ .ovs.patchPort | quote }}
+  # Tunnel protocol used for encapsulating traffic across Nodes. It must be one
+  # of "geneve", "vxlan", "gre", "stt".
+  tunnelType: {{ .tunnelType | quote }}
+{{- end }}
 {{- end }}

build/charts/antrea/conf/antrea-controller.conf

@@ -43,9 +43,13 @@ featureGates:
 # Enable collecting support bundle files with SupportBundleCollection CRD.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "SupportBundleCollection" "default" false) }}
 
-# Enable multi-cluster features.
+# Enable Antrea Multi-cluster features.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "Multicluster" "default" false) }}
 
+# Enable users to protect their applications by specifying how they are allowed to communicate with others, taking
+# into account application context.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "L7NetworkPolicy" "default" false) }}
+
 # The port for the antrea-controller APIServer to serve on.
 # Note that if it's set to another value, the `containerPort` of the `api` port of the
 # `antrea-controller` container must be set to the same value.
@@ -111,7 +115,6 @@ ipsecCSRSigner:
 
 multicluster:
 {{- with .Values.multicluster }}
-  # Enable Multicluster which allow Antrea-native policies to select peers
-  # from other clusters in a ClusterSet.
-  enable: {{ .enable }}
+  # Enable Multi-cluster NetworkPolicy.
+  enableStretchedNetworkPolicy: {{ .enableStretchedNetworkPolicy }}
 {{- end }}

build/charts/antrea/crds/clusternetworkpolicy.yaml

@@ -638,6 +638,8 @@ spec:
                               type: string
                             namespace:
                               type: string
+                            scope:
+                              type: string
                       name:
                         type: string
                       enableLogging:

build/charts/antrea/crds/networkpolicy.yaml

@@ -553,6 +553,8 @@ spec:
                               type: string
                             namespace:
                               type: string
+                            scope:
+                              type: string
                       name:
                         type: string
                       enableLogging:

build/charts/antrea/crds/traceflow.yaml

@@ -189,6 +189,10 @@ spec:
                               type: string
                             tunnelDstIP:
                               type: string
+                            egressIP:
+                              type: string
+                            egress:
+                              type: string
                 capturedPacket:
                   properties:
                     srcIP:

build/charts/antrea/templates/agent/clusterrole.yaml

@@ -213,6 +213,7 @@ rules:
     - multicluster.crd.antrea.io
     resources:
     - clusterinfoimports
+    - labelidentities
     verbs:
     - get
     - list