VMware Container Networking with Antrea | September 2, 2021 | 18517750
What's New
- Support for Fully Qualified Domain Names (FQDNs) in Antrea-Native Policies
- The AntreaPolicy feature, although enabled by default, is graduated from Alpha to Beta
- The NetworkPolicyStats feature is graduated from Alpha to Beta and is therefore enabled by default
- Added new ExternalIPPool API to define ranges of IP addresses which can be used as Egress SNAT IPs
- Improvements to the NodePortLocal feature, which is enabled by default
- Introduction of 'self' Namespace policies, which enable the selection of all peers within a Namespace when defining a policy, without having to define a different policy per Namespace
- noEncap and Hybrid traffic modes for clusters which include Windows nodes
- Support for "Reject" action of Antrea-native policies in the Traceflow observations
- Support for "endPort" field in K8s NetworkingPolicies
- Support for nesting in the ClusterGroup CRD: a ClusterGroup can now reference a list of ClusterGroups but only one level of nesting is supported
- antctl improvements with support for dumping OVS flows related to a Service
- Support for IPv6 to "antctl traceflow"
- APIs are being renamed from *.antrea.tanzu.vmware.com to *.antrea.io
Compatibility Testing Matrix
K8S Distribution | K8S Versions | OS | Encapsulation |
---|---|---|---|
K8s | 1.18, 1.19, 1.20, 1.21 | Ubuntu 18.04, Photon OS 3, Debian 10 | Geneve, NoEncap, Hybrid |
AWS EKS | 1.17 | Amazon Linux 2 | Policy Only Mode |
Azure AKS, AKS Engine | 1.18 | Ubuntu 18.04 | Policy Only Mode |
GKE (Google Kubernetes Engine) | 1.18 | Ubuntu 18.04, Windows | NoEncap, Policy Only Mode |
Change Logs 1.2.2 - 2021-08-16
Includes all the changes from 1.1.
Includes all the changes from 1.0.
Added
- Antrea-native policy accepts a `fqdn` field in the `to` selector to filter Fully Qualified Domain Names (FQDNs) specified either by exact name or wildcard expressions, when defining `egress` rules. The standard `Allow`, `Drop` and `Reject` actions apply to FQDN egress rules.
- Add new ExternalIPPool API to define ranges of IP addresses which can be used as Egress SNAT IPs; these IPs are allocated to Nodes according to a nodeSelector, with support for failover if a Node goes down. (#2236 #2237 #2186 #2358 #2345 #2371, @tnqn @wenqiq) Refer to the Egress user documentation for more information.
- Use OpenFlow meters on Linux to rate-limit PacketIn messages sent by the OVS datapath to the Antrea Agent. (#2215, @GraysonWu @antoninbas)
- Add K8s labels for the source and destination Pods (when applicable) as IPFIX Information Elements when exporting flow records from the FlowAggregator. (#2240, @dreamtalen)
- Add ability to print Antrea Agent and / or Antrea Controller FeatureGates using antctl, with the "antctl get featuregates" command. (#2082, @luolanzone)
- Add support for running the same Traceflow request again (with the same parameters) from the Antrea Octant plugin. (#2202, @Dhruv-J)
- Add ability for the Antrea Agent to configure SR-IOV secondary network interfaces for Pods (these interfaces are not attached to the OVS bridge); however, there is currently no available API for users to request secondary Pod network interfaces. (#2151, @ramay1)
- Add a generic mechanism to define policy rules enforced on all the network endpoints belonging to the same Namespace as the target of the AppliedTo; this makes it very easy to define an Antrea CNP to only allow same-Namespace traffic (Namespace isolation) across all Namespaces in the cluster or a subset of them. (#1961, @Dyanngg)
- APIs are being renamed from *.antrea.tanzu.vmware.com to *.antrea.io. The old APIs are still supported, but the recommendation is to use the new APIs.
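The FQDN egress selector and the same-Namespace ('Self') peer described in the items above, shown together in two ClusterNetworkPolicy manifests. This is an added example, not a manifest from the release notes or from the Antrea project; the crd.antrea.io/v1alpha1 API version, the tier and policy names, the Pod and Namespace labels, the ports and the domain names are all assumptions chosen for illustration.

```yaml
# Added example, not from the release notes or the Antrea project.
# Assumed: API version crd.antrea.io/v1alpha1, tier and policy names,
# the app/isolation labels, and the domain names (constructed).
apiVersion: crd.antrea.io/v1alpha1
kind: ClusterNetworkPolicy
metadata:
  name: egress-fqdn-allowlist
spec:
  priority: 5
  tier: application
  appliedTo:
  - podSelector:
      matchLabels:
        app: payments
  egress:
  # Exact FQDN match: only this host is reachable, and only on TCP/443.
  - action: Allow
    to:
    - fqdn: "api.example.com"
    ports:
    - protocol: TCP
      port: 443
  # Wildcard FQDN match: every subdomain of the partner domain is rejected,
  # so the client fails fast instead of waiting on a silent drop.
  - action: Reject
    to:
    - fqdn: "*.partner.example"
  # DNS must stay reachable: FQDN rules are keyed on the names the Pod
  # resolves, so a policy that drops DNS as well leaves nothing to match.
  - action: Allow
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # Default-deny for every other destination (evaluated after the rules above).
  - action: Drop
    to:
    - ipBlock:
        cidr: 0.0.0.0/0
---
apiVersion: crd.antrea.io/v1alpha1
kind: ClusterNetworkPolicy
metadata:
  name: namespace-isolation
spec:
  priority: 10
  tier: securityops
  appliedTo:
  - namespaceSelector:
      matchLabels:
        isolation: strict
  ingress:
  # 'Self' resolves, per target Pod, to that Pod's own Namespace, so this
  # single rule isolates every selected Namespace without one policy each.
  - action: Allow
    from:
    - namespaces:
        match: Self
  # Traffic from any other Namespace is dropped.
  - action: Drop
    from:
    - namespaceSelector: {}
```

Rules within a policy are evaluated in order, which is why the DNS allow sits before the catch-all Drop. The Reject action on the wildcard rule is the one this release adds to Traceflow observations, so a `antctl traceflow` run from a `payments` Pod toward a `*.partner.example` address is a quick way to confirm the rule is hit.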
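The ExternalIPPool and Egress objects described in the Added list, as an added example that is not from the release notes or the Antrea project. The crd.antrea.io/v1alpha2 API version, the pool and Egress names, the Node and Namespace labels and the IP range are assumptions made for illustration; the range in particular is constructed and must be replaced with addresses that are routable on the Node network and reserved for this use.

```yaml
# Added example, not from the release notes or the Antrea project.
# Assumed: API version crd.antrea.io/v1alpha2, object names, labels,
# and the 10.10.0.2-10.10.0.10 range (constructed).
apiVersion: crd.antrea.io/v1alpha2
kind: ExternalIPPool
metadata:
  name: prod-egress-pool
spec:
  # Addresses handed out as Egress SNAT IPs. Keep the range small: the
  # upstream firewall allow-list is only as tight as this range.
  ipRanges:
  - start: 10.10.0.2
    end: 10.10.0.10
  # Only Nodes carrying this label may own an IP from the pool; when such a
  # Node goes down the IP fails over to another Node matching the selector.
  nodeSelector:
    matchLabels:
      network-role: egress-gateway
---
apiVersion: crd.antrea.io/v1alpha2
kind: Egress
metadata:
  name: prod-egress
spec:
  # Traffic from Pods in Namespaces labelled env=prod leaves the cluster
  # with an IP allocated from the pool rather than the Pod's own Node IP.
  appliedTo:
    namespaceSelector:
      matchLabels:
        env: prod
  externalIPPool: prod-egress-pool
```

Because the Egress IP is what external systems see, the Nodes selected by `nodeSelector` become the only egress path for the matched Pods; a practitioner should confirm that those Nodes, and the failover Nodes, are the ones whose addresses the perimeter firewall trusts, and nothing else in the Node subnet.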
Changed
- When enabling NodePortLocal on a Service, use the Service's target ports instead of the (optional) container ports for the selected Pods to determine how to configure port forwarding for the Pods. (#2222, @monotosh-avi)
- Update version of the go-ipfix dependency to improve FlowExporter performance. (#2129, @zyiou)
- Remove deprecated API version networking.antrea.tanzu.vmware.com/v1beta1 as per our API deprecation policy. (#2265, @hangyan)
- Show translated source IP address in Traceflow observations when Antrea performs SNAT in OVS. (#2227, @luolanzone)
- Remove unnecessary IPFIX Information Elements from the flow records exported by the FlowAggregator: "originalExporterIPv4Address", "originalExporterIPv6Address" and "originalObservationDomainId". (#2361, @zyiou)
- Ignore non-TCP Service ports in the NodePortLocal implementation and document the restriction that only TCP is supported. (#2396, @antoninbas)
- Drop packets received by the uplink in PREROUTING (using iptables) when using the OVS userspace datapath (Kind clusters), to prevent these packets from being processed by the Node's TCP/IP stack. (#2143, @antoninbas)
- Improve documentation for Antrea-native policies to include information about the "namespaces" field introduced in Antrea v1.1 for the ClusterNetworkPolicy API. (#2271, @abhiraut)
- Improve the batch installation of NetworkPolicy rules when the Agent starts: only generate flow operations based on final desired state instead of incrementally. (#2479, @tnqn)
- Update go-ipfix to version v0.5.7 to improve overall performance of the FlowExporter feature, and in particular of the Flow Aggregator component. (#2574, @srikartati @zyiou)
Fixed
- Change default port range for NodePortLocal to 61000-62000, in order to avoid conflict with the default ip_local_port_range on Linux. (#2382, @antoninbas)
- Fix inter-Node ClusterIP Service access when AntreaProxy is disabled. (#2318, @tnqn)
- Fix ClusterIP Service access when both the AntreaProxy and Egress features are enabled. (#2332, @tnqn)
- Fix panic in Agent when calculating the stats for a rule newly added to an existing NetworkPolicy. (#2495, @tnqn)
- Fix handling of the "reject" packets generated by the Antrea Agent in the OVS pipeline, to avoid infinite looping when traffic between two endpoints is rejected by network policies in both directions. (#2579, @GraysonWu)
- Fix interface naming for IPsec tunnels: based on Node names, the first char could sometimes be a dash, which is not valid. (#2486, @luolanzone)
Known Issues
Realization of Network Policies takes longer after upgrading to 1.3.0-1.2.2 with a large number (10,000+) of Antrea Network Policy Custom Resources.
When Antrea is upgraded to 1.3.0-1.2.2 from an older release (1.2.0-0.13.x or older), the Antrea Controller automatically mirrors each Antrea Network Policy to the new API group 'antrea.io'. When a large number of ANP CRs are present, the policies are enforced slowly because the ANP CRs are still being mirrored to the new API. This has been observed with more than 10,000 ANPs.
Workaround: Manually mirror old API group to new API group before upgrade
- Create the new CRDs of tiers.crd.antrea.io, networkpolicies.crd.antrea.io, clusternetworkpolicies.crd.antrea.io, clustergroups.crd.antrea.io. The CRDs can be fetched from the manifest yaml that you will use for upgrade.
- Dump the resources of the deprecated CRDs (with *.antrea.tanzu.vmware.com suffix), create the same resources with new CRDs (with *.antrea.io suffix):
```shell
kubectl get tiers.security.antrea.tanzu.vmware.com -o yaml -A | sed "s/security.antrea.tanzu.vmware.com/crd.antrea.io/g" | kubectl apply -f -
kubectl get networkpolicies.security.antrea.tanzu.vmware.com -o yaml -A | sed "s/security.antrea.tanzu.vmware.com/crd.antrea.io/g" | kubectl apply -f -
kubectl get clusternetworkpolicies.security.antrea.tanzu.vmware.com -o yaml -A | sed "s/security.antrea.tanzu.vmware.com/crd.antrea.io/g" | kubectl apply -f -
kubectl get clustergroups.core.antrea.tanzu.vmware.com -o yaml -A | sed "s/core.antrea.tanzu.vmware.com/crd.antrea.io/g" | kubectl apply -f -
```
Note: if there are no resources for a CRD, the command fails with "error: no objects passed to apply", which can be ignored. The `sed` substitution is global, so it also rewrites the old group string wherever it appears inside the dumped objects, such as in labels, annotations (including kubectl.kubernetes.io/last-applied-configuration) or string values; review the transformed YAML (for example by replacing `kubectl apply -f -` with `cat`) before applying it.
- After all of the above resources have been mirrored to the new CRDs, complete a normal upgrade.