Release v0.10.0
antoninbas released this 25 Sep 05:45
Includes all the bug fixes from 0.9.1, 0.9.2 and 0.9.3.
Starting with Antrea 0.10.0, K8s version >= 1.16 is required.
Added
- Add Antrea NetworkPolicy CRD API to define namespaced security policies which support additional features compared to K8s NetworkPolicies. (#1117 #1194, @Dyanngg @abhiraut) [Alpha - Feature Gate: AntreaPolicy]
  - The ClusterNetworkPolicy Feature Gate has been removed, AntreaPolicy is used for both Antrea NetworkPolicies and ClusterNetworkPolicies
  - Refer to the Antrea Policy CRDs documentation for information
- Add "v1alpha1.stats.antrea.tanzu.vmware.com" API to query traffic statistics about NetworkPolicies (number of sessions / packets / bytes which are allowed or denied). (#1172 #1221 #1140, @tnqn @weiqiangt) [Alpha - Feature Gate: NetworkPolicyStats]
  - The stats are aggregated from each Antrea Agent using an internal API in "controlplane.antrea.tanzu.vmware.com"
- Add ability for users to define their own policy tiers using a Tier CRD. (#926 #1237 #1260 #1290, @abhiraut @Dyanngg)
  - The 5 static tiers introduced in 0.9.x are mapped to read-only CRDs, in order to provide backwards-compatibility for clusters with existing tiered policies
  - Admission webhooks ensure consistency across Tiers, NetworkPolicies and ClusterNetworkPolicies
  - Refer to the Antrea Policy CRDs documentation for information
- Support for ExternalEntity: rules in Antrea policies can select labelled non-Pod endpoints (e.g. VMs) which are represented by ExternalEntity CRD resources. (#1084, @Dyanngg @suwang48404)
- Support for querying the list of NetworkPolicies which are applied to a specific Pod, or which select a specific Pod in an ingress / egress rule. (#1116, @jakesokol1 @antoninbas) [Alpha]
  - New "/endpoint" API endpoint in Antrea Controller - API may change in future releases
  - New "antctl query endpoint" command
- Add Prometheus metrics for the connection tracking table (max size, total number of connections, total number of connections installed by Antrea) when FlowExporter is enabled. (#1232, @dreamtalen)
- Configure access to Antrea NetworkPolicy and ClusterNetworkPolicy APIs for default cluster roles (admin / edit / view) using aggregated ClusterRoles. (#1206, @abhiraut)
- Configure access to Traceflows API for default cluster roles (admin / edit / view) using aggregated ClusterRoles. (#1231, @abhiraut)
Changed
- Re-introduce legacy "networking.antrea.tanzu.vmware.com" internal API group which was previously removed in 0.9.3, to avoid upgrade issues. (#1243, @tnqn)
  - Users can safely upgrade from any 0.9.x release to 0.10.0 without disruption in NetworkPolicy enforcement, assuming the Antrea Controller is upgraded first.
- Use the v1 version of "apiextensions.k8s.io" instead of "v1beta1"; v1 was introduced in K8s 1.15. (#1009, @abhiraut)
  - As part of this, the OpenAPI spec used for validation was improved for several of the Antrea CRDs
- Use the v1 version of "rbac.authorization.k8s.io" instead of v1beta1; v1 was introduced in K8s 1.8. (#1274, @abhiraut)
- Change type of some Prometheus metrics from "summary" to "histogram", which may impact consumers of these metrics; the metrics were incorrectly tagged as "STABLE" when they were first introduced. (#1202, @dreamtalen)
- Deprecate "antrea_agent_runtime_info" and "antrea_controller_runtime_info" metrics, which will be removed in 0.11; the same information can now be obtained from the instance label of the target. (#1217, @srikartati)
- Upgrade OVS version to 2.14.0 to pick up some recent patches. (#1121, @lzhecheng)
- Collect additional information in support bundle. (#1145, @wenyingd)
  - OVS logs, kubelet logs and host network configuration on Windows Nodes [Windows]
  - Description of the ports associated with the OVS bridge
- Restrict read permissions for the OVSDB file persisted on each Node. (#1293, @antoninbas)
- Add more consistent short names for Antrea NetworkPolicies ("anp") and ClusterNetworkPolicies ("acnp"). (#1291, @abhiraut)
- Add reference to the original user-defined policy object in the internal representation of policies computed by the Antrea Controller and served through the "controlplane.antrea.tanzu.vmware.com" internal API. (#1258, @tnqn)
- Remove dependency on "github.com/goccy/go-graphviz" in the Traceflow UI implementation: usage of cgo was creating issues when cross-compiling assets and some of the module's dependencies were distributed under copyleft licenses. (#1127, @ZhangYW18)
- Remove serviceCIDR Agent configuration parameter from Antrea manifests destined to public cloud K8s services (AKS, EKS, GKE) to avoid confusion: AntreaProxy is always enabled for those, which means that the parameter is not needed and will be ignored if provided. (#1177, @jianjuns)
- Add status message in Traceflow UI for running Traceflow requests. (#1277, @ZhangYW18)
- Optimize flow priority assignment for Antrea Policies when the Agent restarts. (#1105, @Dyanngg)