--- # Source: antrea/crds/antreaagentinfo.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: antreaagentinfos.crd.antrea.io labels: app: antrea spec: group: crd.antrea.io versions: - name: v1beta1 served: true storage: true schema: openAPIV3Schema: type: object properties: version: type: string agentConditions: type: array items: type: object required: - type - status - lastHeartbeatTime properties: lastHeartbeatTime: type: string format: date-time type: type: string enum: ['AgentHealthy', 'ControllerConnectionUp', 'OVSDBConnectionUp', 'OpenflowConnectionUp'] status: type: string enum: ['True', 'False', 'Unknown'] reason: type: string message: type: string localPodNum: type: integer format: int32 nodePortLocalPortRange: type: string nodeSubnets: type: array items: type: string apiCABundle: type: string format: byte ovsInfo: type: object properties: version: type: string bridgeName: type: string flowTable: type: object additionalProperties: type: integer format: int32 networkPolicyControllerInfo: type: object properties: networkPolicyNum: type: integer format: int32 addressGroupNum: type: integer format: int32 appliedToGroupNum: type: integer format: int32 apiPort: type: integer minimum: 1 maximum: 65535 podRef: type: object properties: kind: type: string namespace: type: string name: type: string uid: type: string apiVersion: type: string resourceVersion: type: string fieldPath: type: string nodeRef: type: object properties: kind: type: string namespace: type: string name: type: string uid: type: string apiVersion: type: string resourceVersion: type: string fieldPath: type: string networkInfo: type: object properties: transportInterface: type: string transportInterfaceMTU: type: integer format: int32 minimum: 0 podMTU: type: integer format: int32 minimum: 0 transportInterfaceIPs: type: array items: type: string # At most one item for each IP family maxItems: 2 additionalPrinterColumns: - description: Health status of this Agent jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" name: Healthy type: string - description: Last time the Healthy Condition was updated jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" name: Last Heartbeat type: date - description: Version of this Agent jsonPath: ".version" name: Version type: string priority: 1 - description: Node on which this Agent is running jsonPath: ".nodeRef.name" name: Node type: string priority: 1 - description: Number of local Pods managed by this Agent jsonPath: ".localPodNum" name: Num Pods type: integer priority: 2 - description: Subnets used by this Agent for Pod IPAM jsonPath: ".nodeSubnets" name: Subnets type: string priority: 2 scope: Cluster names: plural: antreaagentinfos singular: antreaagentinfo kind: AntreaAgentInfo shortNames: - aai --- # Source: antrea/crds/antreacontrollerinfo.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: antreacontrollerinfos.crd.antrea.io labels: app: antrea spec: group: crd.antrea.io versions: - name: v1beta1 served: true storage: true schema: openAPIV3Schema: type: object properties: version: type: string controllerConditions: type: array items: type: object required: - type - status - lastHeartbeatTime properties: lastHeartbeatTime: type: string format: date-time status: type: string enum: ['True', 'False', 'Unknown'] type: type: string enum: ['ControllerHealthy'] reason: type: string message: type: string serviceRef: type: object properties: kind: type: string namespace: type: string name: type: string uid: type: string apiVersion: type: string resourceVersion: type: string fieldPath: type: string networkPolicyControllerInfo: type: object properties: networkPolicyNum: type: integer format: int32 addressGroupNum: type: integer format: int32 appliedToGroupNum: type: integer format: int32 apiPort: type: integer minimum: 1 maximum: 65535 connectedAgentNum: type: integer format: int32 podRef: type: object properties: kind: type: string namespace: type: string name: type: string uid: type: string apiVersion: type: string resourceVersion: type: string fieldPath: type: string nodeRef: type: object properties: kind: type: string namespace: type: string name: type: string uid: type: string apiVersion: type: string resourceVersion: type: string fieldPath: type: string additionalPrinterColumns: - description: Health status of the Controller jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" name: Healthy type: string - description: Last time the Healthy Condition was updated jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" name: Last Heartbeat type: date - description: Version of the Controller jsonPath: ".version" name: Version type: string priority: 1 - description: Number of Agents connected to the Controller jsonPath: ".connectedAgentNum" name: Connected Agents type: integer priority: 1 - description: Node on which the Controller is running jsonPath: ".nodeRef.name" name: Node type: string priority: 1 - description: Number of Network Policies computed by Controller jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" name: Num Network Policies type: integer priority: 2 scope: Cluster names: plural: antreacontrollerinfos singular: antreacontrollerinfo kind: AntreaControllerInfo shortNames: - aci --- # Source: antrea/crds/bgppolicy.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: bgppolicies.crd.antrea.io spec: group: crd.antrea.io versions: - name: v1alpha1 served: true storage: true schema: openAPIV3Schema: type: object required: - spec properties: spec: type: object required: - nodeSelector - localASN properties: nodeSelector: type: object properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true localASN: type: integer format: int32 minimum: 1 maximum: 65535 listenPort: type: integer format: int32 minimum: 1 maximum: 65535 default: 179 confederation: type: object properties: identifier: type: integer format: int32 minimum: 1 maximum: 65535 memberASNs: type: array items: type: integer format: int32 minimum: 1 maximum: 65535 advertisements: type: object properties: service: type: object properties: ipTypes: type: array items: type: string enum: - ClusterIP - LoadBalancerIP - ExternalIP pod: type: object properties: {} egress: type: object properties: {} bgpPeers: type: array items: type: object required: - address - asn properties: address: type: string oneOf: - format: ipv4 - format: ipv6 port: type: integer format: int32 minimum: 1 maximum: 65535 default: 179 asn: type: integer format: int32 minimum: 1 maximum: 65535 multihopTTL: type: integer format: int32 minimum: 1 maximum: 255 default: 1 gracefulRestartTimeSeconds: type: integer format: int32 minimum: 1 maximum: 3600 default: 120 additionalPrinterColumns: - description: Local BGP AS number jsonPath: .spec.localASN name: Local ASN type: integer - jsonPath: .metadata.creationTimestamp name: Age type: date scope: Cluster names: plural: bgppolicies singular: bgppolicy kind: BGPPolicy --- # Source: antrea/crds/clustergroup.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: clustergroups.crd.antrea.io labels: app: antrea spec: group: crd.antrea.io versions: - name: v1beta1 served: true storage: true schema: openAPIV3Schema: type: object properties: spec: type: object properties: childGroups: type: array items: type: string podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object namespaceSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object nodeSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object externalEntitySelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object ipBlocks: type: array items: type: object properties: cidr: type: string format: cidr except: type: array items: type: string format: cidr serviceReference: type: object properties: name: type: string namespace: type: string status: type: object properties: conditions: type: array items: type: object properties: type: type: string status: type: string lastTransitionTime: type: string subresources: status: { } scope: Cluster names: plural: clustergroups singular: clustergroup kind: ClusterGroup shortNames: - cg --- # Source: antrea/crds/clusternetworkpolicy.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: clusternetworkpolicies.crd.antrea.io labels: app: antrea spec: group: crd.antrea.io versions: - name: v1beta1 served: true storage: true additionalPrinterColumns: - name: Tier type: string description: The Tier to which this ClusterNetworkPolicy belongs to. jsonPath: .spec.tier - name: Priority type: number format: float description: The Priority of this ClusterNetworkPolicy relative to other policies. jsonPath: .spec.priority - name: Desired Nodes type: number format: int32 description: The total number of Nodes that should realize the NetworkPolicy. jsonPath: .status.desiredNodesRealized - name: Current Nodes type: number format: int32 description: The number of Nodes that have realized the NetworkPolicy. jsonPath: .status.currentNodesRealized - name: Age type: date jsonPath: .metadata.creationTimestamp schema: openAPIV3Schema: type: object properties: spec: # Ensure that Spec.Priority field is set required: - priority type: object properties: tier: type: string priority: type: number format: float # Ensure that Spec.Priority field is between 1 and 10000 minimum: 1.0 maximum: 10000.0 appliedTo: type: array items: type: object # Ensure that Spec.AppliedTo does not allow IPBlock field properties: podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object namespaceSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object group: type: string serviceAccount: type: object properties: name: type: string namespace: type: string required: - name - namespace service: type: object properties: name: type: string namespace: type: string required: - name - namespace nodeSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object ingress: type: array items: type: object required: - action properties: appliedTo: type: array items: type: object # Ensure that rule AppliedTo does not allow IPBlock field properties: podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object namespaceSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object group: type: string serviceAccount: type: object properties: name: type: string namespace: type: string required: - name - namespace service: type: object properties: name: type: string namespace: type: string required: - name - namespace # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values action: type: string enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] ports: type: array items: type: object properties: protocol: type: string enum: [ 'TCP', 'UDP', 'SCTP' ] port: x-kubernetes-int-or-string: true endPort: type: integer sourcePort: type: integer sourceEndPort: type: integer protocols: type: array items: type: object oneOf: - required: [ icmp ] - required: [ igmp ] properties: icmp: type: object properties: icmpType: type: integer minimum: 0 maximum: 255 icmpCode: type: integer minimum: 0 maximum: 255 igmp: type: object properties: igmpType: type: integer # Only IGMP query (0x11) is valid igmpType in ingress rules. enum: [ 0x11 ] groupAddress: type: string oneOf: - format: ipv4 - format: ipv6 l7Protocols: type: array items: type: object oneOf: - required: [ http ] - required: [ tls ] properties: http: type: object properties: host: type: string method: type: string enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] path: type: string tls: type: object properties: sni: type: string from: type: array items: type: object properties: podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object namespaceSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object namespaces: type: object maxProperties: 1 minProperties: 1 properties: match: type: string enum: - Self sameLabels: type: array items: type: string ipBlock: type: object properties: cidr: type: string format: cidr except: type: array items: type: string format: cidr group: type: string serviceAccount: type: object properties: name: type: string namespace: type: string required: - name - namespace nodeSelector: type: object properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: array type: object type: array matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object scope: type: string enum: [ 'Cluster', 'ClusterSet' ] name: type: string enableLogging: type: boolean logLabel: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" egress: type: array items: type: object required: - action properties: appliedTo: type: array items: type: object # Ensure that rule AppliedTo does not allow IPBlock field properties: podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object namespaceSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object group: type: string serviceAccount: type: object properties: name: type: string namespace: type: string required: - name - namespace # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values action: type: string enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] ports: type: array items: type: object properties: protocol: type: string enum: [ 'TCP', 'UDP', 'SCTP' ] port: x-kubernetes-int-or-string: true endPort: type: integer sourcePort: type: integer sourceEndPort: type: integer protocols: type: array items: type: object oneOf: - required: [ icmp ] - required: [ igmp ] properties: icmp: type: object properties: icmpType: type: integer minimum: 0 maximum: 255 icmpCode: type: integer minimum: 0 maximum: 255 igmp: type: object properties: igmpType: type: integer # Only IGMP reports are igmpType in egress rules, # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3. # It will match all IGMP report types if igmpType is not set. enum: [ 0x12, 0x16, 0x22 ] groupAddress: type: string oneOf: - format: ipv4 - format: ipv6 l7Protocols: type: array items: type: object oneOf: - required: [ http ] - required: [ tls ] properties: http: type: object properties: host: type: string method: type: string enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] path: type: string tls: type: object properties: sni: type: string to: type: array items: type: object properties: podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object namespaceSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object namespaces: type: object maxProperties: 1 minProperties: 1 properties: match: type: string enum: - Self sameLabels: type: array items: type: string ipBlock: type: object properties: cidr: type: string format: cidr except: type: array items: type: string format: cidr group: type: string fqdn: type: string serviceAccount: type: object properties: name: type: string namespace: type: string required: - name - namespace nodeSelector: type: object properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: array type: object type: array matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object toServices: type: array items: type: object required: - name - namespace properties: name: type: string namespace: type: string scope: type: string enum: [ 'Cluster', 'ClusterSet' ] name: type: string enableLogging: type: boolean logLabel: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" status: type: object properties: phase: type: string observedGeneration: type: integer currentNodesRealized: type: integer desiredNodesRealized: type: integer conditions: type: array items: type: object properties: type: type: string status: type: string lastTransitionTime: type: string reason: type: string message: type: string subresources: status: { } scope: Cluster names: plural: clusternetworkpolicies singular: clusternetworkpolicy kind: ClusterNetworkPolicy shortNames: - acnp --- # Source: antrea/crds/egress.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: egresses.crd.antrea.io labels: app: antrea spec: group: crd.antrea.io versions: - name: v1beta1 served: true storage: true schema: openAPIV3Schema: type: object required: - spec properties: spec: type: object required: - appliedTo oneOf: - anyOf: - required: - egressIP - required: - externalIPPool - anyOf: - required: - egressIPs - required: - externalIPPools properties: appliedTo: type: object properties: podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: type: object additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" namespaceSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: type: object additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" egressIP: type: string oneOf: - format: ipv4 - format: ipv6 egressIPs: type: array items: type: string oneOf: - maxLength: 0 - format: ipv4 - format: ipv6 externalIPPool: type: string externalIPPools: type: array items: type: string bandwidth: type: object required: - rate - burst properties: rate: type: string burst: type: string status: type: object properties: egressNode: type: string egressIP: type: string conditions: type: array items: type: object properties: type: type: string status: type: string lastTransitionTime: type: string reason: type: string message: type: string additionalPrinterColumns: - description: The effective SNAT IP address for the selected workloads. jsonPath: .status.egressIP name: EgressIP type: string - jsonPath: .metadata.creationTimestamp name: Age type: date - description: The Owner Node of egress IP jsonPath: .status.egressNode name: Node type: string subresources: status: {} scope: Cluster names: plural: egresses singular: egress kind: Egress shortNames: - eg --- # Source: antrea/crds/externalentity.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: externalentities.crd.antrea.io labels: app: antrea spec: group: crd.antrea.io versions: - name: v1alpha2 served: true storage: true schema: openAPIV3Schema: type: object properties: spec: type: object properties: endpoints: type: array items: type: object properties: ip: type: string oneOf: - format: ipv4 - format: ipv6 name: type: string ports: type: array items: type: object properties: protocol: type: string enum: ['TCP', 'UDP', 'SCTP'] port: x-kubernetes-int-or-string: true name: type: string externalNode: type: string scope: Namespaced names: plural: externalentities singular: externalentity kind: ExternalEntity shortNames: - ee --- # Source: antrea/crds/externalippool.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: externalippools.crd.antrea.io labels: app: antrea spec: group: crd.antrea.io versions: - name: v1beta1 served: true storage: true schema: openAPIV3Schema: type: object required: - spec properties: spec: type: object required: - ipRanges - nodeSelector properties: ipRanges: type: array items: type: object oneOf: - required: - cidr - required: - start - end properties: cidr: type: string format: cidr start: type: string oneOf: - format: ipv4 - format: ipv6 end: type: string oneOf: - format: ipv4 - format: ipv6 subnetInfo: type: object required: - gateway - prefixLength properties: gateway: type: string oneOf: - format: ipv4 - format: ipv6 prefixLength: type: integer minimum: 1 maximum: 127 vlan: type: integer minimum: 0 maximum: 4094 nodeSelector: type: object properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: array type: object type: array matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object status: type: object properties: usage: type: object properties: total: type: integer used: type: integer additionalPrinterColumns: - description: The number of total IPs jsonPath: .status.usage.total name: Total type: integer - description: The number of allocated IPs jsonPath: .status.usage.used name: Used type: integer - jsonPath: .metadata.creationTimestamp name: Age type: date subresources: status: { } scope: Cluster names: plural: externalippools singular: externalippool kind: ExternalIPPool shortNames: - eip --- # Source: antrea/crds/externalnode.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: labels: app: antrea name: externalnodes.crd.antrea.io spec: group: crd.antrea.io versions: - name: v1alpha1 schema: openAPIV3Schema: type: object required: - spec properties: spec: type: object required: - interfaces properties: interfaces: type: array minItems: 1 maxItems: 1 required: - ips items: type: object properties: ips: type: array minItems: 1 items: type: string oneOf: - format: ipv4 - format: ipv6 name: type: string served: true storage: true scope: Namespaced names: plural: externalnodes singular: externalnode kind: ExternalNode shortNames: - en --- # Source: antrea/crds/flowexporterdestination.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: flowexporterdestinations.crd.antrea.io labels: app: antrea spec: group: crd.antrea.io versions: - name: v1alpha1 served: true storage: true additionalPrinterColumns: - name: Address:Port type: string description: Address of flow collector. jsonPath: .spec.address schema: openAPIV3Schema: type: object required: - spec properties: spec: type: object required: - address - protocol properties: address: type: string description: > The flow collector address including port as a string. Example: - flow-aggregator/flow-aggregator:14739 - 10.244.10.10:4739 pattern: ^.+:[0-9]+$ protocol: type: object description: > The protocol used to send flow details. Exactly one must be defined and non-nil. oneOf: - required: [ipfix] - required: [grpc] properties: ipfix: type: object description: Configuration for using IPFIX protocol. required: - transport properties: transport: type: string enum: - tcp - udp - tls grpc: type: object description: Configuration for using gRPC protocol. filter: type: object properties: protocols: type: array description: > Filter for only flows whose protocol which match this filter. The default is accept all protocols if unset or nil. Supported values are [tcp, udp, sctp]. items: type: string enum: - tcp - udp - sctp activeFlowExportTimeoutSeconds: type: integer format: int32 description: > Provide the active flow export timeout in seconds, which is the timeout after which a flow record is sent to the collector for active flows. Thus, for flows with a continuous stream of packets, a flow record will be exported to the collector once the elapsed time since the last export event is equal to the value of this timeout. minimum: 1 default: 5 idleFlowExportTimeoutSeconds: type: integer format: int32 description: > Provide the idle flow export timeout in seconds, which is the timeout after which a flow record is sent to the collector for idle flows. A flow is considered idle if no packet matching this flow has been observed since the last export event. minimum: 1 default: 15 tlsConfig: type: object required: - caConfigMap properties: minTLSVersion: type: string description: > minTLSVersion specifies which version of TLS the client should accept from the server. This defaults to VersionTLS12 if unspecified. enum: - VersionTLS12 - VersionTLS13 default: VersionTLS12 serverName: type: string description: > serverName is used to verify the hostname on the returned certificate. If specified it will be included in the client's handshake (SNI) to support virtual hosting unless it is an IP address. If this field is omitted, the hostname used for certificate verification will default to the provided server address (spec.address). minLength: 1 caConfigMap: type: object description: > Specify the location of the ConfigMap containing the CA certificate used to authenticate the collector service. The ConfigMap must store the certificate under the key 'ca.crt'. To ensure flow exporter will have access to this resource it must be granted the proper RBAC permissions. required: - namespace - name properties: namespace: type: string description: Namespace of the ConfigMap containing the CA certificate. minLength: 1 name: type: string description: Name of the ConfigMap containing the CA certificate. minLength: 1 clientSecret: type: object description: > Specify the location of the Secret containing the client certificate and private key for mTLS. The Secret must contain the keys 'tls.crt' and 'tls.key'. If omitted, client authentication will be disabled. To ensure flow exporter will have access to this resource it must be granted the proper RBAC permissions. required: - namespace - name properties: namespace: type: string description: Namespace of the Secret containing the client certificate/key. minLength: 1 name: type: string description: Name of the Secret containing the client certificate/key. minLength: 1 scope: Cluster names: plural: flowexporterdestinations singular: flowexporterdestination kind: FlowExporterDestination shortNames: - flowexporterdest --- # Source: antrea/crds/group.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: groups.crd.antrea.io spec: group: crd.antrea.io versions: - name: v1beta1 served: true storage: true schema: openAPIV3Schema: type: object properties: spec: type: object properties: childGroups: type: array items: type: string podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string matchLabels: x-kubernetes-preserve-unknown-fields: true namespaceSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string matchLabels: x-kubernetes-preserve-unknown-fields: true externalEntitySelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string matchLabels: x-kubernetes-preserve-unknown-fields: true ipBlocks: type: array items: type: object properties: cidr: type: string format: cidr except: type: array items: type: string format: cidr serviceReference: type: object properties: name: type: string namespace: type: string status: type: object properties: conditions: type: array items: type: object properties: type: type: string status: type: string lastTransitionTime: type: string subresources: status: { } scope: Namespaced names: plural: groups singular: group kind: Group shortNames: - grp --- # Source: antrea/crds/ippool.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: ippools.crd.antrea.io labels: app: antrea served-by: antrea-controller spec: group: crd.antrea.io versions: - name: v1alpha2 served: true storage: false deprecated: true deprecationWarning: "crd.antrea.io/v1alpha2 IPPool is deprecated; use crd.antrea.io/v1beta1 IPPool" schema: openAPIV3Schema: type: object required: - spec properties: spec: required: - ipVersion - ipRanges type: object properties: ipVersion: type: integer enum: [ 4, 6 ] ipRanges: items: oneOf: - required: - cidr - gateway - prefixLength - required: - start - end - gateway - prefixLength properties: cidr: format: cidr type: string start: oneOf: - format: ipv4 - format: ipv6 type: string end: oneOf: - format: ipv4 - format: ipv6 type: string gateway: oneOf: - format: ipv4 - format: ipv6 type: string prefixLength: type: integer minimum: 1 maximum: 128 vlan: type: integer minimum: 0 maximum: 4094 type: object type: array status: properties: ipAddresses: items: properties: ipAddress: type: string owner: properties: pod: properties: name: type: string namespace: type: string containerID: type: string ifName: type: string type: object statefulSet: properties: name: type: string namespace: type: string index: type: integer type: object type: object phase: type: string type: object type: array usage: properties: used: type: integer total: type: integer type: object type: object additionalPrinterColumns: - description: The number of total IPs jsonPath: .status.usage.total name: Total type: integer - description: The number of allocated IPs jsonPath: .status.usage.used name: Used type: integer - jsonPath: .metadata.creationTimestamp name: Age type: date subresources: status: {} - name: v1beta1 served: true storage: true schema: openAPIV3Schema: type: object required: - spec properties: spec: required: - ipRanges - subnetInfo type: object properties: ipRanges: items: oneOf: - required: - cidr - required: - start - end properties: cidr: format: cidr type: string start: oneOf: - format: ipv4 - format: ipv6 type: string end: oneOf: - format: ipv4 - format: ipv6 type: string type: object type: array subnetInfo: type: object required: - gateway - prefixLength properties: gateway: type: string oneOf: - format: ipv4 - format: ipv6 x-kubernetes-validations: - message: gateway is immutable rule: self == oldSelf prefixLength: type: integer x-kubernetes-validations: - message: prefixLength is immutable rule: self == oldSelf minimum: 1 maximum: 127 vlan: type: integer minimum: 0 maximum: 4094 status: properties: ipAddresses: items: properties: ipAddress: type: string owner: properties: pod: properties: name: type: string namespace: type: string containerID: type: string ifName: type: string type: object statefulSet: properties: name: type: string namespace: type: string index: type: integer type: object type: object phase: type: string type: object type: array usage: properties: used: type: integer total: type: integer type: object type: object additionalPrinterColumns: - description: The number of total IPs jsonPath: .status.usage.total name: Total type: integer - description: The number of allocated IPs jsonPath: .status.usage.used name: Used type: integer - jsonPath: .metadata.creationTimestamp name: Age type: date subresources: status: {} conversion: strategy: Webhook webhook: conversionReviewVersions: ["v1", "v1beta1"] clientConfig: service: name: "antrea" namespace: "kube-system" path: "/convert/ippool" scope: Cluster names: plural: ippools singular: ippool kind: IPPool shortNames: - ipp --- # Source: antrea/crds/networkpolicy.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: networkpolicies.crd.antrea.io labels: app: antrea spec: group: crd.antrea.io versions: - name: v1beta1 served: true storage: true additionalPrinterColumns: - name: Tier type: string description: The Tier to which this Antrea NetworkPolicy belongs to. jsonPath: .spec.tier - name: Priority type: number format: float description: The Priority of this Antrea NetworkPolicy relative to other policies. jsonPath: .spec.priority - name: Desired Nodes type: number format: int32 description: The total number of Nodes that should realize the NetworkPolicy. jsonPath: .status.desiredNodesRealized - name: Current Nodes type: number format: int32 description: The number of Nodes that have realized the NetworkPolicy. jsonPath: .status.currentNodesRealized - name: Age type: date jsonPath: .metadata.creationTimestamp schema: openAPIV3Schema: type: object properties: spec: # Ensure that Spec.Priority field is set required: - priority type: object properties: tier: type: string priority: type: number format: float # Ensure that Spec.Priority field is between 1 and 10000 minimum: 1.0 maximum: 10000.0 appliedTo: type: array items: type: object # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field properties: externalEntitySelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object group: type: string ingress: type: array items: type: object required: - action properties: appliedTo: type: array items: type: object # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field properties: podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object group: type: string # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values action: type: string enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] ports: type: array items: type: object properties: protocol: type: string enum: [ 'TCP', 'UDP', 'SCTP' ] port: x-kubernetes-int-or-string: true endPort: type: integer sourcePort: type: integer sourceEndPort: type: integer protocols: type: array items: type: object oneOf: - required: [ icmp ] - required: [ igmp ] properties: icmp: type: object properties: icmpType: type: integer minimum: 0 maximum: 255 icmpCode: type: integer minimum: 0 maximum: 255 igmp: type: object properties: igmpType: type: integer # Only IGMP query (0x11) is valid igmpType in ingress rules. enum: [ 0x11 ] groupAddress: type: string oneOf: - format: ipv4 - format: ipv6 l7Protocols: type: array items: type: object oneOf: - required: [ http ] - required: [ tls ] properties: http: type: object properties: host: type: string method: type: string enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] path: type: string tls: type: object properties: sni: type: string from: type: array items: type: object properties: podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object namespaceSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object externalEntitySelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object ipBlock: type: object properties: cidr: type: string format: cidr except: type: array items: type: string format: cidr nodeSelector: type: object properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: array type: object type: array matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object group: type: string scope: type: string enum: [ 'Cluster', 'ClusterSet' ] name: type: string enableLogging: type: boolean logLabel: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" egress: type: array items: type: object required: - action properties: appliedTo: type: array items: type: object # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field properties: podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object group: type: string # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values action: type: string enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] ports: type: array items: type: object properties: protocol: type: string enum: [ 'TCP', 'UDP', 'SCTP' ] port: x-kubernetes-int-or-string: true endPort: type: integer sourcePort: type: integer sourceEndPort: type: integer protocols: type: array items: type: object oneOf: - required: [ icmp ] - required: [ igmp ] properties: icmp: type: object properties: icmpType: type: integer minimum: 0 maximum: 255 icmpCode: type: integer minimum: 0 maximum: 255 igmp: type: object properties: igmpType: type: integer # Only IGMP reports are igmpType in egress rules, # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3. # It will match all IGMP report types if igmpType is not set. enum: [ 0x12, 0x16, 0x22 ] groupAddress: type: string oneOf: - format: ipv4 - format: ipv6 l7Protocols: type: array items: type: object oneOf: - required: [ http ] - required: [ tls ] properties: http: type: object properties: host: type: string method: type: string enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] path: type: string tls: type: object properties: sni: type: string to: type: array items: type: object properties: podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object namespaceSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object externalEntitySelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object ipBlock: type: object properties: cidr: type: string format: cidr except: type: array items: type: string format: cidr fqdn: type: string nodeSelector: type: object properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: array type: object type: array matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object group: type: string toServices: type: array items: type: object required: - name properties: name: type: string namespace: type: string scope: type: string name: type: string enableLogging: type: boolean logLabel: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" status: type: object properties: phase: type: string observedGeneration: type: integer currentNodesRealized: type: integer desiredNodesRealized: type: integer conditions: type: array items: type: object properties: type: type: string status: type: string lastTransitionTime: type: string reason: type: string message: type: string subresources: status: { } scope: Namespaced names: plural: networkpolicies singular: networkpolicy kind: NetworkPolicy shortNames: - annp # Deprecated shortName and shall be removed in Antrea v1.14.0 - anp --- # Source: antrea/crds/nodelatencymonitor.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: nodelatencymonitors.crd.antrea.io spec: group: crd.antrea.io versions: - name: v1alpha1 served: true storage: true schema: openAPIV3Schema: type: object required: - spec properties: spec: type: object required: - pingIntervalSeconds properties: pingIntervalSeconds: type: integer format: int32 minimum: 1 description: "Ping interval in seconds, must be at least 1." default: 60 metadata: type: object properties: name: type: string pattern: '^default$' additionalPrinterColumns: - description: Specifies the interval between pings. jsonPath: .spec.pingIntervalSeconds name: PingIntervalSeconds type: string - jsonPath: .metadata.creationTimestamp name: Age type: date scope: Cluster names: plural: nodelatencymonitors singular: nodelatencymonitor kind: NodeLatencyMonitor shortNames: - nlm --- # Source: antrea/crds/packetcapture.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: packetcaptures.crd.antrea.io labels: app: antrea spec: group: crd.antrea.io versions: - name: v1alpha1 served: true storage: true additionalPrinterColumns: - jsonPath: .spec.source.pod description: The name of the source Pod. name: Source-Pod type: string priority: 10 - jsonPath: .spec.destination.pod description: The name of the destination Pod. name: Destination-Pod type: string priority: 10 - jsonPath: .spec.source.ip description: The IP address of the source. name: Source-IP type: string priority: 10 - jsonPath: .spec.destination.ip description: The IP address of the destination. name: Destination-IP type: string priority: 10 - jsonPath: .spec.timeout description: Timeout in seconds. name: Timeout type: integer priority: 10 - jsonPath: .metadata.creationTimestamp name: Age type: date - jsonPath: .status.numberCaptured description: Number of packets captured so far. name: Captured-Packets type: integer - jsonPath: .status.conditions[?(@.type=="PacketCaptureStarted")].status description: Whether the capture has been started. name: Started type: string - jsonPath: .status.conditions[?(@.type=="PacketCaptureComplete")].status description: Whether the capture has completed. name: Complete type: string - jsonPath: .status.conditions[?(@.type=="PacketCaptureFileUploaded")].status description: Whether the capture file has been uploaded to the file server. name: Uploaded type: string priority: 10 schema: openAPIV3Schema: type: object required: - spec properties: spec: type: object required: - captureConfig x-kubernetes-validations: - rule: "has(self.source.pod) || has(self.destination.pod)" message: "At least one of source.pod or destination.pod must be specified." - rule: "!(has(self.capturePoint) && self.capturePoint == 'Source') || has(self.source.pod)" message: "source.pod must be set when capturePoint is 'Source'" - rule: "!(has(self.capturePoint) && self.capturePoint == 'Destination') || has(self.destination.pod)" message: "destination.pod must be set when capturePoint is 'Destination'" properties: source: type: object x-kubernetes-validations: - rule: "!(has(self.pod) && has(self.ip))" message: "At most one of 'pod' or 'ip' may be set" properties: pod: type: object required: - name properties: namespace: type: string default: default name: type: string ip: type: string oneOf: - format: ipv4 - format: ipv6 destination: type: object x-kubernetes-validations: - rule: "!(has(self.pod) && has(self.ip))" message: "At most one of 'pod' or 'ip' may be set" properties: pod: type: object required: - name properties: namespace: type: string default: default name: type: string ip: type: string oneOf: - format: ipv4 - format: ipv6 packet: type: object properties: ipFamily: type: string enum: [IPv4, IPv6] default: IPv4 protocol: x-kubernetes-int-or-string: true transportHeader: type: object properties: udp: type: object properties: srcPort: type: integer minimum: 1 maximum: 65535 dstPort: type: integer minimum: 1 maximum: 65535 tcp: type: object properties: srcPort: type: integer minimum: 1 maximum: 65535 dstPort: type: integer minimum: 1 maximum: 65535 flags: type: array items: type: object required: - value properties: value: type: integer minimum: 0 maximum: 255 mask: type: integer minimum: 0 maximum: 255 icmp: type: object properties: messages: type: array items: type: object required: - type properties: type: x-kubernetes-int-or-string: true code: type: integer minimum: 0 maximum: 255 icmpv6: type: object properties: messages: type: array items: type: object required: - type properties: type: x-kubernetes-int-or-string: true code: type: integer minimum: 0 maximum: 255 x-kubernetes-validations: - rule: "(has(self.icmp) ? 1 : 0) + (has(self.icmpv6) ? 1 : 0) + (has(self.udp) ? 1 : 0) + (has(self.tcp) ? 1: 0) <= 1" message: "At most one of 'ICMP', 'ICMPv6', 'UDP', or 'TCP' may be set" direction: type: string enum: ["SourceToDestination", "DestinationToSource", "Both"] default: "SourceToDestination" capturePoint: type: string enum: ["Source", "Destination"] timeout: type: integer minimum: 1 maximum: 300 default: 60 captureConfig: type: object oneOf: - required: - firstN properties: firstN: type: object required: - number properties: number: type: integer format: int32 fileServer: type: object properties: url: type: string pattern: 'sftp:\/\/[\w-_./]+:\d+' hostPublicKey: type: string format: byte status: type: object properties: numberCaptured: type: integer filePath: type: string conditions: type: array items: type: object properties: type: type: string status: type: string lastTransitionTime: type: string reason: type: string message: type: string subresources: status: {} scope: Cluster names: plural: packetcaptures singular: packetcapture kind: PacketCapture shortNames: - pcap --- # Source: antrea/crds/supportbundlecollection.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: supportbundlecollections.crd.antrea.io spec: group: crd.antrea.io versions: - name: v1alpha1 served: true storage: true schema: openAPIV3Schema: type: object properties: spec: type: object required: - fileServer - authentication anyOf: - required: - nodes - required: - externalNodes properties: nodes: type: object properties: nodeNames: type: array items: type: string nodeSelector: type: object properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true externalNodes: type: object required: - namespace properties: namespace: type: string nodeNames: type: array items: type: string nodeSelector: type: object properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true expirationMinutes: type: integer default: 60 sinceTime: type: string format: duration fileServer: type: object properties: url: type: string hostPublicKey: type: string format: byte authentication: type: object properties: authType: type: string enum: ["BearerToken", "APIKey", "BasicAuthentication"] authSecret: type: object properties: name: type: string namespace: type: string status: type: object properties: collectedNodes: type: integer desiredNodes: type: integer conditions: type: array items: type: object properties: type: type: string status: type: string lastTransitionTime: type: string reason: type: string message: type: string subresources: status: {} scope: Cluster names: plural: supportbundlecollections singular: supportbundlecollection kind: SupportBundleCollection shortNames: - sbc --- # Source: antrea/crds/tier.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: tiers.crd.antrea.io labels: app: antrea spec: group: crd.antrea.io versions: - name: v1beta1 served: true storage: true additionalPrinterColumns: - name: Priority type: integer description: The Priority of this Tier relative to other Tiers. jsonPath: .spec.priority - name: Age type: date jsonPath: .metadata.creationTimestamp schema: openAPIV3Schema: type: object properties: spec: required: - priority type: object properties: priority: type: integer minimum: 0 maximum: 255 description: type: string scope: Cluster names: plural: tiers singular: tier kind: Tier shortNames: - tr --- # Source: antrea/crds/traceflow.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: traceflows.crd.antrea.io labels: app: antrea spec: group: crd.antrea.io versions: - name: v1beta1 served: true storage: true additionalPrinterColumns: - jsonPath: .status.phase description: The phase of the Traceflow. name: Phase type: string - jsonPath: .spec.source.pod description: The name of the source Pod. name: Source-Pod type: string priority: 10 - jsonPath: .spec.destination.pod description: The name of the destination Pod. name: Destination-Pod type: string priority: 10 - jsonPath: .spec.destination.ip description: The IP address of the destination. name: Destination-IP type: string priority: 10 - jsonPath: .spec.liveTraffic description: Trace live traffic. name: Live-Traffic type: boolean priority: 10 - jsonPath: .spec.droppedOnly description: Capture only the dropped packet. name: Dropped-Only type: boolean priority: 10 - jsonPath: .spec.timeout description: Timeout in seconds. name: Timeout type: integer priority: 10 - jsonPath: .metadata.creationTimestamp name: Age type: date schema: openAPIV3Schema: type: object required: - spec properties: spec: type: object properties: source: type: object properties: pod: type: string namespace: type: string ip: type: string oneOf: - format: ipv4 - format: ipv6 destination: type: object properties: pod: type: string service: type: string namespace: type: string ip: type: string oneOf: - format: ipv4 - format: ipv6 packet: type: object properties: ipHeader: type: object properties: protocol: type: integer minimum: 0 maximum: 255 ttl: type: integer minimum: 0 maximum: 255 flags: type: integer minimum: 0 maximum: 7 ipv6Header: type: object properties: nextHeader: type: integer minimum: 0 maximum: 65535 hopLimit: type: integer minimum: 0 maximum: 65535 transportHeader: type: object properties: icmp: type: object properties: id: type: integer minimum: 0 maximum: 65535 sequence: type: integer minimum: 0 maximum: 65535 udp: type: object properties: srcPort: type: integer minimum: 1 maximum: 65535 dstPort: type: integer minimum: 1 maximum: 65535 tcp: type: object properties: srcPort: type: integer minimum: 1 maximum: 65535 dstPort: type: integer minimum: 1 maximum: 65535 flags: type: integer minimum: 0 maximum: 255 liveTraffic: type: boolean droppedOnly: type: boolean timeout: type: integer minimum: 1 maximum: 300 status: type: object properties: reason: type: string dataplaneTag: type: integer phase: type: string startTime: type: string results: type: array items: type: object properties: node: type: string role: type: string timestamp: type: integer observations: type: array items: type: object properties: component: type: string componentInfo: type: string action: type: string pod: type: string dstMAC: type: string networkPolicy: type: string networkPolicyRule: type: string ttl: type: integer minimum: 0 maximum: 255 translatedSrcIP: type: string translatedDstIP: type: string tunnelDstIP: type: string egressIP: type: string egress: type: string egressNode: type: string srcPodIP: type: string capturedPacket: properties: srcIP: type: string dstIP: type: string length: type: integer minimum: 0 maximum: 65535 ipHeader: properties: flags: type: integer minimum: 0 maximum: 7 protocol: type: integer minimum: 0 maximum: 255 ttl: type: integer minimum: 0 maximum: 255 type: object ipv6Header: properties: hopLimit: type: integer minimum: 0 maximum: 65535 nextHeader: type: integer minimum: 0 maximum: 65535 type: object transportHeader: properties: tcp: properties: dstPort: type: integer minimum: 1 maximum: 65535 srcPort: type: integer minimum: 1 maximum: 65535 flags: type: integer minimum: 0 maximum: 255 type: object udp: properties: dstPort: type: integer minimum: 1 maximum: 65535 srcPort: type: integer minimum: 1 maximum: 65535 type: object icmp: properties: id: type: integer minimum: 0 maximum: 65535 sequence: type: integer minimum: 0 maximum: 65535 type: object type: object type: object subresources: status: {} scope: Cluster names: plural: traceflows singular: traceflow kind: Traceflow shortNames: - tf --- # Source: antrea/crds/trafficcontrol.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: trafficcontrols.crd.antrea.io spec: group: crd.antrea.io versions: - name: v1alpha2 served: true storage: true schema: openAPIV3Schema: type: object required: - spec properties: spec: type: object required: - appliedTo - direction - action - targetPort properties: appliedTo: type: object properties: podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: x-kubernetes-preserve-unknown-fields: true namespaceSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: x-kubernetes-preserve-unknown-fields: true direction: type: string enum: - Ingress - Egress - Both action: type: string enum: - Mirror - Redirect targetPort: type: object oneOf: - required: [ovsInternal] - required: [device] - required: [geneve] - required: [vxlan] - required: [gre] - required: [erspan] properties: ovsInternal: type: object required: - name properties: name: type: string device: type: object required: - name properties: name: type: string geneve: type: object required: - remoteIP properties: remoteIP: type: string oneOf: - format: ipv4 - format: ipv6 vni: type: integer minimum: 0 maximum: 16777215 destinationPort: type: integer minimum: 1 maximum: 65535 vxlan: type: object required: - remoteIP properties: remoteIP: type: string oneOf: - format: ipv4 - format: ipv6 vni: type: integer minimum: 0 maximum: 16777215 destinationPort: type: integer minimum: 1 maximum: 65535 gre: type: object required: - remoteIP properties: remoteIP: type: string oneOf: - format: ipv4 - format: ipv6 key: type: integer minimum: 0 maximum: 4294967295 erspan: type: object required: - remoteIP - version properties: remoteIP: type: string oneOf: - format: ipv4 - format: ipv6 sessionID: type: integer minimum: 0 maximum: 1023 version: type: integer enum: - 1 - 2 index: type: integer dir: type: integer enum: - 0 - 1 hardwareID: type: integer returnPort: type: object oneOf: - required: [ovsInternal] - required: [device] - required: [geneve] - required: [vxlan] - required: [gre] properties: ovsInternal: type: object required: - name properties: name: type: string device: type: object required: - name properties: name: type: string geneve: type: object required: - remoteIP properties: remoteIP: type: string oneOf: - format: ipv4 - format: ipv6 vni: type: integer minimum: 0 maximum: 16777215 destinationPort: type: integer minimum: 1 maximum: 65535 vxlan: type: object required: - remoteIP properties: remoteIP: type: string oneOf: - format: ipv4 - format: ipv6 vni: type: integer minimum: 0 maximum: 16777215 destinationPort: type: integer minimum: 1 maximum: 65535 gre: type: object required: - remoteIP properties: remoteIP: type: string oneOf: - format: ipv4 - format: ipv6 key: type: integer minimum: 0 maximum: 4294967295 additionalPrinterColumns: - description: Specifies the direction of traffic that should be matched. jsonPath: .spec.direction name: Direction type: string - description: Specifies the action that should be taken for the traffic. jsonPath: .spec.action name: Action type: string - jsonPath: .metadata.creationTimestamp name: Age type: date subresources: status: {} scope: Cluster names: plural: trafficcontrols singular: trafficcontrol kind: TrafficControl shortNames: - tc --- # Source: antrea/templates/agent/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: antrea-agent namespace: kube-system labels: app: antrea --- # Source: antrea/templates/antctl/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: antctl namespace: kube-system labels: app: antrea --- # Source: antrea/templates/controller/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: antrea-controller namespace: kube-system labels: app: antrea --- # Source: antrea/templates/agent/secret.yaml apiVersion: v1 kind: Secret metadata: name: antrea-agent-service-account-token namespace: kube-system annotations: kubernetes.io/service-account.name: antrea-agent type: kubernetes.io/service-account-token --- # Source: antrea/templates/antctl/secret.yaml apiVersion: v1 kind: Secret metadata: name: antctl-service-account-token namespace: kube-system annotations: kubernetes.io/service-account.name: antctl type: kubernetes.io/service-account-token --- # Source: antrea/templates/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: antrea-config namespace: kube-system labels: app: antrea data: antrea-agent.conf: | # FeatureGates is a map of feature names to bools that enable or disable experimental features. featureGates: # AllAlpha is a global toggle for alpha features. Per-feature key values override the default set by AllAlpha. # AllAlpha: false # AllBeta is a global toggle for beta features. Per-feature key values override the default set by AllBeta. # AllBeta: false # Enable PreferSameTrafficDistribution so that AntreaProxy can honor the Service's trafficDistribution settings # (PreferSameZone / PreferSameNode) when selecting backend Pods. # PreferSameTrafficDistribution: false # Enable support for cleaning up stale UDP Service conntrack connections in AntreaProxy. This requires AntreaProxy to # be enabled, otherwise this flag will not take effect. # CleanupStaleUDPSvcConntrack: true # Enable Traceflow which provides packet tracing feature to diagnose network issue. # Traceflow: true # Enable PacketCapture feature which supports capturing packets to diagnose network issues. # PacketCapture: false # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy # feature that supports priorities, rule actions and externalEntities in the future. # AntreaPolicy: true # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each # agent to a configured collector. # FlowExporter: false # Enable collecting and exposing NetworkPolicy statistics. # NetworkPolicyStats: true # Enable controlling SNAT IPs of Pod egress traffic. # Egress: true # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for # IPAM when configuring secondary network interfaces with Multus. # AntreaIPAM: false # Enable multicast traffic. # Multicast: true # Enable Antrea Multi-cluster features. # Multicluster: false # Enable support for provisioning secondary network interfaces for Pods (using # Pod annotations). At the moment, Antrea can create secondary network # interfaces either using SR-IOV VFs on bare-metal Nodes or veth interfaces # bridged to the underlay network, with or without VLAN tagging. # SecondaryNetwork: false # Enable managing external IPs of Services of LoadBalancer type. # ServiceExternalIP: true # Enable mirroring or redirecting the traffic Pods send or receive. # TrafficControl: false # Enable certificate-based authentication for IPSec tunnel. # IPsecCertAuth: false # Enable collecting support bundle files with SupportBundleCollection CRD. # SupportBundleCollection: false # Enable users to protect their applications by specifying how they are allowed to communicate with others, taking # into account application context. # L7NetworkPolicy: false # Allow users to specify the load balancer mode as DSR (Direct Server Return). # LoadBalancerModeDSR: false # Enable Egress traffic shaping. # EgressTrafficShaping: false # Allow users to allocate Egress IPs from a different subnet from the default Node subnet. # EgressSeparateSubnet: true # Allow users to apply ClusterNetworkPolicy to Kubernetes Nodes. # NodeNetworkPolicy: false # Enable NodeLatencyMonitor to monitor the latency between Nodes. # NodeLatencyMonitor: false # Allow users to initiate BGP process on selected Kubernetes Nodes and advertise Service IPs, Pod IPs and Egress IPs to # remote BGP peers. # BGPPolicy: false # Enable Antrea to use nftables instead of iptables to enforce netfilter rules in the Node's host network for the # functionalities and features that rely on netfilter. Currently, nftables support is limited to the following features: # - AntreaProxy (proxyAll) # NFTablesHostNetworkMode: false # Name of the OpenVSwitch bridge antrea-agent will create and use. # Make sure it doesn't conflict with your existing OpenVSwitch bridges. ovsBridge: "br-int" # Datapath type to use for the OpenVSwitch bridge created by Antrea. At the moment, the only # supported value is 'system', which corresponds to the kernel datapath. #ovsDatapathType: system # Name of the interface antrea-agent will create and use for host <--> pod communication. # Make sure it doesn't conflict with your existing interfaces. hostGateway: "antrea-gw0" # Determines how traffic is encapsulated. It has the following options: # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network # traffic is SNAT'd. # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is # SNAT'd if noSNAT is not set to true. Underlying network must be capable of # supporting Pod traffic across IP subnets. # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod # IPAM and connectivity to the primary CNI. # trafficEncapMode: "encap" # The aggregated cluster-wide Pod CIDRs (not the per-Node Pod CIDRs). # This field is applicable only in networkPolicyOnly mode and ignored in other traffic modes. It can be left empty, # but it is recommended to specify the correct Pod CIDRs string, as Traceflow may not work correctly for inter-Node # Pod-to-Pod traffic otherwise. # Example: "10.10.0.0/16" for IPv4-only, or "10.10.0.0/16,fd00::/12" for dual-stack. podCIDRs: "" # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never # performs SNAT and this option will be ignored; for other modes it must be set to false. noSNAT: false # Fully randomize source port mapping in SNAT rules used for egress traffic from Pods to the # external network. snatFullyRandomPorts: false # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, # this option will not take effect. Supported values: # - geneve (default) # - vxlan # - gre # - stt # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). tunnelType: "geneve" # TunnelPort is the destination port for UDP and TCP based tunnel protocols (Geneve, VXLAN, and STT). # If zero, it will use the assigned IANA port for the protocol, i.e. 6081 for Geneve, 4789 for VXLAN, # and 7471 for STT. tunnelPort: 0 # TunnelCsum determines whether to compute UDP encapsulation header (Geneve or VXLAN) checksums on outgoing # packets. For Linux kernel before Mar 2021, UDP checksum must be present to trigger GRO on the receiver for better # performance of Geneve and VXLAN tunnels. The issue has been fixed by # https://github.com/torvalds/linux/commit/89e5c58fc1e2857ccdaae506fb8bc5fed57ee063, thus computing UDP checksum is # no longer necessary. # It should only be set to true when you are using an unpatched Linux kernel and observing poor transfer performance. tunnelCsum: false # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. # It has the following options: # - none (default): Inter-node Pod traffic will not be encrypted. # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, # the PSK value must be passed to Antrea Agent through an environment # variable: ANTREA_IPSEC_PSK. # - wireGuard: Enable WireGuard for tunnel traffic encryption. trafficEncryptionMode: "none" # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the # underlay network. # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. enableBridgingMode: false # Disable TX checksum offloading for container network interfaces and the host gateway interface (default: # antrea-gw0). It's supposed to be set to true when the datapath doesn't support TX checksum offloading, # which causes packets to be dropped due to bad checksum. # If this option is later set to false, Antrea does nothing to the affected container network interfaces # and the host gateway interface. # This option affects Linux Nodes only. disableTXChecksumOffload: false # Default MTU to use for the host gateway interface and the network interface of each Pod. # If omitted, antrea-agent will discover the MTU of the Node's primary interface and # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). # If the MTU is updated, the new value will only be applied to new workloads. defaultMTU: 0 # packetInRate defines the OVS controller packet rate limits for different # features. All features will apply this rate-limit individually on packet-in # messages sent to antrea-agent. The number stands for the rate as packets per # second(pps) and the burst size will be automatically set to twice the rate. # When the rate and burst size are exceeded, new packets will be dropped. packetInRate: 5000 # wireGuard specifies WireGuard related configurations. wireGuard: # The port for WireGuard to receive traffic. port: 51820 egress: # exceptCIDRs is a list of CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses, e.g. # ["192.168.0.0/16", "172.16.0.0/12"]. exceptCIDRs: # The maximum number of Egress IPs that can be assigned to a Node. It's useful when the Node network restricts # the number of secondary IPs a Node can have, e.g. EKS. It must not be greater than 255. maxEgressIPsPerNode: 255 # Fully randomize source port mapping in Egress SNAT rules. This has no impact on the default SNAT # rules enforced by each Node for local Pod traffic. By default, we use the same value as for the # top-level snatFullyRandomPorts configuration, but this field can be used as an override. snatFullyRandomPorts: # Enable Egress VLAN sub-interfaces to use unique MAC addresses instead of # inheriting the parent interface’s MAC. Useful in cloud environments that require # unique MAC addresses per interface. uniqueMACForSubInterfaces: true # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. serviceCIDR: "" # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. # No default value for this field. serviceCIDRv6: "" # The port for the antrea-agent APIServer to serve on. # Note that if it's set to another value, the `containerPort` of the `api` port of the # `antrea-agent` container must be set to the same value. apiPort: 10350 # clusterPort is the server port used by the antrea-agent to run a gossip-based cluster # membership protocol. Currently it's used only when the Egress feature is enabled. # Defaults to 10351. clusterPort: 10351 # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. enablePrometheusMetrics: true flowExporter: # Enable FlowExporter, a feature used to export polled conntrack connections as # IPFIX flow records from each agent to a configured collector. To enable this # feature, you need to set "enable" to true, and ensure that the FlowExporter # feature gate is also enabled. enable: false # Provide the IPFIX collector address as a string with format :[][:]. # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be # wrapped with []. When the collector is running in-cluster as a Service, set # to /. For example, # "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea # Flow Aggregator Service. # If PORT is empty, we default to 4739. If no PROTO is given, we consider "tls" as default. # We support "grpc", "tls", "tcp" and "udp" protocols. "tls" is used for securing # communication between flow exporter and flow aggregator. When "grpc" is configured, # mTLS will always be used. flowCollectorAddr: "flow-aggregator/flow-aggregator:14739:grpc" # Provide flow poll interval as a duration string. This determines how often the # flow exporter dumps connections from the conntrack module. Flow poll interval # should be greater than or equal to 1s (one second). # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". flowPollInterval: "5s" # Provide the active flow export timeout, which is the timeout after which a flow # record is sent to the collector for active flows. Thus, for flows with a continuous # stream of packets, a flow record will be exported to the collector once the elapsed # time since the last export event is equal to the value of this timeout. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". activeFlowExportTimeout: "5s" # Provide the idle flow export timeout, which is the timeout after which a flow # record is sent to the collector for idle flows. A flow is considered idle if no # packet matching this flow has been observed since the last export event. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". idleFlowExportTimeout: "15s" # Provide the set of protocols to filter specific flows that will be # exported. Invalid protocols do not error and instead warnings are # logged on the antrea agent. By default the full set of supported # protocols are exported which are: # "tcp", "udp", "sctp" protocolFilter: nodePortLocal: # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To # enable this feature, you need to set "enable" to true. enable: false # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port # from that range will be assigned whenever a Pod's container defines a specific port to be exposed # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic # directed to that port will be forwarded to the Pod. portRange: "61000-62000" # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or # InClusterConfig. It is typically used when kube-proxy is not deployed (replaced by AntreaProxy). # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. kubeAPIServerOverride: "" # Provide the address of DNS server, to override the kube-dns Service. It's used to resolve # hostnames in a FQDN policy. # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, # 10.96.0.10:53, [fd00:10:96::a]:53). dnsServerOverride: "" # fqdnCacheMinTTL helps address the issue of applications caching DNS response IPs beyond the TTL value # for the DNS record. It is used to enforce FQDN policy rules, ensuring that resolved IPs are included # in datapath rules for as long as the application caches them. Ideally, this value should be set to # the maximum caching duration across all applications. fqdnCacheMinTTL: 0 # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. # https://golang.org/pkg/crypto/tls/#pkg-constants # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always # prefer TLS1.3 Cipher Suites whenever possible. tlsCipherSuites: "" # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. tlsMinVersion: "" # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. # If there are multiple IP addresses configured on the interface, the first one is used. The IP # address used for tunneling or routing traffic to remote Nodes is decided in the following order of # preference (from highest to lowest): # 1. transportInterface # 2. transportInterfaceCIDRs # 3. The Node IP transportInterface: "" multicast: # To enable Multicast, you need to set "enable" to true, and ensure that the # Multicast feature gate is also enabled (which is the default). enable: false # The names of the interfaces on Nodes that are used to forward multicast traffic. # Defaults to transport interface if not set. multicastInterfaces: # The versions of IGMP queries antrea-agent sends to Pods. # Valid versions are 1, 2 and 3. igmpQueryVersions: - 1 - 2 - 3 # The interval at which the antrea-agent sends IGMP queries to Pods. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". igmpQueryInterval: "125s" # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of # preference (from highest to lowest): # 1. transportInterface # 2. transportInterfaceCIDRs # 3. The Node IP transportInterfaceCIDRs: # Option antreaProxy contains AntreaProxy related configuration options. antreaProxy: # To disable AntreaProxy, set this to false. enable: true # proxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, # regardless of where they come from. Therefore, running kube-proxy is no longer required. # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access # apiserver directly. proxyAll: false # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. # Note that the option is only valid when proxyAll is true. nodePortAddresses: # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name # with Namespace (e.g. kube-system/kube-dns) skipServices: # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when proxyAll is set to true and # kube-proxy is removed from the cluster, otherwise kube-proxy will still load-balance this traffic. proxyLoadBalancerIPs: true # The value of the "service.kubernetes.io/service-proxy-name" label for AntreaProxy to match. If it is set, # then AntreaProxy will only handle Services with the label that equals the provided value. If it is not set, # then AntreaProxy will only handle Services without the "service.kubernetes.io/service-proxy-name" label, # but ignore Services with the label no matter what is the value. serviceProxyName: "" # Determines how external traffic is processed when it's load balanced across Nodes by default. # It has the following options: # - nat (default): External traffic is SNAT'd when it's load balanced across Nodes to ensure symmetric path. # - dsr: External traffic is never SNAT'd. Backend Pods running on Nodes that are not the ingress Node # can reply to clients directly, bypassing the ingress Node. # A Service's load balancer mode can be overridden by annotating it with `service.antrea.io/load-balancer-mode`. defaultLoadBalancerMode: "nat" # Disables the health check server run by Antrea Proxy, which provides health information about # Services of type LoadBalancer with externalTrafficPolicy set to Local, when proxyAll is # enabled. This avoids race conditions between kube-proxy and Antrea Proxy, with both trying to # bind to the same address, when proxyAll is enabled while kube-proxy has not been removed. disableServiceHealthCheckServer: false # The value of the IP address and the port on which AntreaProxy health server listens when proxyAll is enabled. This # server is functionally equivalent to the one of kube-proxy. If it is not specified, it will be automatically set # to "0.0.0.0:10256". serviceHealthCheckServerBindAddress: "" # IPsec tunnel related configurations. ipsec: # The authentication mode of IPsec tunnel. It has the following options: # - psk (default): Use pre-shared key (PSK) for IKE authentication. # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` # feature gate to be enabled. authenticationMode: "psk" multicluster: # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. # This feature is supported only with encap mode. enableGateway: false # The Namespace where Antrea Multi-cluster Controller is running. # The default is antrea-agent's Namespace. namespace: "" # Enable Multi-cluster NetworkPolicy (ingress rules). # Multi-cluster Gateway must be enabled to enable StretchedNetworkPolicy. enableStretchedNetworkPolicy: false # Enable Pod to Pod connectivity. enablePodToPodConnectivity: false # Determines how cross-cluster traffic is encrypted. # It has the following options: # - none (default): Cross-cluster traffic will not be encrypted. # - wireGuard: Use WireGuard to encrypt traffic. trafficEncryptionMode: "none" # WireGuard tunnel configuration for cross-cluster traffic. # It only works when multicluster.trafficEncryptionMode is wireGuard. wireGuard: # WireGuard tunnel port for cross-cluster traffic. port: 51821 # Log rotation configuration for audit logs. auditLogging: # MaxSize is the maximum size in MB of a log file before it gets rotated. maxSize: 500 # MaxBackups is the maximum number of old log files to retain. If set to 0, # all log files will be retained (unless MaxAge causes them to be deleted). maxBackups: 3 # MaxAge is the maximum number of days to retain old log files based on the # timestamp encoded in their filename. If set to 0, old log files are not # removed based on age. maxAge: 28 # Compress enables gzip compression on rotated files. compress: true # SecondaryNetwork related configurations. secondaryNetwork: # Configuration of OVS bridges for secondary network. At the moment, at # most one OVS bridge can be specified. If the specified bridge does not exist # on the Node, antrea-agent will create it based on the configuration. # The following configuration specifies an OVS bridge with name "br1" and a # physical interface "eth1": # [{bridgeName: "br1", physicalInterfaces: ["eth1"], enableMulticastSnooping: false}] ovsBridges: hostNetworkAcceleration: # Enable to accelerate Pod-to-Pod traffic in the Node's host network using nftables flowtable when traffic mode is # noEncap or hybrid. enable: true # HostNetworkMode determines how antrea-agent implements Node host network netfilter rules required by Antrea # functionalities and features, using either "iptables" or "nftables". The default value is "iptables". If "nftables" # is specified, the NFTablesHostNetworkMode feature gate must be enabled; otherwise, antrea-agent will fail to start. # If the above condition is met but nftables is not supported or unavailable on the Node, antrea-agent will also fail # to start. Currently, nftables support is limited to the following features: # - AntreaProxy (proxyAll) hostNetworkMode: "iptables" antrea-cni.conflist: | { "cniVersion":"0.3.0", "name": "antrea", "plugins": [ { "type": "antrea", "ipam": { "type": "host-local" } } , { "type": "portmap", "capabilities": {"portMappings": true} } , { "type": "bandwidth", "capabilities": {"bandwidth": true} } ] } antrea-controller.conf: | # FeatureGates is a map of feature names to bools that enable or disable experimental features. featureGates: # AllAlpha is a global toggle for alpha features. Per-feature key values override the default set by AllAlpha. # AllAlpha: false # AllBeta is a global toggle for beta features. Per-feature key values override the default set by AllBeta. # AllBeta: false # Enable traceflow which provides packet tracing feature to diagnose network issue. # Traceflow: true # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy # feature that supports priorities, ExternalEntities, FQDN rules and more. # AntreaPolicy: true # Enable collecting and exposing NetworkPolicy statistics. # NetworkPolicyStats: true # Enable multicast traffic. # Multicast: true # Enable controlling SNAT IPs of Pod egress traffic. # Egress: true # Run Kubernetes NodeIPAMController with Antrea. # NodeIPAM: true # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for # IPAM when configuring secondary network interfaces with Multus. # AntreaIPAM: false # Enable managing external IPs of Services of LoadBalancer type. # ServiceExternalIP: true # Enable certificate-based authentication for IPSec tunnel. # IPsecCertAuth: false # Enable managing ExternalNode for unmanaged VM/BM. # ExternalNode: false # Enable collecting support bundle files with SupportBundleCollection CRD. # SupportBundleCollection: false # Enable Antrea Multi-cluster features. # Multicluster: false # Enable users to protect their applications by specifying how they are allowed to communicate with others, taking # into account application context. # L7NetworkPolicy: false # Enable the use of Network Policy APIs (https://network-policy-api.sigs.k8s.io/api-overview) which helps administrators # set security postures for their clusters. # AdminNetworkPolicy: false # The port for the antrea-controller APIServer to serve on. # Note that if it's set to another value, the `containerPort` of the `api` port of the # `antrea-controller` container must be set to the same value. apiPort: 10349 # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. enablePrometheusMetrics: true # Indicates whether to use auto-generated self-signed TLS certificate. # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: # ca.crt: # tls.crt: # tls.key: selfSignedCert: true # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. # https://golang.org/pkg/crypto/tls/#pkg-constants # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always # prefer TLS1.3 Cipher Suites whenever possible. tlsCipherSuites: "" # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. tlsMinVersion: "" # File path of the certificate bundle for all the signers that is recognized for incoming client # certificates. clientCAFile: "" # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. # It is typically used when kube-proxy is not deployed (replaced by AntreaProxy) and kube-controller-manager # does not run NodeIPAMController (replaced by Antrea NodeIPAM). # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. kubeAPIServerOverride: "" nodeIPAM: # Enable the integrated Node IPAM controller within the Antrea controller. enableNodeIPAM: false # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. # Value ignored when enableNodeIPAM is false. clusterCIDRs: # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. # Value ignored when enableNodeIPAM is false. serviceCIDR: "" serviceCIDRv6: "" # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. nodeCIDRMaskSizeIPv4: 24 # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. nodeCIDRMaskSizeIPv6: 64 ipsecCSRSigner: # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, # the Pod identity will also be validated to provide maximum security. # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved # manually by `kubectl certificate approve`. autoApprove: true # Indicates whether to use auto-generated self-signed CA certificate. # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: # tls.crt: # tls.key: selfSignedCA: true multicluster: # Enable Multi-cluster NetworkPolicy. enableStretchedNetworkPolicy: false --- # Source: antrea/templates/agent/clusterrole.yaml kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: antrea-agent labels: app: antrea rules: - apiGroups: - stats.antrea.io resources: - nodelatencystats verbs: - create - apiGroups: - "" resources: - nodes verbs: - get - watch - list - apiGroups: - "" resources: - nodes/status verbs: - patch - apiGroups: - "" resources: - pods verbs: - get - watch - list - apiGroups: - "" resources: - pods/status verbs: - patch - update - apiGroups: - "" resources: - endpoints - services - namespaces verbs: - get - watch - list - apiGroups: - discovery.k8s.io resources: - endpointslices verbs: - get - watch - list - apiGroups: - crd.antrea.io resources: - antreaagentinfos verbs: - get - update - apiGroups: - controlplane.antrea.io resources: - networkpolicies - appliedtogroups - addressgroups verbs: - get - watch - list - apiGroups: - controlplane.antrea.io resources: - egressgroups verbs: - get - watch - list - apiGroups: - controlplane.antrea.io resources: - nodestatssummaries verbs: - create - apiGroups: - controlplane.antrea.io resources: - networkpolicies/status verbs: - create - get - apiGroups: - controlplane.antrea.io resources: - supportbundlecollections verbs: - get - watch - list - apiGroups: - controlplane.antrea.io resources: - supportbundlecollections/status verbs: - create - apiGroups: - authentication.k8s.io resources: - tokenreviews verbs: - create - apiGroups: - authorization.k8s.io resources: - subjectaccessreviews verbs: - create # This is the content of built-in role kube-system/extension-apiserver-authentication-reader. # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-agent) will # have permission issue after bumping up apiserver library to a version that supports dynamic authentication. # See https://github.com/kubernetes/kubernetes/pull/85375 # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on # the extension-apiserver-authentication role. - apiGroups: - "" resourceNames: - extension-apiserver-authentication resources: - configmaps verbs: - get - list - watch - apiGroups: - "" resources: - configmaps resourceNames: - antrea-ca verbs: - get - watch - list - apiGroups: - crd.antrea.io resources: - traceflows - traceflows/status verbs: - get - watch - list - update - patch - create - delete - apiGroups: - crd.antrea.io resources: - packetcaptures verbs: - get - watch - list - apiGroups: - crd.antrea.io resources: - packetcaptures/status verbs: - update - apiGroups: - crd.antrea.io resources: - egresses verbs: - get - watch - list - apiGroups: - crd.antrea.io resources: - egresses/status verbs: - update - apiGroups: - crd.antrea.io resources: - bgppolicies - externalippools - ippools - trafficcontrols - nodelatencymonitors verbs: - get - watch - list - apiGroups: - crd.antrea.io resources: - ippools/status verbs: - update - apiGroups: - crd.antrea.io resources: - flowexporterdestinations verbs: - get - watch - list - apiGroups: - k8s.cni.cncf.io resources: - network-attachment-definitions verbs: - get - list - watch - apiGroups: - certificates.k8s.io resources: - certificatesigningrequests verbs: - get - watch - list - create - apiGroups: - multicluster.crd.antrea.io resources: - gateways verbs: - get - list - watch - patch - apiGroups: - multicluster.crd.antrea.io resources: - clusterinfoimports - labelidentities verbs: - get - list - watch - apiGroups: - "" resources: - secrets resourceNames: - antrea-bgp-passwords - antrea-packetcapture-fileserver-auth verbs: - get - list - watch - apiGroups: - events.k8s.io resources: - events verbs: - create - patch - update --- # Source: antrea/templates/antctl/clusterrole.yaml kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: antctl labels: app: antrea rules: - apiGroups: - controlplane.antrea.io resources: - networkpolicies - appliedtogroups - addressgroups verbs: - get - list - apiGroups: - controlplane.antrea.io resources: - networkpolicyevaluation verbs: - create - apiGroups: - stats.antrea.io resources: - networkpolicystats - antreaclusternetworkpolicystats - antreanetworkpolicystats verbs: - get - list - apiGroups: - system.antrea.io resources: - controllerinfos verbs: - get - apiGroups: - system.antrea.io resources: - supportbundles verbs: - create - get - apiGroups: - system.antrea.io resources: - supportbundles/download verbs: - get - nonResourceURLs: - /agentinfo - /addressgroups - /appliedtogroups - /loglevel - /networkpolicies - /ovsflows - /ovstracing - /podinterfaces - /featuregates - /serviceexternalip - /metrics - /debug/pprof - /debug/pprof/* verbs: - get - apiGroups: - crd.antrea.io resources: - antreacontrollerinfos - antreaagentinfos verbs: - get - list - apiGroups: - "" resources: - pods verbs: - list - apiGroups: - "" resources: - nodes verbs: - get - list - apiGroups: - apps resources: - daemonsets - deployments - replicasets verbs: - list - apiGroups: - "" resources: - configmaps resourceNames: - antrea-config - antrea-ca - antrea-ipsec-ca - antrea-cluster-identity verbs: - get --- # Source: antrea/templates/cluster-identity-reader/clusterrolebinding.yaml kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: antrea-cluster-identity-reader labels: app: antrea rules: - apiGroups: - "" resources: - configmaps resourceNames: - antrea-cluster-identity verbs: - get --- # Source: antrea/templates/controller/clusterrole.yaml kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: antrea-controller labels: app: antrea rules: - apiGroups: - "" resources: - pods - services - namespaces - configmaps verbs: - get - watch - list - apiGroups: - "" resources: - nodes verbs: - get - watch - list - patch - apiGroups: - "" resources: - services/status verbs: - update - apiGroups: - networking.k8s.io resources: - networkpolicies verbs: - get - watch - list - apiGroups: - authentication.k8s.io resources: - tokenreviews verbs: - create - apiGroups: - authorization.k8s.io resources: - subjectaccessreviews verbs: - create - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - get - list - update # This is the content of built-in role kube-system/extension-apiserver-authentication-reader. # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-controller) will # have permission issue after bumping up apiserver library to a version that supports dynamic authentication. # See https://github.com/kubernetes/kubernetes/pull/85375 # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on # the extension-apiserver-authentication role. - apiGroups: - "" resourceNames: - extension-apiserver-authentication resources: - configmaps verbs: - get - list - watch - apiGroups: - "" resources: - configmaps resourceNames: - antrea-ca - antrea-ipsec-ca - antrea-cluster-identity verbs: - get - update - apiGroups: - "" resources: - secrets resourceNames: - antrea-controller-tls - antrea-ipsec-ca verbs: - get - update - watch - list - apiGroups: - "" resources: - configmaps - secrets verbs: - create - apiGroups: - apiregistration.k8s.io resources: - apiservices verbs: - list - update - apiGroups: - admissionregistration.k8s.io resources: - mutatingwebhookconfigurations - validatingwebhookconfigurations verbs: - list - update - apiGroups: - certificates.k8s.io resources: - certificatesigningrequests verbs: - get - list - watch - apiGroups: - certificates.k8s.io resources: - certificatesigningrequests/approval - certificatesigningrequests/status verbs: - update - apiGroups: - certificates.k8s.io resources: - signers resourceNames: - antrea.io/antrea-agent-ipsec-tunnel verbs: - approve - sign - apiGroups: - crd.antrea.io resources: - antreacontrollerinfos verbs: - get - create - update - delete - apiGroups: - crd.antrea.io resources: - antreaagentinfos verbs: - list - create - delete - apiGroups: - crd.antrea.io resources: - clusternetworkpolicies - networkpolicies verbs: - get - watch - list - update - patch - create - delete - apiGroups: - crd.antrea.io resources: - clusternetworkpolicies/status - networkpolicies/status verbs: - update - apiGroups: - crd.antrea.io resources: - tiers verbs: - get - watch - list - update - patch - create - delete - apiGroups: - crd.antrea.io resources: - traceflows - traceflows/status verbs: - get - watch - list - update - patch - create - delete - apiGroups: - crd.antrea.io resources: - externalentities - clustergroups - groups verbs: - get - watch - list - update - patch - create - delete - apiGroups: - crd.antrea.io resources: - clustergroups/status - groups/status - egresses/status verbs: - update - apiGroups: - crd.antrea.io resources: - egresses verbs: - get - watch - list - update - patch - apiGroups: - crd.antrea.io resources: - externalippools - ippools verbs: - get - watch - list - apiGroups: - crd.antrea.io resources: - externalippools/status - ippools/status verbs: - update - patch - apiGroups: - crd.antrea.io resources: - externalnodes verbs: - get - watch - list - apiGroups: - apps resources: - statefulsets verbs: - get - list - watch - apiGroups: - crd.antrea.io resources: - supportbundlecollections verbs: - get - watch - list - apiGroups: - crd.antrea.io resources: - supportbundlecollections/status verbs: - update - apiGroups: - multicluster.crd.antrea.io resources: - labelidentities verbs: - get - list - watch - apiGroups: - policy.networking.k8s.io resources: - adminnetworkpolicies - baselineadminnetworkpolicies verbs: - get - list - watch --- # Source: antrea/templates/crds-rbac/clusterroles.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: aggregate-antrea-policies-edit labels: app: antrea # Add these permissions to the "admin" and "edit" default roles. rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" rules: - apiGroups: ["crd.antrea.io"] resources: ["clusternetworkpolicies", "networkpolicies"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] --- # Source: antrea/templates/crds-rbac/clusterroles.yaml kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: aggregate-antrea-policies-view labels: app: antrea # Add these permissions to the "view" default role. rbac.authorization.k8s.io/aggregate-to-view: "true" rules: - apiGroups: ["crd.antrea.io"] resources: ["clusternetworkpolicies", "networkpolicies"] verbs: ["get", "list", "watch"] --- # Source: antrea/templates/crds-rbac/clusterroles.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: aggregate-traceflows-edit labels: app: antrea # Add these permissions to the "admin" and "edit" default roles. rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" rules: - apiGroups: ["crd.antrea.io"] resources: ["traceflows"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] --- # Source: antrea/templates/crds-rbac/clusterroles.yaml kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: aggregate-traceflows-view labels: app: antrea # Add these permissions to the "view" default role. rbac.authorization.k8s.io/aggregate-to-view: "true" rules: - apiGroups: ["crd.antrea.io"] resources: ["traceflows"] verbs: ["get", "list", "watch"] --- # Source: antrea/templates/crds-rbac/clusterroles.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: aggregate-antrea-clustergroups-edit labels: app: antrea # Add these permissions to the "admin" and "edit" default roles. rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" rules: - apiGroups: ["crd.antrea.io"] resources: ["clustergroups"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] --- # Source: antrea/templates/crds-rbac/clusterroles.yaml kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: aggregate-antrea-clustergroups-view labels: app: antrea # Add these permissions to the "view" default role. rbac.authorization.k8s.io/aggregate-to-view: "true" rules: - apiGroups: ["crd.antrea.io"] resources: ["clustergroups"] verbs: ["get", "list", "watch"] --- # Source: antrea/templates/agent/clusterrolebinding.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: antrea-agent labels: app: antrea roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: antrea-agent subjects: - kind: ServiceAccount name: antrea-agent namespace: kube-system --- # Source: antrea/templates/antctl/clusterrolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app: antrea name: antctl roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: antctl subjects: - kind: ServiceAccount name: antctl namespace: kube-system --- # Source: antrea/templates/controller/clusterrolebinding.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: antrea-controller labels: app: antrea roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: antrea-controller subjects: - kind: ServiceAccount name: antrea-controller namespace: kube-system --- # Source: antrea/templates/controller/service.yaml apiVersion: v1 kind: Service metadata: name: antrea namespace: kube-system labels: app: antrea spec: ports: - port: 443 protocol: TCP targetPort: api selector: app: antrea component: antrea-controller --- # Source: antrea/templates/agent/daemonset.yaml apiVersion: apps/v1 kind: DaemonSet metadata: name: antrea-agent namespace: kube-system labels: app: antrea component: antrea-agent spec: selector: matchLabels: app: antrea component: antrea-agent updateStrategy: type: RollingUpdate template: metadata: annotations: # Starting with v1.21, Kubernetes supports default container annotation. # Using "kubectl logs/exec/attach/cp" doesn't have to specify "-c antrea-agent" when troubleshooting. kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments checksum/config: ce43af869242f2d5f0787dd0b9643a42f005e0426c4bfd7e3f38abda8b7718bc labels: app: antrea component: antrea-agent spec: hostNetwork: true priorityClassName: system-node-critical nodeSelector: kubernetes.io/os: linux tolerations: - key: CriticalAddonsOnly operator: Exists - effect: NoSchedule operator: Exists - effect: NoExecute operator: Exists serviceAccountName: antrea-agent initContainers: - name: install-cni image: "antrea/antrea-agent-ubuntu:latest" imagePullPolicy: IfNotPresent resources: requests: cpu: 100m command: ["install_cni"] securityContext: capabilities: add: - SYS_MODULE env: # SKIP_CNI_BINARIES takes in values as a comma separated list of # binaries that need to be skipped for installation, e.g. "portmap, bandwidth". - name: SKIP_CNI_BINARIES value: "" # CONFIG_FILE_MODE set the file permission for 10-antrea.conflist. # The default value will be '644' if it's empty. - name: CONFIG_FILE_MODE value: "644" volumeMounts: - name: antrea-config mountPath: /etc/antrea/antrea-cni.conflist subPath: antrea-cni.conflist readOnly: true - name: host-cni-conf mountPath: /host/etc/cni/net.d - name: host-cni-bin mountPath: /host/opt/cni/bin # For loading the OVS kernel module. - name: host-lib-modules mountPath: /lib/modules readOnly: true # For changing the default permissions of the run directory. - name: host-var-run-antrea mountPath: /var/run/antrea containers: - name: antrea-agent image: "antrea/antrea-agent-ubuntu:latest" imagePullPolicy: IfNotPresent command: ["antrea-agent"] # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).- args: - "--config=/etc/antrea/antrea-agent.conf" - "--logtostderr=false" - "--log_dir=/var/log/antrea" - "--alsologtostderr" - "--log_file_max_size=100" - "--log_file_max_num=4" env: # Provide pod and node information for clusterinformation CRD. - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName resources: requests: cpu: 200m ports: - containerPort: 10350 name: api protocol: TCP livenessProbe: httpGet: host: localhost path: /livez port: api scheme: HTTPS initialDelaySeconds: 10 timeoutSeconds: 5 periodSeconds: 10 failureThreshold: 5 readinessProbe: httpGet: host: localhost path: /readyz port: api scheme: HTTPS initialDelaySeconds: 5 timeoutSeconds: 5 periodSeconds: 10 # In large-scale clusters, it may take up to 40~50 seconds for the antrea-agent to reconnect to the antrea # Service after the antrea-controller restarts. The antrea-agent shouldn't be reported as NotReady in this # scenario, otherwise the DaemonSet controller would restart all agents at once, as opposed to performing a # rolling update. Set failureThreshold to 8 so it can tolerate 70s of disconnection. failureThreshold: 8 securityContext: privileged: true volumeMounts: - name: antrea-config mountPath: /etc/antrea/antrea-agent.conf subPath: antrea-agent.conf readOnly: true - name: host-var-run-antrea mountPath: /var/run/antrea - name: host-var-run-antrea mountPath: /var/run/openvswitch subPath: openvswitch # host-local IPAM stores allocated IP addresses as files in /var/lib/cni/networks/$NETWORK_NAME. # Mount a sub-directory of host-var-run-antrea to it for persistence of IP allocation. - name: host-var-run-antrea mountPath: /var/lib/cni subPath: cni # We need to mount both the /proc directory and the /var/run/netns directory so that # antrea-agent can open the network namespace path when setting up Pod # networking. Different container runtimes may use /proc or /var/run/netns when invoking # the CNI commands. Docker uses /proc and containerd uses /var/run/netns. - name: host-var-log-antrea mountPath: /var/log/antrea - name: host-proc mountPath: /host/proc readOnly: true - name: host-var-run-netns mountPath: /host/var/run/netns readOnly: true # When a container is created, a mount point for the network namespace is added under # /var/run/netns on the host, which needs to be propagated to the antrea-agent container. mountPropagation: HostToContainer - name: xtables-lock mountPath: /run/xtables.lock - name: host-pod-resources mountPath: /var/lib/kubelet/pod-resources - name: antrea-ovs image: "antrea/antrea-agent-ubuntu:latest" imagePullPolicy: IfNotPresent resources: requests: cpu: 200m command: ["start_ovs"] args: - "--log_file_max_size=100" - "--log_file_max_num=4" securityContext: capabilities: add: - SYS_NICE - NET_ADMIN - SYS_ADMIN - IPC_LOCK livenessProbe: exec: # docker CRI doesn't honor timeoutSeconds, add "timeout" to the command as a workaround. # https://github.com/kubernetes/kubernetes/issues/51901 command: - /bin/sh - -c - timeout 10 container_liveness_probe ovs initialDelaySeconds: 5 timeoutSeconds: 10 periodSeconds: 10 failureThreshold: 5 volumeMounts: - name: host-var-run-antrea mountPath: /var/run/openvswitch subPath: openvswitch - name: host-var-log-antrea mountPath: /var/log/openvswitch subPath: openvswitch volumes: - name: antrea-config configMap: name: antrea-config - name: host-cni-conf hostPath: path: /etc/cni/net.d - name: host-cni-bin hostPath: path: /opt/cni/bin - name: host-proc hostPath: path: /proc - name: host-var-run-netns hostPath: path: /var/run/netns - name: host-var-run-antrea hostPath: path: /var/run/antrea # we use subPath to create run subdirectories for different component (e.g. OVS) and # subPath requires the base volume to exist type: DirectoryOrCreate - name: host-var-log-antrea hostPath: path: /var/log/antrea # we use subPath to create logging subdirectories for different component (e.g. OVS) type: DirectoryOrCreate - name: host-lib-modules hostPath: path: /lib/modules - name: xtables-lock hostPath: path: /run/xtables.lock type: FileOrCreate - name: host-pod-resources hostPath: path: /var/lib/kubelet/pod-resources type: Directory --- # Source: antrea/templates/controller/deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: antrea-controller namespace: kube-system labels: app: antrea component: antrea-controller spec: strategy: # Ensure the existing Pod is stopped before the new one is created. type: Recreate selector: matchLabels: app: antrea component: antrea-controller replicas: 1 template: metadata: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments checksum/config: ce43af869242f2d5f0787dd0b9643a42f005e0426c4bfd7e3f38abda8b7718bc labels: app: antrea component: antrea-controller spec: nodeSelector: kubernetes.io/os: linux hostNetwork: true priorityClassName: system-cluster-critical tolerations: - key: CriticalAddonsOnly operator: Exists - effect: NoSchedule key: node-role.kubernetes.io/master - effect: NoSchedule key: node-role.kubernetes.io/control-plane - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists tolerationSeconds: 0 serviceAccountName: antrea-controller containers: - name: antrea-controller image: "antrea/antrea-controller-ubuntu:latest" imagePullPolicy: IfNotPresent resources: requests: cpu: 200m memory: 100Mi command: ["antrea-controller"] # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work). args: - "--config=/etc/antrea/antrea-controller.conf" - "--logtostderr=false" - "--log_dir=/var/log/antrea" - "--alsologtostderr" - "--log_file_max_size=100" - "--log_file_max_num=4" env: # Provide pod and node information for clusterinformation CRD. - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName # Provide ServiceAccount name for validation webhook. - name: SERVICEACCOUNT_NAME valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: ANTREA_CONFIG_MAP_NAME value: antrea-config ports: - containerPort: 10349 name: api protocol: TCP readinessProbe: httpGet: host: localhost path: /readyz port: api scheme: HTTPS initialDelaySeconds: 5 timeoutSeconds: 5 periodSeconds: 10 failureThreshold: 5 livenessProbe: httpGet: host: localhost path: /livez port: api scheme: HTTPS timeoutSeconds: 5 periodSeconds: 10 failureThreshold: 5 volumeMounts: - name: antrea-config mountPath: /etc/antrea/antrea-controller.conf subPath: antrea-controller.conf readOnly: true - name: antrea-controller-tls mountPath: /var/run/antrea/antrea-controller-tls - name: host-var-log-antrea mountPath: /var/log/antrea volumes: - name: antrea-config configMap: name: antrea-config # Make it optional as we only read it when selfSignedCert=false. - name: antrea-controller-tls secret: secretName: antrea-controller-tls defaultMode: 0400 optional: true - name: host-var-log-antrea hostPath: path: /var/log/antrea type: DirectoryOrCreate --- # Source: antrea/templates/controller/apiservices.yaml apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: name: v1beta2.controlplane.antrea.io labels: app: antrea served-by: antrea-controller spec: group: controlplane.antrea.io groupPriorityMinimum: 100 version: v1beta2 versionPriority: 100 service: name: antrea namespace: kube-system --- # Source: antrea/templates/controller/apiservices.yaml apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: name: v1beta1.system.antrea.io labels: app: antrea served-by: antrea-controller spec: group: system.antrea.io groupPriorityMinimum: 100 version: v1beta1 versionPriority: 100 service: name: antrea namespace: kube-system --- # Source: antrea/templates/controller/apiservices.yaml apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: name: v1alpha1.stats.antrea.io labels: app: antrea served-by: antrea-controller spec: group: stats.antrea.io groupPriorityMinimum: 100 version: v1alpha1 versionPriority: 100 service: name: antrea namespace: kube-system --- # Source: antrea/templates/webhooks/mutating/crdmutator.yaml apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: name: "crdmutator.antrea.io" labels: app: antrea served-by: antrea-controller webhooks: - name: "acnpmutator.antrea.io" clientConfig: service: name: "antrea" namespace: kube-system path: "/mutate/acnp" rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] apiVersions: ["v1beta1"] resources: ["clusternetworkpolicies"] scope: "Cluster" admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 - name: "annpmutator.antrea.io" clientConfig: service: name: "antrea" namespace: kube-system path: "/mutate/annp" rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] apiVersions: ["v1beta1"] resources: ["networkpolicies"] scope: "Namespaced" admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 --- # Source: antrea/templates/webhooks/validating/crdvalidator.yaml apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: "crdvalidator.antrea.io" labels: app: antrea served-by: antrea-controller webhooks: - name: "tiervalidator.antrea.io" clientConfig: service: name: "antrea" namespace: kube-system path: "/validate/tier" rules: - operations: ["CREATE", "UPDATE", "DELETE"] apiGroups: ["crd.antrea.io"] apiVersions: ["v1beta1"] resources: ["tiers"] scope: "Cluster" admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 - name: "acnpvalidator.antrea.io" clientConfig: service: name: "antrea" namespace: kube-system path: "/validate/acnp" rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] apiVersions: ["v1beta1"] resources: ["clusternetworkpolicies"] scope: "Cluster" admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 - name: "annpvalidator.antrea.io" clientConfig: service: name: "antrea" namespace: kube-system path: "/validate/annp" rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] apiVersions: ["v1beta1"] resources: ["networkpolicies"] scope: "Namespaced" admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 - name: "anpvalidator.antrea.io" clientConfig: service: name: "antrea" namespace: kube-system path: "/validate/anp" rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["policy.networking.k8s.io"] apiVersions: ["v1alpha1"] resources: ["adminnetworkpolicies"] admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 - name: "banpvalidator.antrea.io" clientConfig: service: name: "antrea" namespace: kube-system path: "/validate/banp" rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["policy.networking.k8s.io"] apiVersions: ["v1alpha1"] resources: ["baselineadminnetworkpolicies"] admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 - name: "clustergroupvalidator.antrea.io" clientConfig: service: name: "antrea" namespace: kube-system path: "/validate/clustergroup" rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] apiVersions: ["v1beta1"] resources: ["clustergroups"] scope: "Cluster" admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 - name: "groupvalidator.antrea.io" clientConfig: service: name: "antrea" namespace: "kube-system" path: "/validate/group" rules: - operations: [ "CREATE", "UPDATE" ] apiGroups: [ "crd.antrea.io" ] apiVersions: [ "v1beta1" ] resources: [ "groups" ] scope: "Namespaced" admissionReviewVersions: [ "v1", "v1beta1" ] sideEffects: None timeoutSeconds: 5 - name: "externalippoolvalidator.antrea.io" clientConfig: service: name: "antrea" namespace: kube-system path: "/validate/externalippool" rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] apiVersions: ["v1alpha2", "v1beta1"] resources: ["externalippools"] scope: "Cluster" admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 - name: "egressvalidator.antrea.io" clientConfig: service: name: "antrea" namespace: kube-system path: "/validate/egress" rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] apiVersions: ["v1beta1"] resources: ["egresses"] scope: "Cluster" admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 - name: "ippoolvalidator.antrea.io" clientConfig: service: name: "antrea" namespace: kube-system path: "/validate/ippool" rules: - operations: ["CREATE", "UPDATE", "DELETE"] apiGroups: ["crd.antrea.io"] apiVersions: ["v1beta1"] resources: ["ippools"] scope: "Cluster" admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 - name: "supportbundlecollectionvalidator.antrea.io" clientConfig: service: name: "antrea" namespace: kube-system path: "/validate/supportbundlecollection" rules: - operations: ["CREATE", "UPDATE", "DELETE"] apiGroups: ["crd.antrea.io"] apiVersions: ["v1alpha1"] resources: ["supportbundlecollections"] scope: "Cluster" admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 - name: "traceflowvalidator.antrea.io" clientConfig: service: name: "antrea" namespace: kube-system path: "/validate/traceflow" rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] apiVersions: ["v1beta1"] resources: ["traceflows"] scope: "Cluster" admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5