antrea

Kubernetes networking based on Open vSwitch

APACHE-2.0 License

antrea - Release v1.5.0

Published by tnqn over 2 years ago

Added

  • Add Antrea Multi-cluster feature which allows users to export and import Services and Endpoints across multiple clusters within a ClusterSet, and enables inter-cluster Service communication in the ClusterSet. (#3199, @luolanzone @aravindakidambi @bangqipropel @hjiajing @Dyanngg @suwang48404 @abhiraut) [Alpha]
  • Add support for multicast that allows forwarding multicast traffic within the cluster network (i.e., between Pods) and between the external network and the cluster network. (#2652 #3142 #2835 #3171 #2986, @wenyingd @ceclinux @XinShuYang) [Alpha - Feature Gate: Multicast]
    • In this release the feature is only supported on Linux Nodes for IPv4 traffic in noEncap mode
  • Add support for IPPool and IP annotations on Pod and PodTemplate of Deployment and StatefulSet in AntreaIPAM mode. (#3093 #3042 #3141 #3164 #3146, @gran-vmv @annakhm)
    • IPPool annotation on Pod has a higher priority than the IPPool annotation on Namespace
    • A StatefulSet Pod's IP will be kept after Pod restarts when the IP is allocated from IPPool
    • Refer to Antrea IPAM Capabilities for more information
  • Add support for SR-IOV secondary network. Antrea can now create secondary network interfaces for Pods using SR-IOV VFs on bare metal Nodes. (#2651, @arunvelayutham) [Alpha - Feature Gate: SecondaryNetwork]
  • Add support for allocating external IPs for Services of type LoadBalancer from an ExternalIPPool. (#3147, @Shengkai2000) [Alpha - Feature Gate: ServiceExternalIP]
  • Add support for antctl in the flow aggregator Pod. (#2878, @yanjunz97)
    • Support antctl log-level for changing log verbosity level
    • Support antctl get flowrecords [-o json] for dumping flow records
    • Support antctl get recordmetrics for dumping flow records metrics
  • Add support for the "Pass" action in Antrea-native policies to skip evaluation of further Antrea-native policy rules and delegate evaluation to Kubernetes NetworkPolicy. (#2964, @Dyanngg)
  • Add user documentation for using Project Antrea with Fluentd in order to collect audit logs from each Node. (#2853, @qiyueyao)
  • Add user documentation for deploying Antrea on AKS Engine. (#2963, @jianjuns)
  • Improve NodePortLocal documentation to list supported Service types and add information about existing integrations with external Load Balancers. (#3113, @antoninbas)
  • Document how to run Antrea e2e tests on an existing K8s cluster (#3045, @xiaoxiaobaba)

Changed

  • Make LoadBalancer IP proxying configurable for AntreaProxy to support scenarios in which it is desirable to send Pod-to-ExternalIP traffic to the external LoadBalancer. (#3130, @antoninbas)
  • Add startTime to the Traceflow Status to avoid issues caused by clock skew. (#2952, @antoninbas)
  • Add reason field in antctl traceflow command output. (#3175, @Jexf)
  • Validate serviceCIDR configuration only if AntreaProxy is disabled. (#2936, @wenyingd)
  • Improve configuration parameter validation for NodeIPAM. (#3009, @tnqn)
  • More comprehensive validation for Antrea-native policies. (#3104 #3109, @GraysonWu @tnqn)
  • Update Antrea Octant plugin to support Octant 0.24 and to use the Dashboard client to perform CRUD operations on Antrea CRDs. (#2951, @antoninbas)
  • Omit hostNetwork Pods when computing members of ClusterGroup and AddressGroup. (#3080, @Dyanngg)
  • Support for using an env parameter ALLOW_NO_ENCAP_WITHOUT_ANTREA_PROXY to allow running Antrea in noEncap mode without AntreaProxy. (#3116, @Jexf @WenzelZ)
  • Move throughput calculation for network flow visibility from logstash to flow-aggregator. (#2692, @heanlan)
  • Add Go version information to full version string for Antrea binaries. (#3182, @antoninbas)
  • Improve kind-setup.sh script and Kind documentation. (#2937, @antoninbas)
  • Enable Go benchmark tests in CI. (#3004, @wenqiq)
  • Upgrade Windows OVS version to 2.15.2 to pick up some recent patches. (#2996, @lzhecheng) [Windows]
  • Remove HNSEndpoint only if infra container fails to create. (#2976, @lzhecheng) [Windows]
  • Use OVS Port externalIDs instead of HNSEndpoint to cache the externalIDS when using containerd as the runtime on Windows. (#2931, @wenyingd) [Windows]
  • Reduce network downtime when starting antrea-agent on Windows Node by using Windows management virtual network adapter as OVS internal port. (#3067, @wenyingd) [Windows]

Fixed

  • Fix error handling of the "Reject" action of Antrea-native policies when determining if the packet belongs to Service traffic. (#3010, @GraysonWu)
  • Make the "Reject" action of Antrea-native policies work in AntreaIPAM mode. (#3003, @GraysonWu)
  • Set ClusterGroup with child groups to groupMembersComputed after all its child groups are created and processed. (#3030, @Dyanngg)
  • Fix status report of Antrea-native policies with multiple rules that have different AppliedTo. (#3074, @tnqn)
  • Fix typos and improve the example YAML in antrea-network-policy doc. (#3079 #3092 #3108, @antoninbas @Jexf @tnqn)
  • Fix duplicated attempts to delete unreferenced AddressGroups when deleting Antrea-native policies. (#3136, @Jexf)
  • Add retry to update NetworkPolicy status to avoid error logs. (#3134, @Jexf)
  • Fix NetworkPolicy resources dump for Agent's supportbundle. (#3083, @antoninbas)
  • Use go 1.17 to build release assets. (#3007, @antoninbas)
  • Restore the gateway route automatically configured by kernel when configuring IP address if it is missing. (#2835, @antoninbas)
  • Fix incorrect parameter used to check if a container is the infra container, which caused errors when reattaching HNS Endpoint. (#3089, @XinShuYang) [Windows]
  • Fix gateway interface MTU configuration error on Windows. (#3043, @lzhecheng) [Windows]
  • Fix initialization error of antrea-agent on Windows by specifying hostname explicitly in VMSwitch commands. (#3169, @XinShuYang) [Windows]

antrea - Release v1.4.0

Published by tnqn almost 3 years ago

The NodePortLocal feature is graduated from Alpha to Beta.

Added

  • Support for proxying all Service traffic by Antrea Proxy, including NodePort, LoadBalancer, and ClusterIP traffic. Therefore, running kube-proxy is no longer required. (#2599 #2235 #2897 #2863, @hongliangl @lzhecheng)
    • The feature works for both Linux and Windows
    • The feature is experimental and therefore disabled by default. Use the antreaProxy.proxyAll configuration parameter for the Antrea Agent to enable it
    • If kube-proxy is removed, the kubeAPIServerOverride configuration parameter for the Antrea Agent must be set to access kube-apiserver directly
  • Add AntreaIPAM feature that allows flexible control over Pod IP Addressing by assigning pools of IP addresses to specific Namespaces. (#2956, @gran-vmv @annakhm)
    • Add new IPPool API to define ranges of IP addresses which can be used as Pod IPs; the IPs in the IPPools must be in the same "underlay" subnet as the Node IP
    • A Pod's IP will be allocated from the IPPool specified by the ipam.antrea.io/ippools annotation of the Pod's Namespace if there is one
    • When the feature is enabled, the Node's network interface will be connected to the OVS bridge, in order to forward cross-Node traffic of AntreaIPAM Pods through the underlay network
    • Refer to the feature documentation for more information
  • Add NodeIPAM feature to handle the per-Node PodCIDR allocation for clusters where kube-controller-manager does not run NodeIPAMController. (#1561, @ksamoray)
  • Support for configurable transport interface CIDRs for Pod traffic. (#2704, @Jexf)
    • Use the transportInterfaceCIDRs configuration parameter for the Antrea Agent to choose an interface by network CIDRs
  • Add UDP support for NodePortLocal. (#2448, @chauhanshubham)
  • Add the nodePortLocal.enable configuration parameter for the Antrea Agent to enable NodePortLocal. (#2924, @antoninbas)
  • Add more visibility metrics to report the connection status of the Antrea Agent to the Flow Aggregator. (#2668, @zyiou)
  • Add the antreaProxy.skipServices configuration parameter for the Antrea Agent to specify Services which should be ignored by AntreaProxy. (#2882, @luolanzone)
    • A typical use case is setting antreaProxy.skipServices to ["kube-system/kube-dns"] to make NodeLocal DNSCache work when AntreaProxy is enabled
  • Add support for ToServices in the rules of Antrea-native policies to allow matching traffic intended for Services. (#2755, @GraysonWu)
  • Add the egress.exceptCIDRs configuration parameter for the Antrea Agent, to specify IP destinations for which SNAT should not be performed on outgoing traffic. (#2749, @leonstack)
  • Add user documentation for WireGuard encryption. (#2902, @jianjuns)
  • Add user documentation for encap mode installation for EKS. (#2929, @jianjuns)

Changed

  • Remove chmod for OVSDB file from start_ovs, as the permissions are set correctly by OVS 2.15.1. (#2803, @antoninbas)
  • Reduce memory usage of antctl when collecting supportbundle. (#2813, @tnqn)
  • Do not perform SNAT for egress traffic to Kubernetes Node IPs. (#2762, @leonstack)
  • Send gratuitous ARP for EgressIP via the transport interface, as opposed to the interface with Node IP (if they are different). (#2845, @Jexf)
  • Ignore hostNetwork Pods selected by Egress, as they are not supported. (#2851, @Jexf)
  • Avoid duplicate processing of Egress. (#2884, @Jexf)
  • Ignore the IPs of kube-ipvs0 for Egress as they cannot be used for SNAT. (#2930, @Jexf)
  • Change flow exporter export expiry mechanism to priority queue based, to reduce CPU usage and memory footprint. (#2360, @heanlan)
  • Make Pod labels optional in the flow records. By default, they will not be included in the flow records. Use the recordContents.podLabels configuration parameter for the Flow Aggregator to include them. (#2739, @yanjunz97)
  • Wait for AntreaProxy to be ready before accessing any K8s Service if antreaProxy.proxyAll is enabled, to avoid connection issues on Agent startup. (#2858, @tnqn)
  • Update OVS pipeline documentation to include information about AntreaProxy. (#2725, @hongliangl)
  • Remove offensive words from scripts and documentation. (#2799, @xiaoxiaobaba)
  • Use readable names for OpenFlow tables. (#2585, @wenyingd)
  • Improve the OpenAPI schema for CRDs to validate the matchExpressions field. (#2887, @wenqiq)
  • Fail fast if the source Pod for non-live-traffic Traceflow is invalid. (#2736, @gran-vmv)
  • Use the RenewIPConfig parameter to indicate whether to renew ipconfig on the host for Clean-AntreaNetwork.ps1. It defaults to false. (#2955, @wenyingd) [Windows]
  • Add Windows task delay up to 30s to improve job resiliency of Prepare-AntreaAgent.ps1, to avoid a failure in initialization after Windows startup. (#2864, @perithompson) [Windows]

Fixed

  • Fix nil pointer error when antrea-agent updates OpenFlow priorities of Antrea-native policies without Service ports. (#2730, @wenyingd)
  • Fix panic in the Antrea Controller when it processes ClusterGroups that are used by multiple ClusterNetworkPolicies. (#2768, @tnqn)
  • Fix an issue with NodePortLocal when a given Pod port needs to be exposed for both TCP and UDP. (#2903, @antoninbas)
  • Fix handling of the "Reject" action of Antrea-native policies when the traffic is intended for Services. (#2772, @GraysonWu)
  • Fix Agent crash when removing the existing NetNat on Windows Nodes. (#2751, @wenyingd) [Windows]
  • Fix container network interface MTU configuration error when using containerd as the runtime on Windows. (#2778, @wenyingd) [Windows]
  • Fix path to Prepare-AntreaAgent.ps1 in Windows docs. (#2840, @perithompson) [Windows]
  • Fix NetNeighbor Powershell error handling. (#2905, @lzhecheng) [Windows]

antrea - Release v1.2.3

Published by tnqn about 3 years ago

Changed

  • Support returning partial supportbundle results when some Nodes fail to respond. (#2788, @hangyan)
  • Remove restriction that only GRE tunnels can be used when enabling IPsec: VXLAN can also be used, and so can Geneve (if the Linux kernel version for the Nodes is recent enough). (#2764, @luolanzone)
  • Reduce memory usage of antctl when collecting supportbundle. (#2821, @tnqn)

Fixed

  • Fix nil pointer error when collecting a supportbundle on a Node for which the antrea-agent container image does not include "iproute2"; this does not affect the standard antrea/antrea-ubuntu container image. (#2789, @liu4480)
  • When creating an IPsec OVS tunnel port to a remote Node, handle the case where the port already exists but with a stale config gracefully: delete the existing port first, then recreate it. (#2765, @luolanzone)
  • Fix panic in the Antrea Controller when it processes ClusterGroups that are used by multiple ClusterNetworkPolicies. (#2768, @tnqn)
  • Fix nil pointer error when antrea-agent updates OpenFlow priorities of Antrea-native policies without Service ports. (#2758, @wenyingd)
  • Fix Pod-to-Service access on Windows when the Endpoints are not non-hostNetwork Pods (e.g. the kubernetes Service). (#2702, @wenyingd) [Windows]
  • Fix container network interface MTU configuration error when using containerd as the runtime on Windows. (#2773, @wenyingd) [Windows]

antrea - Release v1.3.0

Published by antoninbas about 3 years ago

Added

  • Add ability to use Fully Qualified Domain Names (FQDNs) in egress policy rules when defining Antrea-native policies: both exact matches and wildcards are supported. (#2613 #2634 #2667 #2623 #2691, @Dyanngg @antoninbas @GraysonWu @madhukark @lzhecheng)
  • Add support for WireGuard to encrypt inter-Node Pod traffic (as an alternative to IPsec); traffic mode must be set to encap and the "tunnelType" option will be ignored. (#2297 #2697, @xliuxu @tnqn)
  • Support for configurable transport interface for Pod traffic. (#2370, @wenyingd)
    • Use the "transportInterface" configuration parameter for the Antrea Agent to choose an interface by name; the default behavior is unchanged (interface to which the K8s Node IP is assigned is used)
    • On Windows, SNAT is now performed by the host and no longer by OVS, to accommodate this change [Windows]
  • Support for dual-stack transport interfaces (the IPv4 and IPv6 addresses have to be assigned to the same interface); this in turn enables support for the noEncap traffic mode in dual-stack clusters. (#2436, @lzhecheng)
  • Add Status field to the ExternalIPPool CRD: it is used to report usage information for the pool (total number of IPs in the pool and number of IPs that are currently assigned). (#2490, @wenqiq)
  • Add Egress support for IPv6 and dual-stack clusters. (#2196 #2655, @wenqiq)
  • Add ability to filter logs by timestamp with the "antctl supportbundle" command. (#2389, @hangyan @weiqiangt)
  • Support for IPv6 / dual-stack Kind clusters. (#2415, @adobley @christianang @gwang550)
  • Add support for sending JSON records from the Flow Aggregator instead of IPFIX records (which is still the default), as it can achieve better performance with Logstash. (#2559, @zyiou)
  • Support "--sort-by" flag for "antctl get networkpolicy" in Agent mode. (#2604, @antoninbas)

Changed

  • Remove the restriction that a ClusterGroup must exist before it can be used as a child group to define other ClusterGroups. (#2443, @Dyanngg)
  • Remove the restriction that a ClusterGroup must exist before it can be used in an Antrea ClusterNetworkPolicy. (#2478, @Dyanngg @abhiraut)
  • Remove "controlplane.antrea.tanzu.vmware.com/v1beta1" API as per our API deprecation policy. (#2528 #2631, @luolanzone)
  • Controller responses to ClusterGroup membership queries ("/clustergroupmembers" API) now include the list of IPBlocks when appropriate. (#2577, @Dyanngg @abhiraut)
  • Install all Endpoint flows belonging to a Service via a single OpenFlow bundle, to reduce flow installation time when the Agent starts. (#2476, @tnqn)
  • Improve the batch installation of NetworkPolicy rules when the Agent starts: only generate flow operations based on final desired state instead of incrementally. (#2479, @tnqn @Dyanngg)
  • Use GroupMemberSet.Merge instead of GroupMemberSet.Union to reduce CPU usage and memory footprint in the Agent's policy controller. (#2467, @tnqn)
  • When checking for the existence of an iptables chain, stop listing all the chains and searching through them; this change reduces the Agent's memory footprint. (#2458, @tnqn)
  • Tolerate more failures for the Agent's readiness probe, as the Agent may stay disconnected from the Controller for a long time in some scenarios. (#2535, @tnqn)
  • Remove restriction that only GRE tunnels can be used when enabling IPsec: VXLAN can also be used, and so can Geneve (if the Linux kernel version for the Nodes is recent enough). (#2489, @luolanzone)
  • Automatically perform deduplication on NetworkPolicy audit logs for denied connections: all duplicate connections received within a 1 second buffer window will be merged and the corresponding log entry will include the connection count. (#2294 #2578, @qiyueyao)
  • Support returning partial supportbundle results when some Nodes fail to respond. (#2399, @hangyan)
  • When listing NetworkPolicyStats through the Controller API, return an empty list if the NetworkPolicyStats Feature Gate is disabled, instead of returning an error. (#2386, @PeterEltgroth)
  • Update OVS version from 2.14.2 to 2.15.1: the new version fixes Geneve tunnel support in the userspace datapath (used for Kind clusters). (#2515, @antoninbas)
  • Update go-ipfix to version v0.5.7 to improve overall performance of the FlowExporter feature, and in particular of the Flow Aggregator component. (#2574, @srikartati @zyiou)
  • Support pretty-printing for AntreaAgentInfo and AntreaControllerInfo CRDs. (#2572, @antoninbas)
  • Improve the process of updating the Status of an Egress resource to report the name of the Node to which the Egress IP is assigned. (#2444, @wenqiq)
  • Change the singular name of the ClusterGroup CRD from "group" to "clustergroup". (#2484, @abhiraut)
  • Officially-supported Go version is no longer 1.15 but 1.17. (#2609 #2640, @antoninbas)
    • There was a notable change in the implementation of the "ParseIP" and "ParseCIDR" functions, but Antrea users should not be affected; refer to this issue
  • Standardize the process of reserving OVS register ranges and defining constant values for them; OVS registers are used to store per-packet information when required to implement specific features. (#2455, @wenyingd)
  • Update ELK stack reference configuration to support TCP transport. (#2387, @zyiou)
  • Update Windows installation instructions. (#2456, @lzhecheng)
  • Update Antrea-native policies documentation to reflect the addition of the "kubernetes.io/metadata.name" in upstream K8s. (#2596, @abhiraut)
  • Default to containerd as the container runtime in the Vagrant-based test K8s cluster. (#2583, @stanleywbwong)
  • Update AllowToCoreDNS example in Antrea-native policies documentation. (#2605, @btrieger)
  • Update actions/setup-go to v2 in all Github workflows. (#2517, @MysteryBlokHed)
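The audit-log deduplication described under Changed above (#2294 #2578), as an added example written for this page rather than Antrea's own implementation: denied connections are buffered per key for a 1 second window, a duplicate only increments a counter, and a single line carrying the merged count is emitted once the window expires, with a final drain so nothing is lost at shutdown. The connection key fields, the line format and the sample burst are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// DeniedConn identifies a connection rejected by a policy, as an audit logger
// would see it. The field set is an assumption made for this example.
type DeniedConn struct {
	Policy   string
	SrcIP    string
	DstIP    string
	DstPort  int
	Protocol string
}

// Event is one denied connection observed at a given time (constructed input).
type Event struct {
	Conn DeniedConn
	At   time.Time
}

// LogEntry is one emitted audit line: the key, when it was first seen in the
// current window, and how many duplicates were merged into it.
type LogEntry struct {
	Conn  DeniedConn
	First time.Time
	Count int
}

// Deduplicator buffers denied connections per key for a fixed window and
// merges duplicates so one line with a count is logged instead of N lines.
type Deduplicator struct {
	window  time.Duration
	pending map[DeniedConn]*LogEntry
}

func NewDeduplicator(window time.Duration) *Deduplicator {
	return &Deduplicator{window: window, pending: map[DeniedConn]*LogEntry{}}
}

// Observe records a denied connection seen at ts. Buffered entries whose
// window has expired at ts are flushed and returned; the new one is buffered.
func (d *Deduplicator) Observe(c DeniedConn, ts time.Time) []LogEntry {
	flushed := d.Flush(ts)
	if e, ok := d.pending[c]; ok {
		e.Count++
	} else {
		d.pending[c] = &LogEntry{Conn: c, First: ts, Count: 1}
	}
	return flushed
}

// Flush emits every buffered entry whose window has expired at now, oldest first.
func (d *Deduplicator) Flush(now time.Time) []LogEntry {
	return d.drain(func(e *LogEntry) bool { return now.Sub(e.First) >= d.window })
}

// FlushAll emits everything still buffered (e.g. at shutdown) so no denial is lost.
func (d *Deduplicator) FlushAll() []LogEntry {
	return d.drain(func(_ *LogEntry) bool { return true })
}

func (d *Deduplicator) drain(expired func(*LogEntry) bool) []LogEntry {
	var out []LogEntry
	for k, e := range d.pending {
		if expired(e) {
			out = append(out, *e)
			delete(d.pending, k)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].First.Before(out[j].First) })
	return out
}

// Format renders an entry as a single audit line including the merged count.
func Format(e LogEntry) string {
	return fmt.Sprintf("%s Drop policy=%s src=%s dst=%s:%d proto=%s count=%d",
		e.First.UTC().Format(time.RFC3339), e.Conn.Policy, e.Conn.SrcIP,
		e.Conn.DstIP, e.Conn.DstPort, e.Conn.Protocol, e.Count)
}

// Replay feeds time-ordered events through a 1s deduplicator and returns
// every entry it emits, including the final drain.
func Replay(events []Event) []LogEntry {
	d := NewDeduplicator(time.Second)
	var out []LogEntry
	for _, ev := range events {
		out = append(out, d.Observe(ev.Conn, ev.At)...)
	}
	return append(out, d.FlushAll()...)
}

// SampleEvents is a constructed burst: one client retrying a blocked port four
// times within 1.5s, with a second client's single attempt in between.
func SampleEvents() []Event {
	base := time.Date(2022, 1, 1, 0, 0, 0, 0, time.UTC)
	a := DeniedConn{Policy: "cnp-deny-db", SrcIP: "10.10.1.5", DstIP: "10.10.2.9", DstPort: 5432, Protocol: "TCP"}
	b := DeniedConn{Policy: "cnp-deny-db", SrcIP: "10.10.1.7", DstIP: "10.10.2.9", DstPort: 5432, Protocol: "TCP"}
	return []Event{
		{a, base},
		{a, base.Add(200 * time.Millisecond)},
		{b, base.Add(300 * time.Millisecond)},
		{a, base.Add(700 * time.Millisecond)},
		{a, base.Add(1500 * time.Millisecond)}, // past the first window: flushes a (count 3) and b (count 1)
	}
}

func main() {
	for _, e := range Replay(SampleEvents()) {
		fmt.Println(Format(e))
	}
}
```

Replaying the sample yields three lines instead of five: the first client's three attempts inside the window collapse into one entry with count=3, the second client's attempt is its own entry, and the retry that arrives after the window opens a fresh entry. Keying on the full tuple plus policy name is what keeps the count meaningful for triage; merging on source IP alone would hide which rule and destination were hit.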

Fixed

  • Fix panic in Agent when calculating the stats for a rule newly added to an existing NetworkPolicy. (#2495, @tnqn)
  • Fix bug in iptables rule installation for dual-stack clusters: if a rule was already present for one protocol but not the other, its installation may have been skipped. (#2469, @lzhecheng)
  • Fix deadlock in the Agent's FlowExporter, between the export goroutine and the conntrack polling goroutine. (#2429, @srikartati)
  • Upgrade OVS version to 2.14.2-antrea.1 for Windows Nodes; this version of OVS is built on top of the upstream 2.14.2 release and also includes a patch to fix TCP checksum computation when the DNAT action is used. (#2549, @lzhecheng) [Windows]
  • Handle transient iptables-restore failures (caused by xtables lock contention) in the NodePortLocal initialization logic. (#2555, @antoninbas)
  • Query and check the list of features supported by the OVS datapath during Agent initialization: if any required feature is not supported, the Agent will log an error and crash, instead of continuing to run which makes it hard to troubleshoot such issues. (#2571, @tnqn)
  • On Linux, wait for the ovs-vswitchd PID file to be ready before running ovs-appctl commands. (#2695, @tnqn)
  • Periodically delete stale connections in the Flow Exporter if they cannot be exported (e.g. because the collector is not available), to avoid running out-of-memory. (#2516, @srikartati)
  • Fix handling of the "reject" packets generated by the Antrea Agent in the OVS pipeline, to avoid infinite looping when traffic between two endpoints is rejected by network policies in both directions. (#2579, @GraysonWu)
  • Fix Linux kernel version parsing to accommodate more Linux distributions, in particular RHEL / CentOS. (#2450, @Jexf)
  • Fix interface naming for IPsec tunnels: based on Node names, the first char could sometimes be a dash, which is not valid. (#2486, @luolanzone)
  • When creating an IPsec OVS tunnel port to a remote Node, handle the case where the port already exists but with a stale config graciously: delete the existing port first, then recreate it. (#2582, @luolanzone)
  • Fix the policy information reported by the Flow Exporter when a Baseline Antrea-native policy is applied to the flow. (#2542, @zyiou)
  • Clean up log files for the Flow Aggregator periodically: prior to this fix, the "--log_file_max_size" and "--log_file_max_num" command-line flags were ignored for the flow-aggregator Pod. (#2522, @srikartati)
  • Fix missing template ID when sending the first IPFIX flow record from the FlowAggregator. (#2546, @zyiou)
  • Ensure that the Windows Node name obtained from the environment or from hostname is converted to lower-case. (#2672, @shettyg) [Windows]
  • Fix Antrea network clean-up script for Windows; in particular remove Hyper-V binding on network adapter used as OVS uplink so that it can recover its IP address correctly. (#2550, @wenyingd) [Windows]
  • Fix reference Logstash configuration to avoid division by zero in throughput calculation. (#2432, @zyiou)
  • Fix nil pointer error when collecting a supportbundle on a Node for which the antrea-agent container image does not include "iproute2"; this does not affect the standard antrea/antrea-ubuntu container image. (#2598, @liu4480)

antrea - Release v1.2.2

Published by antoninbas about 3 years ago

Changed

  • Update go-ipfix to version v0.5.7 to improve overall performance of the FlowExporter feature, and in particular of the Flow Aggregator component. (#2574, @srikartati @zyiou)

Fixed

  • Handle transient iptables-restore failures (caused by xtables lock contention) in the NodePortLocal initialization logic. (#2555, @antoninbas)
  • Fix handling of the "reject" packets generated by the Antrea Agent in the OVS pipeline, to avoid infinite looping when traffic between two endpoints is rejected by network policies in both directions. (#2579, @GraysonWu)
  • Fix interface naming for IPsec tunnels: based on Node names, the first char could sometimes be a dash, which is not valid. (#2486, @luolanzone)

antrea - Release v1.1.2

Published by antoninbas about 3 years ago

Changed

  • Improve the batch installation of NetworkPolicy rules when the Agent starts: only generate flow operations based on final desired state instead of incrementally. (#2479, @tnqn)

Fixed

  • Fix deadlock when initializing the GroupEntityIndex (in the Antrea Controller) with many groups; this was preventing correct distribution and enforcement of NetworkPolicies. (#2376, @tnqn)
  • Use "os/exec" package instead of third-party modules to run PowerShell commands and configure host networking on Windows; this change prevents Agent goroutines from getting stuck when configuring routes. (#2363, @lzhecheng) [Windows]
  • Fix panic in Agent when calculating the stats for a rule newly added to an existing NetworkPolicy. (#2495, @tnqn)
  • Fix bug in iptables rule installation for dual-stack clusters: if a rule was already present for one protocol but not the other, its installation may have been skipped. (#2469, @lzhecheng)
  • Upgrade OVS version to 2.14.2 to pick up security fixes for CVE-2015-8011, CVE-2020-27827 and CVE-2020-35498. (#2451, @antoninbas)

antrea - Release v1.0.3

Published by antoninbas about 3 years ago

Changed

  • Improve the batch installation of NetworkPolicy rules when the Agent starts: only generate flow operations based on final desired state instead of incrementally. (#2479, @tnqn)

Fixed

  • Fix deadlock when initializing the GroupEntityIndex (in the Antrea Controller) with many groups; this was preventing correct distribution and enforcement of NetworkPolicies. (#2376, @tnqn)
  • Use "os/exec" package instead of third-party modules to run PowerShell commands and configure host networking on Windows; this change prevents Agent goroutines from getting stuck when configuring routes. (#2363, @lzhecheng) [Windows]
  • Fix panic in Agent when calculating the stats for a rule newly added to an existing NetworkPolicy. (#2495, @tnqn)
  • Upgrade OVS version to 2.14.2 to pick up security fixes for CVE-2015-8011, CVE-2020-27827 and CVE-2020-35498. (#2451, @antoninbas)

antrea - Release v1.2.1

Published by antoninbas about 3 years ago

Changed

  • Install all Endpoint flows belonging to a Service via a single OpenFlow bundle, to reduce flow installation time when the Agent starts. (#2476, @tnqn)
  • Improve the batch installation of NetworkPolicy rules when the Agent starts: only generate flow operations based on final desired state instead of incrementally. (#2479, @tnqn)
  • Use GroupMemberSet.Merge instead of GroupMemberSet.Union to reduce CPU usage and memory footprint in the Agent's policy controller. (#2467, @tnqn)
  • When checking for the existence of an iptables chain, stop listing all the chains and searching through them; this change reduces the Agent's memory footprint. (#2458, @tnqn)
  • Tolerate more failures for the Agent's readiness probe, as the Agent may stay disconnected from the Controller for a long time in some scenarios. (#2535, @tnqn)
  • When listing NetworkPolicyStats through the Controller API, return an empty list if the NetworkPolicyStats Feature Gate is disabled, instead of returning an error. (#2386, @PeterEltgroth)

Fixed

  • Fix panic in Agent when calculating the stats for a rule newly added to an existing NetworkPolicy. (#2495, @tnqn)
  • Fix bug in iptables rule installation for dual-stack clusters: if a rule was already present for one protocol but not the other, its installation may have been skipped. (#2469, @lzhecheng)
  • Fix deadlock in the Agent's FlowExporter, between the export goroutine and the conntrack polling goroutine. (#2429, @srikartati)
  • Upgrade OVS version to 2.14.2 to pick up security fixes for CVE-2015-8011, CVE-2020-27827 and CVE-2020-35498. (#2451, @antoninbas)
  • Upgrade OVS version to 2.14.2-antrea.1 for Windows Nodes; this version of OVS is built on top of the upstream 2.14.2 release and also includes a patch to fix TCP checksum computation when the DNAT action is used. (#2549, @lzhecheng) [Windows]
  • Periodically delete stale connections in the Flow Exporter if they cannot be exported (e.g. because the collector is not available), to avoid running out-of-memory. (#2516, @srikartati)
  • Clean up log files for the Flow Aggregator periodically: prior to this fix, the "--log_file_max_size" and "--log_file_max_num" command-line flags were ignored for the flow-aggregator Pod. (#2522, @srikartati)
  • Fix missing template ID when sending the first IPFIX flow record from the FlowAggregator. (#2546, @zyiou)
  • Fix reference Logstash configuration to avoid division by zero in throughput calculation. (#2432, @zyiou)

antrea - Release v0.13.5

Published by antoninbas about 3 years ago

Fixed

  • Upgrade OVS version to 2.14.2 to pick up security fixes for CVE-2015-8011, CVE-2020-27827 and CVE-2020-35498. (#2451, @antoninbas)

antrea - Release v0.13.4

Published by antoninbas over 3 years ago

Fixed

  • Use "os/exec" package instead of third-party modules to run PowerShell commands and configure host networking on Windows; this change prevents Agent goroutines from getting stuck when configuring routes. (#2363, @lzhecheng) [Windows]

antrea - Release v1.2.0

Published by antoninbas over 3 years ago

The NetworkPolicyStats feature is graduated from Alpha to Beta and is therefore enabled by default.

Added

  • Add new ExternalIPPool API to define ranges of IP addresses which can be used as Egress SNAT IPs; these IPs are allocated to Nodes according to a nodeSelector, with support for failover if a Node goes down. (#2236 #2237 #2186 #2358 #2345 #2371, @tnqn @wenqiq)
  • Use OpenFlow meters on Linux to rate-limit PacketIn messages sent by the OVS datapath to the Antrea Agent. (#2215, @GraysonWu @antoninbas)
  • Add K8s labels for the source and destination Pods (when applicable) as IPFIX Information Elements when exporting flow records from the FlowAggregator. (#2240, @dreamtalen)
  • Add ability to print Antrea Agent and / or Antrea Controller FeatureGates using antctl, with the "antctl get featuregates" command. (#2082, @luolanzone)
  • Add support for running the same Traceflow request again (with the same parameters) from the Antrea Octant plugin. (#2202, @Dhruv-J)
  • Add ability for the Antrea Agent to configure SR-IOV secondary network interfaces for Pods (these interfaces are not attached to the OVS bridge); however, there is currently no available API for users to request secondary Pod network interfaces. (#2151, @ramay1)

Changed

  • When enabling NodePortLocal on a Service, use the Service's target ports instead of the (optional) container ports for the selected Pods to determine how to configure port forwarding for the Pods. (#2222, @monotosh-avi)
  • Update version of the go-ipfix dependency to improve FlowExporter performance. (#2129, @zyiou)
  • Remove deprecated API version networking.antrea.tanzu.vmware.com/v1beta1 as per our API deprecation policy. (#2265, @hangyan)
  • Show translated source IP address in Traceflow observations when Antrea performs SNAT in OVS. (#2227, @luolanzone)
  • Remove unnecessary IPFIX Information Elements from the flow records exported by the FlowAggregator: "originalExporterIPv4Address", "originalExporterIPv6Address" and "originalObservationDomainId". (#2361, @zyiou)
  • Ignore non-TCP Service ports in the NodePortLocal implementation and document the restriction that only TCP is supported. (#2396, @antoninbas)
  • Drop packets received by the uplink in PREROUTING (using iptables) when using the OVS userspace datapath (Kind clusters), to prevent these packets from being processed by the Node's TCP/IP stack. (#2143, @antoninbas)
  • Improve documentation for Antrea-native policies to include information about the "namespaces" field introduced in Antrea v1.1 for the ClusterNetworkPolicy API. (#2271, @abhiraut)

Fixed

  • Fix inter-Node ClusterIP Service access when AntreaProxy is disabled. (#2318, @tnqn)
  • Fix duplicate group ID allocation in AntreaProxy when using a combination of IPv4 and IPv6 Services in dual-stack clusters; this was causing Service connectivity issues. (#2317, @hongliangl)
  • Fix intra-Node ClusterIP Service access when both the AntreaProxy and Egress features are enabled. (#2332, @tnqn)
  • Fix deadlock when initializing the GroupEntityIndex (in the Antrea Controller) with many groups; this was preventing correct distribution and enforcement of NetworkPolicies. (#2376, @tnqn)
  • Fix implementation of ClusterNetworkPolicy rules with an empty "From" field (for ingress rules) or an empty "To" field (for egress rules). (#2383, @Dyanngg)
  • Use "os/exec" package instead of third-party modules to run PowerShell commands and configure host networking on Windows; this change prevents Agent goroutines from getting stuck when configuring routes. (#2363, @lzhecheng) [Windows]
  • Fix invalid clean-up of the HNS Endpoint during Pod deletion, when Docker is used as the container runtime. (#2306, @wenyingd) [Windows]
  • Fix race condition on Windows when retrieving the local HNS Network created by Antrea for containers. (#2253, @tnqn) [Windows]
  • Fix checksum computation error when sending PacketOut messages to OVS. (#2273, @Dyanngg)
  • Fix invalid conversion function between internal and versioned types for controlplane API, which was causing JSON marshalling errors. (#2302, @tnqn)
  • Fix implementation of the v1beta1 version of the legacy "controlplane.antrea.tanzu.vmware.com" API: the API was incorrectly using some v1beta2 types and it was missing some field selectors. (#2305, @tnqn)
  • Verify that the discovered uplink is not virtual when creating the HNSNetwork; if it is, log a better error message. (#2246, @tnqn) [Windows]
  • When allocating a host port for NodePortLocal, make sure that the port is available first and reserve it by binding to it. (#2385, @antoninbas)
  • Change default port range for NodePortLocal to 61000-62000, in order to avoid conflict with the default ip_local_port_range on Linux. (#2382, @antoninbas)
  • Add NamespaceIndex to PodInformer of the NodePortLocal Controller to avoid error logs and slow searches. (#2377, @tnqn)
  • When mutating an Antrea-native policy, only set the "PatchType" field in the mutating webhook's response if the "Patch" field is not empty, or the response may not be valid. (#2295, @Dyanngg)
  • Populate the "egressNetworkPolicyRuleAction" IPFIX Information Element correctly in the FlowAggregator. (#2228, @zyiou)
  • Protect Traceflow state from concurrent access in Antrea Octant plugin (in case of multiple browser sessions). (#2261, @antoninbas)
  • Remove assumption that there is a single ovs-vswitchd .ctl file when invoking ovs-appctl from the Antrea Agent. (#2260, @antoninbas)
  • Fix file permissions for the whereabouts binary included in the antrea/antrea-ubuntu Docker image. (#2353, @antoninbas)

antrea - Release v1.1.1

Published by antoninbas over 3 years ago

Fixed

  • Fix inter-Node ClusterIP Service access when AntreaProxy is disabled. (#2318, @tnqn)
  • Fix duplicate group ID allocation in AntreaProxy when using a combination of IPv4 and IPv6 Services in dual-stack clusters; this was causing Service connectivity issues. (#2317, @hongliangl)
  • Fix intra-Node ClusterIP Service access when both the AntreaProxy and Egress features are enabled. (#2332, @tnqn)
  • Fix invalid clean-up of the HNS Endpoint during Pod deletion, when Docker is used as the container runtime. (#2306, @wenyingd) [Windows]
  • Fix race condition on Windows when retrieving the local HNS Network created by Antrea for containers. (#2253, @tnqn) [Windows]
  • Fix invalid conversion function between internal and versioned types for controlplane API, which was causing JSON marshalling errors. (#2312, @tnqn)
  • Fix implementation of the v1beta1 version of the legacy "controlplane.antrea.tanzu.vmware.com" API: the API was incorrectly using some v1beta2 types and it was missing some field selectors. (#2305, @tnqn)

antrea - Release v1.0.2

Published by antoninbas over 3 years ago

Fixed

  • Fix inter-Node ClusterIP Service access when AntreaProxy is disabled. (#2318, @tnqn)
  • Fix duplicate group ID allocation in AntreaProxy when using a combination of IPv4 and IPv6 Services in dual-stack clusters; this was causing Service connectivity issues. (#2317, @hongliangl)
  • Fix intra-Node ClusterIP Service access when both the AntreaProxy and Egress features are enabled. (#2332, @tnqn)
  • Fix invalid clean-up of the HNS Endpoint during Pod deletion, when Docker is used as the container runtime. (#2306, @wenyingd) [Windows]
  • Fix race condition on Windows when retrieving the local HNS Network created by Antrea for containers. (#2253, @tnqn) [Windows]
  • Fix invalid conversion function between internal and versioned types for controlplane API, which was causing JSON marshalling errors. (#2312, @tnqn)
  • Fix implementation of the v1beta1 version of the legacy "controlplane.antrea.tanzu.vmware.com" API: the API was incorrectly using some v1beta2 types and it was missing some field selectors. (#2305, @tnqn)

antrea - Release v0.13.3

Published by antoninbas over 3 years ago

Fixed

  • Fix inter-Node ClusterIP Service access when AntreaProxy is disabled. (#2318, @tnqn)
  • Fix duplicate group ID allocation in AntreaProxy when using a combination of IPv4 and IPv6 Services in dual-stack clusters; this was causing Service connectivity issues. (#2317, @hongliangl)
  • Fix invalid clean-up of the HNS Endpoint during Pod deletion, when Docker is used as the container runtime. (#2306, @wenyingd) [Windows]
  • Fix race condition on Windows when retrieving the local HNS Network created by Antrea for containers. (#2253, @tnqn) [Windows]
  • Fix invalid conversion function between internal and versioned types for controlplane API, which was causing JSON marshalling errors. (#2312, @tnqn)

antrea - Release v1.1.0

Published by antoninbas over 3 years ago

Added

  • Enable "noEncap" and "hybrid" traffic modes for clusters which include Windows Nodes. (#2160 #2161, @lzhecheng @tnqn) [Windows]
    • Each Agent is responsible for annotating its Node resource with the MAC address of the uplink interface, using the "node.antrea.io/mac-address" annotation; the annotation is used to forward Pod traffic
  • Add a generic mechanism to define policy rules enforced on all the network endpoints belonging to the same Namespace as the target of the AppliedTo; this makes it very easy to define an Antrea CNP to only allow same-Namespace traffic (Namespace isolation) across all Namespaces in the cluster or a subset of them. (#1961, @Dyanngg)
  • Add support for the "Reject" action of Antrea-native policies in the Traceflow observations. (#2032, @gran-vmv)
  • Add support for the "endPort" field in K8s NetworkPolicies. (#2190, @GraysonWu)
  • Add support for dual-stack Services, which are enabled by default in K8s v1.21, in AntreaProxy. (#2207, @xliuxu)
  • Export flow records about connections denied by NetworkPolicies from the FlowExporter and the FlowAggregator; the records include information about the policy responsible for denying the connection when applicable. (#2112, @zyiou)
  • Add more NetworkPolicy-related information to IPFIX flow records exported by the FlowAggregator (policy type and rule name). (#2163, @heanlan)
  • Add live-traffic Traceflow support to the Antrea Octant plugin, which includes support for displaying the captured packet's headers. (#2124, #2182, @luolanzone)
  • Add crd.antrea.io/v1alpha3/ClusterGroup API resource which removes the deprecated "ipBlock" field; a conversion webhook is added to the Controller to convert from the v1alpha2 version to the v1alpha3 version. (#2008, @Dyanngg)
  • Add support for providing an IP address as the source for live-traffic Traceflow; the source can also be omitted altogether in which case any source can be a match. (#2068, @jianjuns)
  • Add ICMP echo ID and sequence number to the captured packet for live-traffic Traceflow. (#2162, @jianjuns)
  • Add support for dumping OVS groups with the "antctl get of" command. (#1984, @jianjuns)
  • Add new "antrea_agent_deny_connection_count" Prometheus metric to keep track of the number of connections denied because of NetworkPolicies; if too many connections are denied within a short window of time, the metric may undercount. (#2112, @zyiou)
  • Generate and check-in clientset code for ClusterGroupMembers and GroupAssociation, to facilitate consumption of these APIs by third-party software. (#2130, @Dyanngg)
  • Document requirements for the Node network (how to configure firewalls, security groups, etc.) when running Antrea. (#2098, @luolanzone)
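
An added example (not part of these release notes) of the same-Namespace rule mechanism described above: a ClusterNetworkPolicy applied to every Namespace that allows ingress only from the target's own Namespace and denies all other ingress. The policy name and priority value are assumptions.

```yaml
apiVersion: crd.antrea.io/v1alpha1
kind: ClusterNetworkPolicy
metadata:
  name: strict-ns-isolation   # assumed name
spec:
  priority: 5                 # assumed value; a lower number takes precedence within the tier
  tier: securityops
  appliedTo:
    - namespaceSelector: {}   # every Pod in every Namespace
  ingress:
    - action: Allow
      from:
        - namespaces:
            match: Self       # peer must be in the same Namespace as the target Pod
    - action: Deny            # everything else, i.e. ingress from other Namespaces
```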

Changed

  • Rename Antrea Go module from github.com/vmware-tanzu/antrea to antrea.io/antrea, using a vanity import path. (#2154, @antoninbas)
  • Enable Receive Segment Coalescing (RSC) in the vSwitch on Windows Nodes to reduce host CPU utilization and increase throughput when traffic is not encapsulated. (#2198, @tnqn)
  • Change the export mechanism for the FlowAggregator: instead of exporting all flows periodically with a fixed interval, we introduce an "active timeout" and an "inactive timeout", and flow information is exported differently based on flow activity. (#1949, @srikartati)
  • Periodically verify the local gateway's configuration and the gateway routes on each Node, and correct any discrepancy. (#2091, @hty690)
  • Remove the "enableTLSToFlowAggregator" parameter from the Agent configuration; this information can be provided using the "flowCollectorAddr" parameter. (#2193, @zyiou)
  • Specify antrea-agent as the default container for kubectl commands using the "kubectl.kubernetes.io/default-container" annotation introduced in K8s v1.21. (#2065, @tnqn)
  • Improve the OpenAPI schema for Antrea-native policy CRDs to enable a more comprehensive validation. (#2125, @wenqiq)
  • Bump K8s dependencies (k8s.io/apiserver, k8s.io/client-go, etc.) to v0.21.0 and replace klog with klog/v2. (#1973, @xliuxu)
  • Add nodeSelector for FlowAggregator and ELK Pods in YAML manifests: they must run on amd64 Nodes. (#2087, @antoninbas)
  • Update reference Kibana configuration to decode the flowType field and display a human-friendly string instead of an integer. (#2102, @zyiou)
  • Package whereabouts CNI plugin into the Antrea Linux container image and install the binary on each Node. (#2185, @arunvelayutham)
  • Start enabling Antrea end-to-end tests for Windows Nodes. (#2018, @lzhecheng)
  • Parameterize K8s download path in Windows helper scripts. (#2174 #2192, @jayunit100 @lzhecheng) [Windows]

Fixed

  • It was discovered that the AntreaProxy implementation has an upper-bound for the number of Endpoints it can support for each Service: we increase this upper-bound from ~500 to 800, log a warning for Services with a number of Endpoints greater than 800, and arbitrarily drop some Endpoints so we can still provide load-balancing for the Service. (#2101, @hongliangl)
  • Fix Antrea-native policy with multiple AppliedTo selectors: some rules were never realized by the Agents as they thought they had only received partial information from the Controller. (#2084, @tnqn)
  • Fix re-installation of the OpenFlow groups when the OVS daemons are restarted to ensure that AntreaProxy keeps functioning. (#2134, @antoninbas)
  • Configure the MTU correctly in Windows containers, or Path MTU Discovery fails and datagrams with the minimum size are transmitted leading to poor performance in overlay mode. (#2133, @lzhecheng) [Windows]
  • Fix IPFIX flow records exported by the Antrea Agent. (#2089, @zyiou)
    • If a connection spanned multiple export cycles, it wasn't handled properly and no record was sent for the connection
    • If a connection spanned a single export cycle, a single record was sent but "delta counters" were set to 0 which caused flow visualization to omit the flow in dashboards
  • Fix incorrect stats reporting for ingress rules of some NetworkPolicies: some types of traffic were bypassing the OVS table keeping track of statistics once the connection was established, causing packet and byte stats to be incorrect. (#2078, @ceclinux)
  • Fix ability of the FlowExporter to connect to the FlowAggregator on Windows: the "flow-aggregator.flow-aggregator.svc" DNS name cannot be resolved on Windows because the Agent is running as a process. (#2138, @dreamtalen) [Windows]
  • Fix Traceflow for "hairpinned" Service traffic. (#2167, @gran-vmv)
  • Fix possible crash in the FlowExporter and FlowAggregator when re-establishing a connection for exporting flow records. (#2039, @srikartati)
  • Fix local access (from the K8s Node) to the port of a Pod with NodePortLocal enabled running on the same Node. (#2200, @antoninbas)
  • Add conntrack label parsing in the FlowExporter when using the OVS netdev datapath, so that NetworkPolicy information can be populated correctly in flow records. (#2194, @dreamtalen)
  • Fix the retry logic when enabling the OVS bridge local interface on Windows Nodes. (#2081, @antoninbas) [Windows]
  • Sleep for a small duration before injecting the Traceflow packet even when the destination is local, to ensure that flow installation can complete and avoid transient errors. (#2114, @gran-vmv)
  • Build antrea-cni binary and release binaries without cgo, to avoid dependencies on system libraries. (#2189, @antoninbas)
  • Do not populate hostNetwork Pods into AppliedTo groups sent by the Controller to the Agents to avoid unnecessary logs (NetworkPolicies are not enforced on hostNetwork Pods). (#2093, @Dyanngg)
  • Fix formatting of K8s code generation tags for Antrea API type declarations, to ensure that auto-generated godocs are rendered correctly. (#2164, @heshengyuan1311)
  • Update brew install commands in the documentation for bringing up a local K8s test cluster. (#2074, @RayBB)

antrea - Release v0.11.4

Published by antoninbas over 3 years ago

Fixed

  • It was discovered that the AntreaProxy implementation has an upper-bound for the number of Endpoints it can support for each Service: we increase this upper-bound from ~500 to 800, log a warning for Services with a number of Endpoints greater than 800, and arbitrarily drop some Endpoints so we can still provide load-balancing for the Service. (#2101, @hongliangl)
  • Fix Antrea-native policy with multiple AppliedTo selectors: some rules were never realized by the Agents as they thought they had only received partial information from the Controller. (#2084, @tnqn)
  • Fix re-installation of the OpenFlow groups when the OVS daemons are restarted to ensure that AntreaProxy keeps functioning. (#2134, @antoninbas)
  • Fix audit logging on Windows Nodes: the log directory was not configured properly, causing Agent initialization to fail on Windows when the AntreaPolicy feature was enabled. (#2052, @antoninbas) [Windows]
  • Use correct output format for CNI Add in networkPolicyOnly mode: this was not an issue with Docker but was causing failures with containerd. (#2037, @antoninbas @dantingl)
  • Fix audit logging of IPv6 traffic for Antrea-native policies: IPv6 packets were ignored by the Agent instead of being parsed and logged to file. (#1990, @antoninbas)
  • Fix Status updates for ClusterNetworkPolicies. (#2036, @Dyanngg)

antrea - Release v0.12.3

Published by antoninbas over 3 years ago

Fixed

  • It was discovered that the AntreaProxy implementation has an upper-bound for the number of Endpoints it can support for each Service: we increase this upper-bound from ~500 to 800, log a warning for Services with a number of Endpoints greater than 800, and arbitrarily drop some Endpoints so we can still provide load-balancing for the Service. (#2101, @hongliangl)
  • Fix Antrea-native policy with multiple AppliedTo selectors: some rules were never realized by the Agents as they thought they had only received partial information from the Controller. (#2084, @tnqn)
  • Fix re-installation of the OpenFlow groups when the OVS daemons are restarted to ensure that AntreaProxy keeps functioning. (#2134, @antoninbas)
  • Fix audit logging on Windows Nodes: the log directory was not configured properly, causing Agent initialization to fail on Windows when the AntreaPolicy feature was enabled. (#2052, @antoninbas) [Windows]
  • Use correct output format for CNI Add in networkPolicyOnly mode: this was not an issue with Docker but was causing failures with containerd. (#2037, @antoninbas @dantingl)
  • Fix audit logging of IPv6 traffic for Antrea-native policies: IPv6 packets were ignored by the Agent instead of being parsed and logged to file. (#1990, @antoninbas)
  • Fix Status updates for ClusterNetworkPolicies. (#2036, @Dyanngg)

antrea - Release v0.13.2

Published by antoninbas over 3 years ago

Fixed

  • It was discovered that the AntreaProxy implementation has an upper-bound for the number of Endpoints it can support for each Service: we increase this upper-bound from ~500 to 800, log a warning for Services with a number of Endpoints greater than 800, and arbitrarily drop some Endpoints so we can still provide load-balancing for the Service. (#2101, @hongliangl)
  • Fix Antrea-native policy with multiple AppliedTo selectors: some rules were never realized by the Agents as they thought they had only received partial information from the Controller. (#2084, @tnqn)
  • Fix re-installation of the OpenFlow groups when the OVS daemons are restarted to ensure that AntreaProxy keeps functioning. (#2134, @antoninbas)
  • Fix the retry logic when enabling the OVS bridge local interface on Windows Nodes. (#2081, @antoninbas) [Windows]
  • Fix audit logging on Windows Nodes: the log directory was not configured properly, causing Agent initialization to fail on Windows when the AntreaPolicy feature was enabled. (#2052, @antoninbas) [Windows]
  • When selecting the Pods corresponding to a Service for which NodePortLocal has been enabled, Pods should be filtered by Namespace. (#1927, @chauhanshubham)
  • Correctly handle Service Type changes for NodePortLocal, and update Pod annotations accordingly. (#1936, @chauhanshubham)
  • Use correct output format for CNI Add in networkPolicyOnly mode: this was not an issue with Docker but was causing failures with containerd. (#2037, @antoninbas @dantingl)
  • Fix audit logging of IPv6 traffic for Antrea-native policies: IPv6 packets were ignored by the Agent instead of being parsed and logged to file. (#1990, @antoninbas)
  • Fix Status updates for ClusterNetworkPolicies. (#2036, @Dyanngg)

antrea - Release v1.0.1

Published by antoninbas over 3 years ago

Fixed

  • It was discovered that the AntreaProxy implementation has an upper-bound for the number of Endpoints it can support for each Service: we increase this upper-bound from ~500 to 800, log a warning for Services with a number of Endpoints greater than 800, and arbitrarily drop some Endpoints so we can still provide load-balancing for the Service. (#2101, @hongliangl)
  • Fix Antrea-native policy with multiple AppliedTo selectors: some rules were never realized by the Agents as they thought they had only received partial information from the Controller. (#2084, @tnqn)
  • Fix re-installation of the OpenFlow groups when the OVS daemons are restarted to ensure that AntreaProxy keeps functioning. (#2134, @antoninbas)
  • Fix IPFIX flow records exported by the Antrea Agent. (#2089, @zyiou)
    • If a connection spanned multiple export cycles, it wasn't handled properly and no record was sent for the connection
    • If a connection spanned a single export cycle, a single record was sent but "delta counters" were set to 0 which caused flow visualization to omit the flow in dashboards
  • Fix incorrect stats reporting for ingress rules of some NetworkPolicies: some types of traffic were bypassing the OVS table keeping track of statistics once the connection was established, causing packet and byte stats to be incorrect. (#2078, @ceclinux)
  • Fix the retry logic when enabling the OVS bridge local interface on Windows Nodes. (#2081, @antoninbas) [Windows]

antrea - Release v1.0.0

Published by antoninbas over 3 years ago

Includes all the changes from 0.13.1.

The AntreaPolicy feature is graduated from Alpha to Beta and is therefore enabled by default.

Added

  • Add Egress feature to configure SNAT policies for Pod-to-external traffic. [Alpha - Feature Gate: Egress]
    • A new Egress CRD is introduced to define SNAT policies (#1433, @jianjuns)
    • Update the datapath to implement Egress: on Windows Nodes, everything is implemented in OVS, while on Linux Nodes, OVS marks packets and sends them to the host network namespace, where iptables handles SNAT (#1892 #1969 #1998, @jianjuns, @tnqn)
    • A new EgressGroup control plane API is introduced: the Controller computes group membership for each policy and sends this information to the Agents (#1965, @tnqn)
    • Implement the EgressGroup control plane API in the Agent (#2026, @tnqn @ceclinux)
    • Document the Egress feature and its datapath implementation (#2041 #2044, @jianjuns @tnqn)
  • Add support for the "Reject" action in Antrea-native policies as an alternative to "Drop" (which silently drops packets). (#1888, @GraysonWu)
    • For rejected TCP connections, the Agent will send a TCP RST packet
    • For UDP and SCTP, the Agent will send an ICMP message with Type 3 (Destination Unreachable) and Code 10 (Host administratively prohibited)
  • Add support for nesting in the ClusterGroup CRD: a ClusterGroup can now reference a list of ClusterGroups, but only one level of nesting is supported. (#1920, @Dyanngg)
  • Add ability to specify multiple IPBlocks when defining a ClusterGroup. (#1993, @Dyanngg)
  • Support for IPv6 (IPv6-only and dual-stack clusters) in the FlowAggregator and in the reference ELK stack. (#1819 #1962, @dreamtalen)
  • Add support for arm/v7 and arm64 to the main Antrea Docker image for Linux (antrea/antrea-ubuntu) instead of using a separate image. (#1994, @antoninbas)
  • Add support for live-traffic tracing in Traceflow: rather than injecting a Traceflow packet, we can monitor real traffic and update the Traceflow Status when a matching packet is observed. (#2005 #2029, @jianjuns)
    • The captured packet is reported as part of the Traceflow request Status
    • Live-traffic tracing supports a "Dropped-Only" filter which will only capture packets dropped by the datapath
  • Introduce a new optional mutating webhook to automatically label all Namespaces and Services with their name (antrea.io/metadata.name: <resourceName>); this allows NetworkPolicies and ClusterGroup to easily select these resources by name. (#1690, @abhiraut @Dyanngg)
  • Add support for rule-level statistics for Antrea-native policies, when the NetworkPolicyStats feature is enabled: rules are identified by their name, which can be user-provided or auto-generated. (#1780, @ceclinux)
  • Add TCP connection state information to the IPFIX records sent by the FlowExporter, and improve handling of "dying" connections. (#1904, @zyiou)
  • Add information about the flow type (intra-Node, inter-Node, Pod-to-external) to the IPFIX records sent by the FlowExporter. (#2000, @dreamtalen)
  • Add support for dumping OVS flows related to a Service with the "antctl get of" command. (#1877, @jianjuns)
  • Randomly generate a cluster UUID in the Antrea Controller and make it persistent by storing it to a ConfigMap ("antrea-cluster-identity"). (#1805, @antoninbas)
  • Add support for IPv6 to "antctl traceflow". (#1995, @luolanzone)

Changed

  • Rename all Antrea API groups from *.antrea.tanzu.vmware.com to *.antrea.io. (#1799, @hongliangl)
    • All legacy groups will be supported until December 2021
    • See the API documentation for more details and information on how to upgrade client applications which use the Antrea API (#2031, @antoninbas)
  • Change the export mechanism for the FlowExporter in the Antrea Agent: instead of exporting all flows periodically with a fixed interval, we introduce an "active timeout" and an "idle timeout", and flow information is exported differently based on flow activity. (#1714, @srikartati)
  • Add rate-limiting in the Agent for PacketIn messages sent by the OVS datapath: this can help limit the CPU usage when too many messages are sent by OVS. (#2015, @GraysonWu)
  • Output partial result when a Traceflow request initiated by antctl fails or times out, as it can still provide useful information. (#1879, @jianjuns)
  • Ensure that "antctl version" always outputs the client version, even when antctl cannot connect to the Antrea apiserver. (#1876, @antoninbas)
  • Extract the group member calculation for the NetworkPolicy implementation in the Controller to its own module, so it can be reused for different features which need to calculate groups of endpoints based on a given selection criteria; performance (CPU and memory usage) is also improved. (#1937, @tnqn)
  • Optimize the computation of unions of sets when processing NetworkPolicies in the Controller. (#1938, @tnqn)
  • Optimize the computation of symmetric differences of sets in the Agent (NodePortLocal) and in the Controller (NetworkPolicy processing). (#1944, @tnqn)
  • Move mutable ConfigMap resources out of the deployment YAML and create them programmatically instead; this facilitates integration with other projects such as kapp. (#1983, @hty690)
  • Improve error logs when the Antrea Agent's connection to the Controller times out, and introduce a dedicated health check in the Agent to report the connection status. (#1946, @hty690)
  • Support user-provided signed OVS binaries in Windows installation script. (#1963, @lzhecheng) [Windows]
  • When NodePortLocal is enabled on a Pod, do not allocate new ports on the host for Pod containers with HostPort enabled. (#2024, @annakhm)
  • Use "distroless" Docker image for the FlowAggregator to reduce its size. (#2004 #2016, @hanlins @dreamtalen)
  • Improve reference Kibana dashboards for flow visualization and update the documentation for flow visualization with more up-to-date Kibana screenshots. (#1933, @zyiou)
  • Reject unsupported positional arguments in antctl commands. (#2011, @hty690)
  • Reduce log verbosity for PacketIn messages received by the Agent. (#2046, @jianjuns)
  • Improve Windows documentation to cover running Antrea as a Windows service, which is required when using containerd as the container runtime. (#1874, @lzhecheng @jayunit100) [Windows]
  • Update the documentation for hardware offload support. (#1943, @Mmduh-483)
  • Document IPv6 support for Traceflow. (#1996, @gran-vmv)
  • Remove old references to Ubuntu 18.04 from the documentation. (#1960, @shadowlan)

Fixed

  • Fix audit logging on Windows Nodes: the log directory was not configured properly, causing Agent initialization to fail on Windows when the AntreaPolicy feature was enabled. (#2052, @antoninbas) [Windows]
  • When selecting the Pods corresponding to a Service for which NodePortLocal has been enabled, Pods should be filtered by Namespace. (#1927, @chauhanshubham)
  • Correctly handle Service Type changes for NodePortLocal, and update Pod annotations accordingly. (#1936, @chauhanshubham)
  • Use correct output format for CNI Add in networkPolicyOnly mode: this was not an issue with Docker but was causing failures with containerd. (#2037, @antoninbas @dantingl)
  • Fix audit logging of IPv6 traffic for Antrea-native policies: IPv6 packets were ignored by the Agent instead of being parsed and logged to file. (#1990, @antoninbas)
  • Fix the Traceflow implementation when the destination IP is an external IP or the local gateway's IP. (#1884, @antoninbas)
  • Fix a crash in the Agent when the FlowExporter initialization fails; instead of a crash it should try again the next time flow data needs to be exported. (#1959, @srikartati)
  • Add missing flows in OVS for IPv6 Traceflow support preventing Traceflow packets from bypassing conntrack. (#2054, @jianjuns)
  • Fix Status updates for ClusterNetworkPolicies. (#2036, @Dyanngg)