--- # Source: antrea/crds/antreaagentinfo.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: antreaagentinfos.crd.antrea.io labels: app: antrea spec: group: crd.antrea.io versions: - name: v1beta1 served: true storage: true schema: openAPIV3Schema: type: object properties: version: type: string agentConditions: type: array items: type: object required: - type - status - lastHeartbeatTime properties: lastHeartbeatTime: type: string format: date-time type: type: string enum: ['AgentHealthy', 'ControllerConnectionUp', 'OVSDBConnectionUp', 'OpenflowConnectionUp'] status: type: string enum: ['True', 'False', 'Unknown'] reason: type: string message: type: string localPodNum: type: integer format: int32 nodePortLocalPortRange: type: string nodeSubnets: type: array items: type: string apiCABundle: type: string format: byte ovsInfo: type: object properties: version: type: string bridgeName: type: string flowTable: type: object additionalProperties: type: integer format: int32 networkPolicyControllerInfo: type: object properties: networkPolicyNum: type: integer format: int32 addressGroupNum: type: integer format: int32 appliedToGroupNum: type: integer format: int32 apiPort: type: integer minimum: 1 maximum: 65535 podRef: type: object properties: kind: type: string namespace: type: string name: type: string uid: type: string apiVersion: type: string resourceVersion: type: string fieldPath: type: string nodeRef: type: object properties: kind: type: string namespace: type: string name: type: string uid: type: string apiVersion: type: string resourceVersion: type: string fieldPath: type: string additionalPrinterColumns: - description: Health status of this Agent jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" name: Healthy type: string - description: Last time the Healthy Condition was updated jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" name: Last Heartbeat type: date - description: Version of this Agent jsonPath: ".version" name: Version type: string priority: 1 - description: Node on which this Agent is running jsonPath: ".nodeRef.name" name: Node type: string priority: 1 - description: Number of local Pods managed by this Agent jsonPath: ".localPodNum" name: Num Pods type: integer priority: 2 - description: Subnets used by this Agent for Pod IPAM jsonPath: ".nodeSubnets" name: Subnets type: string priority: 2 scope: Cluster names: plural: antreaagentinfos singular: antreaagentinfo kind: AntreaAgentInfo shortNames: - aai --- # Source: antrea/crds/antreacontrollerinfo.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: antreacontrollerinfos.crd.antrea.io labels: app: antrea spec: group: crd.antrea.io versions: - name: v1beta1 served: true storage: true schema: openAPIV3Schema: type: object properties: version: type: string controllerConditions: type: array items: type: object required: - type - status - lastHeartbeatTime properties: lastHeartbeatTime: type: string format: date-time status: type: string enum: ['True', 'False', 'Unknown'] type: type: string enum: ['ControllerHealthy'] reason: type: string message: type: string serviceRef: type: object properties: kind: type: string namespace: type: string name: type: string uid: type: string apiVersion: type: string resourceVersion: type: string fieldPath: type: string networkPolicyControllerInfo: type: object properties: networkPolicyNum: type: integer format: int32 addressGroupNum: type: integer format: int32 appliedToGroupNum: type: integer format: int32 apiPort: type: integer minimum: 1 maximum: 65535 connectedAgentNum: type: integer format: int32 podRef: type: object properties: kind: type: string namespace: type: string name: type: string uid: type: string apiVersion: type: string resourceVersion: type: string fieldPath: type: string nodeRef: type: object properties: kind: type: string namespace: type: string name: type: string uid: type: string apiVersion: type: string resourceVersion: type: string fieldPath: type: string additionalPrinterColumns: - description: Health status of the Controller jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" name: Healthy type: string - description: Last time the Healthy Condition was updated jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" name: Last Heartbeat type: date - description: Version of the Controller jsonPath: ".version" name: Version type: string priority: 1 - description: Number of Agents connected to the Controller jsonPath: ".connectedAgentNum" name: Connected Agents type: integer priority: 1 - description: Node on which the Controller is running jsonPath: ".nodeRef.name" name: Node type: string priority: 1 - description: Number of Network Policies computed by Controller jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" name: Num Network Policies type: integer priority: 2 scope: Cluster names: plural: antreacontrollerinfos singular: antreacontrollerinfo kind: AntreaControllerInfo shortNames: - aci --- # Source: antrea/crds/bgppolicy.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: bgppolicies.crd.antrea.io spec: group: crd.antrea.io versions: - name: v1alpha1 served: true storage: true schema: openAPIV3Schema: type: object required: - spec properties: spec: type: object required: - nodeSelector - localASN properties: nodeSelector: type: object properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true localASN: type: integer format: int32 minimum: 64512 maximum: 65535 listenPort: type: integer format: int32 minimum: 1 maximum: 65535 default: 179 advertisements: type: object properties: service: type: object properties: ipTypes: type: array items: type: string enum: - ClusterIP - LoadBalancerIP - ExternalIP pod: type: object properties: {} egress: type: object properties: {} bgpPeers: type: array items: type: object required: - address - asn properties: address: type: string oneOf: - format: ipv4 - format: ipv6 port: type: integer format: int32 minimum: 1 maximum: 65535 default: 179 asn: type: integer format: int32 minimum: 1 maximum: 65535 multihopTTL: type: integer format: int32 minimum: 1 maximum: 255 default: 1 gracefulRestartTimeSeconds: type: integer format: int32 minimum: 1 maximum: 3600 default: 120 additionalPrinterColumns: - description: Local BGP AS number jsonPath: .spec.localASN name: Local ASN type: integer - jsonPath: .metadata.creationTimestamp name: Age type: date scope: Cluster names: plural: bgppolicies singular: bgppolicy kind: BGPPolicy --- # Source: antrea/crds/clustergroup.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: clustergroups.crd.antrea.io labels: app: antrea spec: group: crd.antrea.io versions: - name: v1beta1 served: true storage: true schema: openAPIV3Schema: type: object properties: spec: type: object properties: childGroups: type: array items: type: string podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object namespaceSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object externalEntitySelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object ipBlocks: type: array items: type: object properties: cidr: type: string format: cidr except: type: array items: type: string format: cidr serviceReference: type: object properties: name: type: string namespace: type: string status: type: object properties: conditions: type: array items: type: object properties: type: type: string status: type: string lastTransitionTime: type: string subresources: status: { } scope: Cluster names: plural: clustergroups singular: clustergroup kind: ClusterGroup shortNames: - cg --- # Source: antrea/crds/clusternetworkpolicy.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: clusternetworkpolicies.crd.antrea.io labels: app: antrea spec: group: crd.antrea.io versions: - name: v1beta1 served: true storage: true additionalPrinterColumns: - name: Tier type: string description: The Tier to which this ClusterNetworkPolicy belongs to. jsonPath: .spec.tier - name: Priority type: number format: float description: The Priority of this ClusterNetworkPolicy relative to other policies. jsonPath: .spec.priority - name: Desired Nodes type: number format: int32 description: The total number of Nodes that should realize the NetworkPolicy. jsonPath: .status.desiredNodesRealized - name: Current Nodes type: number format: int32 description: The number of Nodes that have realized the NetworkPolicy. jsonPath: .status.currentNodesRealized - name: Age type: date jsonPath: .metadata.creationTimestamp schema: openAPIV3Schema: type: object properties: spec: # Ensure that Spec.Priority field is set required: - priority type: object properties: tier: type: string priority: type: number format: float # Ensure that Spec.Priority field is between 1 and 10000 minimum: 1.0 maximum: 10000.0 appliedTo: type: array items: type: object # Ensure that Spec.AppliedTo does not allow IPBlock field properties: podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object namespaceSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object group: type: string serviceAccount: type: object properties: name: type: string namespace: type: string required: - name - namespace service: type: object properties: name: type: string namespace: type: string required: - name - namespace nodeSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object ingress: type: array items: type: object required: - action properties: appliedTo: type: array items: type: object # Ensure that rule AppliedTo does not allow IPBlock field properties: podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object namespaceSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object group: type: string serviceAccount: type: object properties: name: type: string namespace: type: string required: - name - namespace service: type: object properties: name: type: string namespace: type: string required: - name - namespace # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values action: type: string enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] ports: type: array items: type: object properties: protocol: type: string enum: [ 'TCP', 'UDP', 'SCTP' ] port: x-kubernetes-int-or-string: true endPort: type: integer sourcePort: type: integer sourceEndPort: type: integer protocols: type: array items: type: object oneOf: - required: [ icmp ] - required: [ igmp ] properties: icmp: type: object properties: icmpType: type: integer minimum: 0 maximum: 255 icmpCode: type: integer minimum: 0 maximum: 255 igmp: type: object properties: igmpType: type: integer # Only IGMP query (0x11) is valid igmpType in ingress rules. enum: [ 0x11 ] groupAddress: type: string oneOf: - format: ipv4 - format: ipv6 l7Protocols: type: array items: type: object oneOf: - required: [ http ] - required: [ tls ] properties: http: type: object properties: host: type: string method: type: string enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] path: type: string tls: type: object properties: sni: type: string from: type: array items: type: object properties: podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object namespaceSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object namespaces: type: object maxProperties: 1 minProperties: 1 properties: match: type: string enum: - Self sameLabels: type: array items: type: string ipBlock: type: object properties: cidr: type: string format: cidr except: type: array items: type: string format: cidr group: type: string serviceAccount: type: object properties: name: type: string namespace: type: string required: - name - namespace nodeSelector: type: object properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: array type: object type: array matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object scope: type: string enum: [ 'Cluster', 'ClusterSet' ] name: type: string enableLogging: type: boolean logLabel: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" egress: type: array items: type: object required: - action properties: appliedTo: type: array items: type: object # Ensure that rule AppliedTo does not allow IPBlock field properties: podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object namespaceSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object group: type: string serviceAccount: type: object properties: name: type: string namespace: type: string required: - name - namespace # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values action: type: string enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] ports: type: array items: type: object properties: protocol: type: string enum: [ 'TCP', 'UDP', 'SCTP' ] port: x-kubernetes-int-or-string: true endPort: type: integer sourcePort: type: integer sourceEndPort: type: integer protocols: type: array items: type: object oneOf: - required: [ icmp ] - required: [ igmp ] properties: icmp: type: object properties: icmpType: type: integer minimum: 0 maximum: 255 icmpCode: type: integer minimum: 0 maximum: 255 igmp: type: object properties: igmpType: type: integer # Only IGMP reports are igmpType in egress rules, # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3. # It will match all IGMP report types if igmpType is not set. enum: [ 0x12, 0x16, 0x22 ] groupAddress: type: string oneOf: - format: ipv4 - format: ipv6 l7Protocols: type: array items: type: object oneOf: - required: [ http ] - required: [ tls ] properties: http: type: object properties: host: type: string method: type: string enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] path: type: string tls: type: object properties: sni: type: string to: type: array items: type: object properties: podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object namespaceSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object namespaces: type: object maxProperties: 1 minProperties: 1 properties: match: type: string enum: - Self sameLabels: type: array items: type: string ipBlock: type: object properties: cidr: type: string format: cidr except: type: array items: type: string format: cidr group: type: string fqdn: type: string serviceAccount: type: object properties: name: type: string namespace: type: string required: - name - namespace nodeSelector: type: object properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: array type: object type: array matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object toServices: type: array items: type: object required: - name - namespace properties: name: type: string namespace: type: string scope: type: string enum: [ 'Cluster', 'ClusterSet' ] name: type: string enableLogging: type: boolean logLabel: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" status: type: object properties: phase: type: string observedGeneration: type: integer currentNodesRealized: type: integer desiredNodesRealized: type: integer conditions: type: array items: type: object properties: type: type: string status: type: string lastTransitionTime: type: string reason: type: string message: type: string subresources: status: { } scope: Cluster names: plural: clusternetworkpolicies singular: clusternetworkpolicy kind: ClusterNetworkPolicy shortNames: - acnp --- # Source: antrea/crds/egress.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: egresses.crd.antrea.io labels: app: antrea spec: group: crd.antrea.io versions: - name: v1beta1 served: true storage: true schema: openAPIV3Schema: type: object required: - spec properties: spec: type: object required: - appliedTo oneOf: - anyOf: - required: - egressIP - required: - externalIPPool - anyOf: - required: - egressIPs - required: - externalIPPools properties: appliedTo: type: object properties: podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: type: object additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" namespaceSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: type: object additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" egressIP: type: string oneOf: - format: ipv4 - format: ipv6 egressIPs: type: array items: type: string oneOf: - maxLength: 0 - format: ipv4 - format: ipv6 externalIPPool: type: string externalIPPools: type: array items: type: string bandwidth: type: object required: - rate - burst properties: rate: type: string burst: type: string status: type: object properties: egressNode: type: string egressIP: type: string conditions: type: array items: type: object properties: type: type: string status: type: string lastTransitionTime: type: string reason: type: string message: type: string additionalPrinterColumns: - description: The effective SNAT IP address for the selected workloads. jsonPath: .status.egressIP name: EgressIP type: string - jsonPath: .metadata.creationTimestamp name: Age type: date - description: The Owner Node of egress IP jsonPath: .status.egressNode name: Node type: string subresources: status: {} scope: Cluster names: plural: egresses singular: egress kind: Egress shortNames: - eg --- # Source: antrea/crds/externalentity.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: externalentities.crd.antrea.io labels: app: antrea spec: group: crd.antrea.io versions: - name: v1alpha2 served: true storage: true schema: openAPIV3Schema: type: object properties: spec: type: object properties: endpoints: type: array items: type: object properties: ip: type: string oneOf: - format: ipv4 - format: ipv6 name: type: string ports: type: array items: type: object properties: protocol: type: string enum: ['TCP', 'UDP', 'SCTP'] port: x-kubernetes-int-or-string: true name: type: string externalNode: type: string scope: Namespaced names: plural: externalentities singular: externalentity kind: ExternalEntity shortNames: - ee --- # Source: antrea/crds/externalippool.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: externalippools.crd.antrea.io labels: app: antrea spec: group: crd.antrea.io versions: - name: v1beta1 served: true storage: true schema: openAPIV3Schema: type: object required: - spec properties: spec: type: object required: - ipRanges - nodeSelector properties: ipRanges: type: array items: type: object oneOf: - required: - cidr - required: - start - end properties: cidr: type: string format: cidr start: type: string oneOf: - format: ipv4 - format: ipv6 end: type: string oneOf: - format: ipv4 - format: ipv6 subnetInfo: type: object required: - gateway - prefixLength properties: gateway: type: string oneOf: - format: ipv4 - format: ipv6 prefixLength: type: integer minimum: 1 maximum: 127 vlan: type: integer minimum: 0 maximum: 4094 nodeSelector: type: object properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: array type: object type: array matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object status: type: object properties: usage: type: object properties: total: type: integer used: type: integer additionalPrinterColumns: - description: The number of total IPs jsonPath: .status.usage.total name: Total type: integer - description: The number of allocated IPs jsonPath: .status.usage.used name: Used type: integer - jsonPath: .metadata.creationTimestamp name: Age type: date subresources: status: { } scope: Cluster names: plural: externalippools singular: externalippool kind: ExternalIPPool shortNames: - eip --- # Source: antrea/crds/externalnode.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: labels: app: antrea name: externalnodes.crd.antrea.io spec: group: crd.antrea.io versions: - name: v1alpha1 schema: openAPIV3Schema: type: object required: - spec properties: spec: type: object required: - interfaces properties: interfaces: type: array minItems: 1 maxItems: 1 required: - ips items: type: object properties: ips: type: array minItems: 1 items: type: string oneOf: - format: ipv4 - format: ipv6 name: type: string served: true storage: true scope: Namespaced names: plural: externalnodes singular: externalnode kind: ExternalNode shortNames: - en --- # Source: antrea/crds/group.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: groups.crd.antrea.io spec: group: crd.antrea.io versions: - name: v1beta1 served: true storage: true schema: openAPIV3Schema: type: object properties: spec: type: object properties: childGroups: type: array items: type: string podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string matchLabels: x-kubernetes-preserve-unknown-fields: true namespaceSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string matchLabels: x-kubernetes-preserve-unknown-fields: true externalEntitySelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string matchLabels: x-kubernetes-preserve-unknown-fields: true ipBlocks: type: array items: type: object properties: cidr: type: string format: cidr except: type: array items: type: string format: cidr serviceReference: type: object properties: name: type: string namespace: type: string status: type: object properties: conditions: type: array items: type: object properties: type: type: string status: type: string lastTransitionTime: type: string subresources: status: { } scope: Namespaced names: plural: groups singular: group kind: Group shortNames: - grp --- # Source: antrea/crds/ippool.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: ippools.crd.antrea.io labels: app: antrea served-by: antrea-controller spec: group: crd.antrea.io versions: - name: v1alpha2 served: true storage: false deprecated: true deprecationWarning: "crd.antrea.io/v1alpha2 IPPool is deprecated; use crd.antrea.io/v1beta1 IPPool" schema: openAPIV3Schema: type: object required: - spec properties: spec: required: - ipVersion - ipRanges type: object properties: ipVersion: type: integer enum: [ 4, 6 ] ipRanges: items: oneOf: - required: - cidr - gateway - prefixLength - required: - start - end - gateway - prefixLength properties: cidr: format: cidr type: string start: oneOf: - format: ipv4 - format: ipv6 type: string end: oneOf: - format: ipv4 - format: ipv6 type: string gateway: oneOf: - format: ipv4 - format: ipv6 type: string prefixLength: type: integer minimum: 1 maximum: 128 vlan: type: integer minimum: 0 maximum: 4094 type: object type: array status: properties: ipAddresses: items: properties: ipAddress: type: string owner: properties: pod: properties: name: type: string namespace: type: string containerID: type: string ifName: type: string type: object statefulSet: properties: name: type: string namespace: type: string index: type: integer type: object type: object phase: type: string type: object type: array usage: properties: used: type: integer total: type: integer type: object type: object additionalPrinterColumns: - description: The number of total IPs jsonPath: .status.usage.total name: Total type: integer - description: The number of allocated IPs jsonPath: .status.usage.used name: Used type: integer - jsonPath: .metadata.creationTimestamp name: Age type: date subresources: status: {} - name: v1beta1 served: true storage: true schema: openAPIV3Schema: type: object required: - spec properties: spec: required: - ipRanges - subnetInfo type: object properties: ipRanges: items: oneOf: - required: - cidr - required: - start - end properties: cidr: format: cidr type: string start: oneOf: - format: ipv4 - format: ipv6 type: string end: oneOf: - format: ipv4 - format: ipv6 type: string type: object type: array subnetInfo: type: object required: - gateway - prefixLength properties: gateway: type: string oneOf: - format: ipv4 - format: ipv6 prefixLength: type: integer minimum: 1 maximum: 127 vlan: type: integer minimum: 0 maximum: 4094 status: properties: ipAddresses: items: properties: ipAddress: type: string owner: properties: pod: properties: name: type: string namespace: type: string containerID: type: string ifName: type: string type: object statefulSet: properties: name: type: string namespace: type: string index: type: integer type: object type: object phase: type: string type: object type: array usage: properties: used: type: integer total: type: integer type: object type: object additionalPrinterColumns: - description: The number of total IPs jsonPath: .status.usage.total name: Total type: integer - description: The number of allocated IPs jsonPath: .status.usage.used name: Used type: integer - jsonPath: .metadata.creationTimestamp name: Age type: date subresources: status: {} conversion: strategy: Webhook webhook: conversionReviewVersions: ["v1", "v1beta1"] clientConfig: service: name: "antrea" namespace: "kube-system" path: "/convert/ippool" scope: Cluster names: plural: ippools singular: ippool kind: IPPool shortNames: - ipp --- # Source: antrea/crds/networkpolicy.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: networkpolicies.crd.antrea.io labels: app: antrea spec: group: crd.antrea.io versions: - name: v1beta1 served: true storage: true additionalPrinterColumns: - name: Tier type: string description: The Tier to which this Antrea NetworkPolicy belongs to. jsonPath: .spec.tier - name: Priority type: number format: float description: The Priority of this Antrea NetworkPolicy relative to other policies. jsonPath: .spec.priority - name: Desired Nodes type: number format: int32 description: The total number of Nodes that should realize the NetworkPolicy. jsonPath: .status.desiredNodesRealized - name: Current Nodes type: number format: int32 description: The number of Nodes that have realized the NetworkPolicy. jsonPath: .status.currentNodesRealized - name: Age type: date jsonPath: .metadata.creationTimestamp schema: openAPIV3Schema: type: object properties: spec: # Ensure that Spec.Priority field is set required: - priority type: object properties: tier: type: string priority: type: number format: float # Ensure that Spec.Priority field is between 1 and 10000 minimum: 1.0 maximum: 10000.0 appliedTo: type: array items: type: object # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field properties: externalEntitySelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object group: type: string ingress: type: array items: type: object required: - action properties: appliedTo: type: array items: type: object # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field properties: podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object group: type: string # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values action: type: string enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] ports: type: array items: type: object properties: protocol: type: string enum: [ 'TCP', 'UDP', 'SCTP' ] port: x-kubernetes-int-or-string: true endPort: type: integer sourcePort: type: integer sourceEndPort: type: integer protocols: type: array items: type: object oneOf: - required: [ icmp ] - required: [ igmp ] properties: icmp: type: object properties: icmpType: type: integer minimum: 0 maximum: 255 icmpCode: type: integer minimum: 0 maximum: 255 igmp: type: object properties: igmpType: type: integer # Only IGMP query (0x11) is valid igmpType in ingress rules. enum: [ 0x11 ] groupAddress: type: string oneOf: - format: ipv4 - format: ipv6 l7Protocols: type: array items: type: object oneOf: - required: [ http ] - required: [ tls ] properties: http: type: object properties: host: type: string method: type: string enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] path: type: string tls: type: object properties: sni: type: string from: type: array items: type: object properties: podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object namespaceSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object externalEntitySelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object ipBlock: type: object properties: cidr: type: string format: cidr except: type: array items: type: string format: cidr nodeSelector: type: object properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: array type: object type: array matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object group: type: string scope: type: string enum: [ 'Cluster', 'ClusterSet' ] name: type: string enableLogging: type: boolean logLabel: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" egress: type: array items: type: object required: - action properties: appliedTo: type: array items: type: object # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field properties: podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object group: type: string # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values action: type: string enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ] ports: type: array items: type: object properties: protocol: type: string enum: [ 'TCP', 'UDP', 'SCTP' ] port: x-kubernetes-int-or-string: true endPort: type: integer sourcePort: type: integer sourceEndPort: type: integer protocols: type: array items: type: object oneOf: - required: [ icmp ] - required: [ igmp ] properties: icmp: type: object properties: icmpType: type: integer minimum: 0 maximum: 255 icmpCode: type: integer minimum: 0 maximum: 255 igmp: type: object properties: igmpType: type: integer # Only IGMP reports are igmpType in egress rules, # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3. # It will match all IGMP report types if igmpType is not set. enum: [ 0x12, 0x16, 0x22 ] groupAddress: type: string oneOf: - format: ipv4 - format: ipv6 l7Protocols: type: array items: type: object oneOf: - required: [ http ] - required: [ tls ] properties: http: type: object properties: host: type: string method: type: string enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ] path: type: string tls: type: object properties: sni: type: string to: type: array items: type: object properties: podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object namespaceSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object externalEntitySelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object ipBlock: type: object properties: cidr: type: string format: cidr except: type: array items: type: string format: cidr fqdn: type: string nodeSelector: type: object properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: array type: object type: array matchLabels: additionalProperties: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: object group: type: string toServices: type: array items: type: object required: - name properties: name: type: string namespace: type: string scope: type: string name: type: string enableLogging: type: boolean logLabel: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$" status: type: object properties: phase: type: string observedGeneration: type: integer currentNodesRealized: type: integer desiredNodesRealized: type: integer conditions: type: array items: type: object properties: type: type: string status: type: string lastTransitionTime: type: string reason: type: string message: type: string subresources: status: { } scope: Namespaced names: plural: networkpolicies singular: networkpolicy kind: NetworkPolicy shortNames: - annp # Deprecated shortName and shall be removed in Antrea v1.14.0 - anp --- # Source: antrea/crds/nodelatencymonitor.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: nodelatencymonitors.crd.antrea.io spec: group: crd.antrea.io versions: - name: v1alpha1 served: true storage: true schema: openAPIV3Schema: type: object required: - spec properties: spec: type: object required: - pingIntervalSeconds properties: pingIntervalSeconds: type: integer format: int32 minimum: 1 description: "Ping interval in seconds, must be at least 1." default: 60 metadata: type: object properties: name: type: string pattern: '^default$' additionalPrinterColumns: - description: Specifies the interval between pings. jsonPath: .spec.pingIntervalSeconds name: PingIntervalSeconds type: string - jsonPath: .metadata.creationTimestamp name: Age type: date scope: Cluster names: plural: nodelatencymonitors singular: nodelatencymonitor kind: NodeLatencyMonitor shortNames: - nlm --- # Source: antrea/crds/packetcapture.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: packetcaptures.crd.antrea.io labels: app: antrea spec: group: crd.antrea.io versions: - name: v1alpha1 served: true storage: true additionalPrinterColumns: - jsonPath: .spec.source.pod description: The name of the source Pod. name: Source-Pod type: string priority: 10 - jsonPath: .spec.destination.pod description: The name of the destination Pod. name: Destination-Pod type: string priority: 10 - jsonPath: .spec.source.ip description: The IP address of the source. name: Source-IP type: string priority: 10 - jsonPath: .spec.destination.ip description: The IP address of the destination. name: Destination-IP type: string priority: 10 - jsonPath: .spec.timeout description: Timeout in seconds. name: Timeout type: integer priority: 10 - jsonPath: .metadata.creationTimestamp name: Age type: date schema: openAPIV3Schema: type: object required: - spec properties: spec: type: object required: - source - captureConfig - destination anyOf: - properties: source: required: [pod] - properties: destination: required: [pod] properties: source: type: object oneOf: - required: - pod - required: - ip properties: pod: type: object required: - name properties: namespace: type: string default: default name: type: string ip: type: string format: ipv4 destination: type: object oneOf: - required: - pod - required: - ip properties: pod: type: object required: - name properties: namespace: type: string default: default name: type: string ip: type: string format: ipv4 packet: type: object properties: ipFamily: type: string enum: [IPv4] default: IPv4 protocol: x-kubernetes-int-or-string: true transportHeader: type: object properties: udp: type: object properties: srcPort: type: integer minimum: 1 maximum: 65535 dstPort: type: integer minimum: 1 maximum: 65535 tcp: type: object properties: srcPort: type: integer minimum: 1 maximum: 65535 dstPort: type: integer minimum: 1 maximum: 65535 timeout: type: integer minimum: 1 maximum: 300 default: 60 captureConfig: type: object oneOf: - required: - firstN properties: firstN: type: object required: - number properties: number: type: integer format: int32 fileServer: type: object properties: url: type: string pattern: 'sftp:\/\/[\w-_./]+:\d+' status: type: object properties: numberCaptured: type: integer filePath: type: string conditions: type: array items: type: object properties: type: type: string status: type: string lastTransitionTime: type: string reason: type: string message: type: string subresources: status: {} scope: Cluster names: plural: packetcaptures singular: packetcapture kind: PacketCapture shortNames: - pcap --- # Source: antrea/crds/supportbundlecollection.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: supportbundlecollections.crd.antrea.io spec: group: crd.antrea.io versions: - name: v1alpha1 served: true storage: true schema: openAPIV3Schema: type: object properties: spec: type: object required: - fileServer - authentication anyOf: - required: - nodes - required: - externalNodes properties: nodes: type: object properties: nodeNames: type: array items: type: string nodeSelector: type: object properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true externalNodes: type: object required: - namespace properties: namespace: type: string nodeNames: type: array items: type: string nodeSelector: type: object properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true expirationMinutes: type: integer default: 60 sinceTime: type: string format: duration fileServer: type: object properties: url: type: string authentication: type: object properties: authType: type: string enum: ["BearerToken", "APIKey", "BasicAuthentication"] authSecret: type: object properties: name: type: string namespace: type: string status: type: object properties: collectedNodes: type: integer desiredNodes: type: integer conditions: type: array items: type: object properties: type: type: string status: type: string lastTransitionTime: type: string reason: type: string message: type: string subresources: status: {} scope: Cluster names: plural: supportbundlecollections singular: supportbundlecollection kind: SupportBundleCollection shortNames: - sbc --- # Source: antrea/crds/tier.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: tiers.crd.antrea.io labels: app: antrea spec: group: crd.antrea.io versions: - name: v1beta1 served: true storage: true additionalPrinterColumns: - name: Priority type: integer description: The Priority of this Tier relative to other Tiers. jsonPath: .spec.priority - name: Age type: date jsonPath: .metadata.creationTimestamp schema: openAPIV3Schema: type: object properties: spec: required: - priority type: object properties: priority: type: integer minimum: 0 maximum: 255 description: type: string scope: Cluster names: plural: tiers singular: tier kind: Tier shortNames: - tr --- # Source: antrea/crds/traceflow.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: traceflows.crd.antrea.io labels: app: antrea spec: group: crd.antrea.io versions: - name: v1beta1 served: true storage: true additionalPrinterColumns: - jsonPath: .status.phase description: The phase of the Traceflow. name: Phase type: string - jsonPath: .spec.source.pod description: The name of the source Pod. name: Source-Pod type: string priority: 10 - jsonPath: .spec.destination.pod description: The name of the destination Pod. name: Destination-Pod type: string priority: 10 - jsonPath: .spec.destination.ip description: The IP address of the destination. name: Destination-IP type: string priority: 10 - jsonPath: .spec.liveTraffic description: Trace live traffic. name: Live-Traffic type: boolean priority: 10 - jsonPath: .spec.droppedOnly description: Capture only the dropped packet. name: Dropped-Only type: boolean priority: 10 - jsonPath: .spec.timeout description: Timeout in seconds. name: Timeout type: integer priority: 10 - jsonPath: .metadata.creationTimestamp name: Age type: date schema: openAPIV3Schema: type: object required: - spec properties: spec: type: object properties: source: type: object properties: pod: type: string namespace: type: string ip: type: string oneOf: - format: ipv4 - format: ipv6 destination: type: object properties: pod: type: string service: type: string namespace: type: string ip: type: string oneOf: - format: ipv4 - format: ipv6 packet: type: object properties: ipHeader: type: object properties: protocol: type: integer minimum: 0 maximum: 255 ttl: type: integer minimum: 0 maximum: 255 flags: type: integer minimum: 0 maximum: 7 ipv6Header: type: object properties: nextHeader: type: integer minimum: 0 maximum: 65535 hopLimit: type: integer minimum: 0 maximum: 65535 transportHeader: type: object properties: icmp: type: object properties: id: type: integer minimum: 0 maximum: 65535 sequence: type: integer minimum: 0 maximum: 65535 udp: type: object properties: srcPort: type: integer minimum: 1 maximum: 65535 dstPort: type: integer minimum: 1 maximum: 65535 tcp: type: object properties: srcPort: type: integer minimum: 1 maximum: 65535 dstPort: type: integer minimum: 1 maximum: 65535 flags: type: integer minimum: 0 maximum: 255 liveTraffic: type: boolean droppedOnly: type: boolean timeout: type: integer minimum: 1 maximum: 300 status: type: object properties: reason: type: string dataplaneTag: type: integer phase: type: string startTime: type: string results: type: array items: type: object properties: node: type: string role: type: string timestamp: type: integer observations: type: array items: type: object properties: component: type: string componentInfo: type: string action: type: string pod: type: string dstMAC: type: string networkPolicy: type: string networkPolicyRule: type: string ttl: type: integer minimum: 0 maximum: 255 translatedSrcIP: type: string translatedDstIP: type: string tunnelDstIP: type: string egressIP: type: string egress: type: string egressNode: type: string srcPodIP: type: string capturedPacket: properties: srcIP: type: string dstIP: type: string length: type: integer minimum: 0 maximum: 65535 ipHeader: properties: flags: type: integer minimum: 0 maximum: 7 protocol: type: integer minimum: 0 maximum: 255 ttl: type: integer minimum: 0 maximum: 255 type: object ipv6Header: properties: hopLimit: type: integer minimum: 0 maximum: 65535 nextHeader: type: integer minimum: 0 maximum: 65535 type: object transportHeader: properties: tcp: properties: dstPort: type: integer minimum: 1 maximum: 65535 srcPort: type: integer minimum: 1 maximum: 65535 flags: type: integer minimum: 0 maximum: 255 type: object udp: properties: dstPort: type: integer minimum: 1 maximum: 65535 srcPort: type: integer minimum: 1 maximum: 65535 type: object icmp: properties: id: type: integer minimum: 0 maximum: 65535 sequence: type: integer minimum: 0 maximum: 65535 type: object type: object type: object subresources: status: {} scope: Cluster names: plural: traceflows singular: traceflow kind: Traceflow shortNames: - tf --- # Source: antrea/crds/trafficcontrol.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: trafficcontrols.crd.antrea.io spec: group: crd.antrea.io versions: - name: v1alpha2 served: true storage: true schema: openAPIV3Schema: type: object required: - spec properties: spec: type: object required: - appliedTo - direction - action - targetPort properties: appliedTo: type: object properties: podSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: x-kubernetes-preserve-unknown-fields: true namespaceSelector: type: object properties: matchExpressions: type: array items: type: object properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: x-kubernetes-preserve-unknown-fields: true direction: type: string enum: - Ingress - Egress - Both action: type: string enum: - Mirror - Redirect targetPort: type: object oneOf: - required: [ovsInternal] - required: [device] - required: [geneve] - required: [vxlan] - required: [gre] - required: [erspan] properties: ovsInternal: type: object required: - name properties: name: type: string device: type: object required: - name properties: name: type: string geneve: type: object required: - remoteIP properties: remoteIP: type: string oneOf: - format: ipv4 - format: ipv6 vni: type: integer minimum: 0 maximum: 16777215 destinationPort: type: integer minimum: 1 maximum: 65535 vxlan: type: object required: - remoteIP properties: remoteIP: type: string oneOf: - format: ipv4 - format: ipv6 vni: type: integer minimum: 0 maximum: 16777215 destinationPort: type: integer minimum: 1 maximum: 65535 gre: type: object required: - remoteIP properties: remoteIP: type: string oneOf: - format: ipv4 - format: ipv6 key: type: integer minimum: 0 maximum: 4294967295 erspan: type: object required: - remoteIP - version properties: remoteIP: type: string oneOf: - format: ipv4 - format: ipv6 sessionID: type: integer minimum: 0 maximum: 1023 version: type: integer enum: - 1 - 2 index: type: integer dir: type: integer enum: - 0 - 1 hardwareID: type: integer returnPort: type: object oneOf: - required: [ovsInternal] - required: [device] - required: [geneve] - required: [vxlan] - required: [gre] properties: ovsInternal: type: object required: - name properties: name: type: string device: type: object required: - name properties: name: type: string geneve: type: object required: - remoteIP properties: remoteIP: type: string oneOf: - format: ipv4 - format: ipv6 vni: type: integer minimum: 0 maximum: 16777215 destinationPort: type: integer minimum: 1 maximum: 65535 vxlan: type: object required: - remoteIP properties: remoteIP: type: string oneOf: - format: ipv4 - format: ipv6 vni: type: integer minimum: 0 maximum: 16777215 destinationPort: type: integer minimum: 1 maximum: 65535 gre: type: object required: - remoteIP properties: remoteIP: type: string oneOf: - format: ipv4 - format: ipv6 key: type: integer minimum: 0 maximum: 4294967295 additionalPrinterColumns: - description: Specifies the direction of traffic that should be matched. jsonPath: .spec.direction name: Direction type: string - description: Specifies the action that should be taken for the traffic. jsonPath: .spec.action name: Action type: string - jsonPath: .metadata.creationTimestamp name: Age type: date subresources: status: {} scope: Cluster names: plural: trafficcontrols singular: trafficcontrol kind: TrafficControl shortNames: - tc --- # Source: antrea/templates/agent/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: antrea-agent namespace: kube-system labels: app: antrea --- # Source: antrea/templates/antctl/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: antctl namespace: kube-system labels: app: antrea --- # Source: antrea/templates/controller/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: antrea-controller namespace: kube-system labels: app: antrea --- # Source: antrea/templates/agent/secret.yaml apiVersion: v1 kind: Secret metadata: name: antrea-agent-service-account-token namespace: kube-system annotations: kubernetes.io/service-account.name: antrea-agent type: kubernetes.io/service-account-token --- # Source: antrea/templates/antctl/secret.yaml apiVersion: v1 kind: Secret metadata: name: antctl-service-account-token namespace: kube-system annotations: kubernetes.io/service-account.name: antctl type: kubernetes.io/service-account-token --- # Source: antrea/templates/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: antrea-config namespace: kube-system labels: app: antrea data: antrea-agent.conf: | # FeatureGates is a map of feature names to bools that enable or disable experimental features. featureGates: # AllAlpha is a global toggle for alpha features. Per-feature key values override the default set by AllAlpha. # AllAlpha: false # AllBeta is a global toggle for beta features. Per-feature key values override the default set by AllBeta. # AllBeta: false # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on # Service traffic. Note that this feature gate is deprecated since this feature was # promoted to GA in v1.14. # AntreaProxy: true # Enable TopologyAwareHints in AntreaProxy. This requires AntreaProxy and EndpointSlice to be # enabled, otherwise this flag will not take effect. # TopologyAwareHints: true # Enable ServiceTrafficDistribution in AntreaProxy. This requires AntreaProxy and EndpointSlice to be # enabled, otherwise this flag will not take effect. # ServiceTrafficDistribution: true # Enable support for cleaning up stale UDP Service conntrack connections in AntreaProxy. This requires AntreaProxy to # be enabled, otherwise this flag will not take effect. # CleanupStaleUDPSvcConntrack: true # Enable Traceflow which provides packet tracing feature to diagnose network issue. # Traceflow: true # Enable PacketCapture feature which supports capturing packets to diagnose network issues. # PacketCapture: false # Enable NodePortLocal feature to make the Pods reachable externally through NodePort # NodePortLocal: true # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy # feature that supports priorities, rule actions and externalEntities in the future. # AntreaPolicy: true # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each # agent to a configured collector. # FlowExporter: false # Enable collecting and exposing NetworkPolicy statistics. # NetworkPolicyStats: true # Enable controlling SNAT IPs of Pod egress traffic. # Egress: true # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for # IPAM when configuring secondary network interfaces with Multus. # AntreaIPAM: false # Enable multicast traffic. # Multicast: true # Enable Antrea Multi-cluster features. # Multicluster: false # Enable support for provisioning secondary network interfaces for Pods (using # Pod annotations). At the moment, Antrea can create secondary network # interfaces either using SR-IOV VFs on bare-metal Nodes or veth interfaces # bridged to the underlay network, with or without VLAN tagging. # SecondaryNetwork: false # Enable managing external IPs of Services of LoadBalancer type. # ServiceExternalIP: false # Enable mirroring or redirecting the traffic Pods send or receive. # TrafficControl: false # Enable certificate-based authentication for IPSec tunnel. # IPsecCertAuth: false # Enable collecting support bundle files with SupportBundleCollection CRD. # SupportBundleCollection: false # Enable users to protect their applications by specifying how they are allowed to communicate with others, taking # into account application context. # L7NetworkPolicy: false # Allow users to specify the load balancer mode as DSR (Direct Server Return). # LoadBalancerModeDSR: false # Enable Egress traffic shaping. # EgressTrafficShaping: false # Allow users to allocate Egress IPs from a different subnet from the default Node subnet. # EgressSeparateSubnet: false # Allow users to apply ClusterNetworkPolicy to Kubernetes Nodes. # NodeNetworkPolicy: false # Enable L7FlowExporter on Pods and Namespaces to export the application layer flows such as HTTP flows. # L7FlowExporter: false # Enable NodeLatencyMonitor to monitor the latency between Nodes. # NodeLatencyMonitor: false # Allow users to initiate BGP process on selected Kubernetes Nodes and advertise Service IPs, Pod IPs and Egress IPs to # remote BGP peers. # BGPPolicy: false # Name of the OpenVSwitch bridge antrea-agent will create and use. # Make sure it doesn't conflict with your existing OpenVSwitch bridges. ovsBridge: "br-int" # Datapath type to use for the OpenVSwitch bridge created by Antrea. At the moment, the only # supported value is 'system', which corresponds to the kernel datapath. #ovsDatapathType: system # Name of the interface antrea-agent will create and use for host <--> pod communication. # Make sure it doesn't conflict with your existing interfaces. hostGateway: "antrea-gw0" # Determines how traffic is encapsulated. It has the following options: # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network # traffic is SNAT'd. # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is # SNAT'd if noSNAT is not set to true. Underlying network must be capable of # supporting Pod traffic across IP subnets. # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod # IPAM and connectivity to the primary CNI. # trafficEncapMode: "encap" # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never # performs SNAT and this option will be ignored; for other modes it must be set to false. noSNAT: false # Fully randomize source port mapping in SNAT rules used for egress traffic from Pods to the # external network. snatFullyRandomPorts: false # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, # this option will not take effect. Supported values: # - geneve (default) # - vxlan # - gre # - stt # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). tunnelType: "geneve" # TunnelPort is the destination port for UDP and TCP based tunnel protocols (Geneve, VXLAN, and STT). # If zero, it will use the assigned IANA port for the protocol, i.e. 6081 for Geneve, 4789 for VXLAN, # and 7471 for STT. tunnelPort: 0 # TunnelCsum determines whether to compute UDP encapsulation header (Geneve or VXLAN) checksums on outgoing # packets. For Linux kernel before Mar 2021, UDP checksum must be present to trigger GRO on the receiver for better # performance of Geneve and VXLAN tunnels. The issue has been fixed by # https://github.com/torvalds/linux/commit/89e5c58fc1e2857ccdaae506fb8bc5fed57ee063, thus computing UDP checksum is # no longer necessary. # It should only be set to true when you are using an unpatched Linux kernel and observing poor transfer performance. tunnelCsum: false # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. # It has the following options: # - none (default): Inter-node Pod traffic will not be encrypted. # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, # the PSK value must be passed to Antrea Agent through an environment # variable: ANTREA_IPSEC_PSK. # - wireGuard: Enable WireGuard for tunnel traffic encryption. trafficEncryptionMode: "none" # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the # underlay network. # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. enableBridgingMode: false # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. # It affects Pods running on Linux Nodes only. disableTXChecksumOffload: false # Default MTU to use for the host gateway interface and the network interface of each Pod. # If omitted, antrea-agent will discover the MTU of the Node's primary interface and # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). # If the MTU is updated, the new value will only be applied to new workloads. defaultMTU: 0 # packetInRate defines the OVS controller packet rate limits for different # features. All features will apply this rate-limit individually on packet-in # messages sent to antrea-agent. The number stands for the rate as packets per # second(pps) and the burst size will be automatically set to twice the rate. # When the rate and burst size are exceeded, new packets will be dropped. packetInRate: 500 # wireGuard specifies WireGuard related configurations. wireGuard: # The port for WireGuard to receive traffic. port: 51820 egress: # exceptCIDRs is a list of CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses, e.g. # ["192.168.0.0/16", "172.16.0.0/12"]. exceptCIDRs: # The maximum number of Egress IPs that can be assigned to a Node. It's useful when the Node network restricts # the number of secondary IPs a Node can have, e.g. EKS. It must not be greater than 255. maxEgressIPsPerNode: 255 # Fully randomize source port mapping in Egress SNAT rules. This has no impact on the default SNAT # rules enforced by each Node for local Pod traffic. By default, we use the same value as for the # top-level snatFullyRandomPorts configuration, but this field can be used as an override. snatFullyRandomPorts: # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. serviceCIDR: "" # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. # No default value for this field. serviceCIDRv6: "" # The port for the antrea-agent APIServer to serve on. # Note that if it's set to another value, the `containerPort` of the `api` port of the # `antrea-agent` container must be set to the same value. apiPort: 10350 # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. enablePrometheusMetrics: true flowExporter: # Enable FlowExporter, a feature used to export polled conntrack connections as # IPFIX flow records from each agent to a configured collector. To enable this # feature, you need to set "enable" to true, and ensure that the FlowExporter # feature gate is also enabled. enable: false # Provide the IPFIX collector address as a string with format :[][:]. # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be # wrapped with []. When the collector is running in-cluster as a Service, set # to /. For example, # "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea # Flow Aggregator Service. # If PORT is empty, we default to 4739, the standard IPFIX port. # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and # "udp" protocols. "tls" is used for securing communication between flow exporter and # flow aggregator. flowCollectorAddr: "flow-aggregator/flow-aggregator:4739:tls" # Provide flow poll interval as a duration string. This determines how often the # flow exporter dumps connections from the conntrack module. Flow poll interval # should be greater than or equal to 1s (one second). # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". flowPollInterval: "5s" # Provide the active flow export timeout, which is the timeout after which a flow # record is sent to the collector for active flows. Thus, for flows with a continuous # stream of packets, a flow record will be exported to the collector once the elapsed # time since the last export event is equal to the value of this timeout. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". activeFlowExportTimeout: "5s" # Provide the idle flow export timeout, which is the timeout after which a flow # record is sent to the collector for idle flows. A flow is considered idle if no # packet matching this flow has been observed since the last export event. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". idleFlowExportTimeout: "15s" nodePortLocal: # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To # enable this feature, you need to set "enable" to true. enable: false # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port # from that range will be assigned whenever a Pod's container defines a specific port to be exposed # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic # directed to that port will be forwarded to the Pod. portRange: "61000-62000" # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or # InClusterConfig. It is typically used when kube-proxy is not deployed (replaced by AntreaProxy). # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. kubeAPIServerOverride: "" # Provide the address of DNS server, to override the kube-dns Service. It's used to resolve # hostnames in a FQDN policy. # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, # 10.96.0.10:53, [fd00:10:96::a]:53). dnsServerOverride: "" # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. # https://golang.org/pkg/crypto/tls/#pkg-constants # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always # prefer TLS1.3 Cipher Suites whenever possible. tlsCipherSuites: "" # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. tlsMinVersion: "" # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. # If there are multiple IP addresses configured on the interface, the first one is used. The IP # address used for tunneling or routing traffic to remote Nodes is decided in the following order of # preference (from highest to lowest): # 1. transportInterface # 2. transportInterfaceCIDRs # 3. The Node IP transportInterface: "" multicast: # To enable Multicast, you need to set "enable" to true, and ensure that the # Multicast feature gate is also enabled (which is the default). enable: false # The names of the interfaces on Nodes that are used to forward multicast traffic. # Defaults to transport interface if not set. multicastInterfaces: # The versions of IGMP queries antrea-agent sends to Pods. # Valid versions are 1, 2 and 3. igmpQueryVersions: - 1 - 2 - 3 # The interval at which the antrea-agent sends IGMP queries to Pods. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". igmpQueryInterval: "125s" # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of # preference (from highest to lowest): # 1. transportInterface # 2. transportInterfaceCIDRs # 3. The Node IP transportInterfaceCIDRs: # Option antreaProxy contains AntreaProxy related configuration options. antreaProxy: # To disable AntreaProxy, set this to false. enable: true # proxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, # regardless of where they come from. Therefore, running kube-proxy is no longer required. # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access # apiserver directly. proxyAll: false # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. # Note that the option is only valid when proxyAll is true. nodePortAddresses: # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name # with Namespace (e.g. kube-system/kube-dns) skipServices: # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when proxyAll is set to true and # kube-proxy is removed from the cluster, otherwise kube-proxy will still load-balance this traffic. proxyLoadBalancerIPs: true # The value of the "service.kubernetes.io/service-proxy-name" label for AntreaProxy to match. If it is set, # then AntreaProxy will only handle Services with the label that equals the provided value. If it is not set, # then AntreaProxy will only handle Services without the "service.kubernetes.io/service-proxy-name" label, # but ignore Services with the label no matter what is the value. serviceProxyName: "" # Determines how external traffic is processed when it's load balanced across Nodes by default. # It has the following options: # - nat (default): External traffic is SNAT'd when it's load balanced across Nodes to ensure symmetric path. # - dsr: External traffic is never SNAT'd. Backend Pods running on Nodes that are not the ingress Node # can reply to clients directly, bypassing the ingress Node. # A Service's load balancer mode can be overridden by annotating it with `service.antrea.io/load-balancer-mode`. defaultLoadBalancerMode: "nat" # IPsec tunnel related configurations. ipsec: # The authentication mode of IPsec tunnel. It has the following options: # - psk (default): Use pre-shared key (PSK) for IKE authentication. # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` # feature gate to be enabled. authenticationMode: "psk" multicluster: # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. # This feature is supported only with encap mode. enableGateway: false # The Namespace where Antrea Multi-cluster Controller is running. # The default is antrea-agent's Namespace. namespace: "" # Enable Multi-cluster NetworkPolicy (ingress rules). # Multi-cluster Gateway must be enabled to enable StretchedNetworkPolicy. enableStretchedNetworkPolicy: false # Enable Pod to Pod connectivity. enablePodToPodConnectivity: false # Determines how cross-cluster traffic is encrypted. # It has the following options: # - none (default): Cross-cluster traffic will not be encrypted. # - wireGuard: Use WireGuard to encrypt traffic. trafficEncryptionMode: "none" # WireGuard tunnel configuration for cross-cluster traffic. # It only works when multicluster.trafficEncryptionMode is wireGuard. wireGuard: # WireGuard tunnel port for cross-cluster traffic. port: 51821 # Log rotation configuration for audit logs. auditLogging: # MaxSize is the maximum size in MB of a log file before it gets rotated. maxSize: 500 # MaxBackups is the maximum number of old log files to retain. If set to 0, # all log files will be retained (unless MaxAge causes them to be deleted). maxBackups: 3 # MaxAge is the maximum number of days to retain old log files based on the # timestamp encoded in their filename. If set to 0, old log files are not # removed based on age. maxAge: 28 # Compress enables gzip compression on rotated files. compress: true # SecondaryNetwork related configurations. secondaryNetwork: # Configuration of OVS bridges for secondary network. At the moment, at # most one OVS bridge can be specified. If the specified bridge does not exist # on the Node, antrea-agent will create it based on the configuration. # The following configuration specifies an OVS bridge with name "br1" and a # physical interface "eth1": # [{bridgeName: "br1", physicalInterfaces: ["eth1"]}] ovsBridges: antrea-cni.conflist: | { "cniVersion":"0.3.0", "name": "antrea", "plugins": [ { "type": "antrea", "ipam": { "type": "host-local" } } , { "type": "portmap", "capabilities": {"portMappings": true} } , { "type": "bandwidth", "capabilities": {"bandwidth": true} } ] } antrea-controller.conf: | # FeatureGates is a map of feature names to bools that enable or disable experimental features. featureGates: # AllAlpha is a global toggle for alpha features. Per-feature key values override the default set by AllAlpha. # AllAlpha: false # AllBeta is a global toggle for beta features. Per-feature key values override the default set by AllBeta. # AllBeta: false # Enable traceflow which provides packet tracing feature to diagnose network issue. # Traceflow: true # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy # feature that supports priorities, ExternalEntities, FQDN rules and more. # AntreaPolicy: true # Enable collecting and exposing NetworkPolicy statistics. # NetworkPolicyStats: true # Enable multicast traffic. # Multicast: true # Enable controlling SNAT IPs of Pod egress traffic. # Egress: true # Run Kubernetes NodeIPAMController with Antrea. # NodeIPAM: true # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for # IPAM when configuring secondary network interfaces with Multus. # AntreaIPAM: false # Enable managing external IPs of Services of LoadBalancer type. # ServiceExternalIP: false # Enable certificate-based authentication for IPSec tunnel. # IPsecCertAuth: false # Enable managing ExternalNode for unmanaged VM/BM. # ExternalNode: false # Enable collecting support bundle files with SupportBundleCollection CRD. # SupportBundleCollection: false # Enable Antrea Multi-cluster features. # Multicluster: false # Enable users to protect their applications by specifying how they are allowed to communicate with others, taking # into account application context. # L7NetworkPolicy: false # Enable the use of Network Policy APIs (https://network-policy-api.sigs.k8s.io/api-overview) which helps administrators # set security postures for their clusters. # AdminNetworkPolicy: false # The port for the antrea-controller APIServer to serve on. # Note that if it's set to another value, the `containerPort` of the `api` port of the # `antrea-controller` container must be set to the same value. apiPort: 10349 # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. enablePrometheusMetrics: true # Indicates whether to use auto-generated self-signed TLS certificate. # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: # ca.crt: # tls.crt: # tls.key: selfSignedCert: true # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. # https://golang.org/pkg/crypto/tls/#pkg-constants # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always # prefer TLS1.3 Cipher Suites whenever possible. tlsCipherSuites: "" # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. tlsMinVersion: "" # File path of the certificate bundle for all the signers that is recognized for incoming client # certificates. clientCAFile: "" # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. # It is typically used when kube-proxy is not deployed (replaced by AntreaProxy) and kube-controller-manager # does not run NodeIPAMController (replaced by Antrea NodeIPAM). # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. kubeAPIServerOverride: "" nodeIPAM: # Enable the integrated Node IPAM controller within the Antrea controller. enableNodeIPAM: false # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. # Value ignored when enableNodeIPAM is false. clusterCIDRs: # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. # Value ignored when enableNodeIPAM is false. serviceCIDR: "" serviceCIDRv6: "" # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. nodeCIDRMaskSizeIPv4: 24 # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. nodeCIDRMaskSizeIPv6: 64 ipsecCSRSigner: # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, # the Pod identity will also be validated to provide maximum security. # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved # manually by `kubectl certificate approve`. autoApprove: true # Indicates whether to use auto-generated self-signed CA certificate. # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: # tls.crt: # tls.key: selfSignedCA: true multicluster: # Enable Multi-cluster NetworkPolicy. enableStretchedNetworkPolicy: false --- # Source: antrea/templates/agent/clusterrole.yaml kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: antrea-agent labels: app: antrea rules: - apiGroups: - stats.antrea.io resources: - nodelatencystats verbs: - create - apiGroups: - "" resources: - nodes verbs: - get - watch - list - apiGroups: - "" resources: - nodes/status verbs: - patch - apiGroups: - "" resources: - pods verbs: - get - watch - list - apiGroups: - "" resources: - pods/status verbs: - patch - apiGroups: - "" resources: - endpoints - services - namespaces verbs: - get - watch - list - apiGroups: - discovery.k8s.io resources: - endpointslices verbs: - get - watch - list - apiGroups: - crd.antrea.io resources: - antreaagentinfos verbs: - get - update - apiGroups: - controlplane.antrea.io resources: - networkpolicies - appliedtogroups - addressgroups verbs: - get - watch - list - apiGroups: - controlplane.antrea.io resources: - egressgroups verbs: - get - watch - list - apiGroups: - controlplane.antrea.io resources: - nodestatssummaries verbs: - create - apiGroups: - controlplane.antrea.io resources: - networkpolicies/status verbs: - create - get - apiGroups: - controlplane.antrea.io resources: - supportbundlecollections verbs: - get - watch - list - apiGroups: - controlplane.antrea.io resources: - supportbundlecollections/status verbs: - create - apiGroups: - authentication.k8s.io resources: - tokenreviews verbs: - create - apiGroups: - authorization.k8s.io resources: - subjectaccessreviews verbs: - create # This is the content of built-in role kube-system/extension-apiserver-authentication-reader. # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-agent) will # have permission issue after bumping up apiserver library to a version that supports dynamic authentication. # See https://github.com/kubernetes/kubernetes/pull/85375 # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on # the extension-apiserver-authentication role. - apiGroups: - "" resourceNames: - extension-apiserver-authentication resources: - configmaps verbs: - get - list - watch - apiGroups: - "" resources: - configmaps resourceNames: - antrea-ca verbs: - get - watch - list - apiGroups: - crd.antrea.io resources: - traceflows - traceflows/status verbs: - get - watch - list - update - patch - create - delete - apiGroups: - crd.antrea.io resources: - packetcaptures verbs: - get - watch - list - apiGroups: - crd.antrea.io resources: - packetcaptures/status verbs: - update - apiGroups: - crd.antrea.io resources: - egresses verbs: - get - watch - list - apiGroups: - crd.antrea.io resources: - egresses/status verbs: - update - apiGroups: - crd.antrea.io resources: - bgppolicies - externalippools - ippools - trafficcontrols - nodelatencymonitors verbs: - get - watch - list - apiGroups: - crd.antrea.io resources: - ippools/status verbs: - update - apiGroups: - k8s.cni.cncf.io resources: - network-attachment-definitions verbs: - get - list - watch - apiGroups: - certificates.k8s.io resources: - certificatesigningrequests verbs: - get - watch - list - create - apiGroups: - multicluster.crd.antrea.io resources: - gateways verbs: - get - list - watch - patch - apiGroups: - multicluster.crd.antrea.io resources: - clusterinfoimports - labelidentities verbs: - get - list - watch - apiGroups: - "" resources: - events verbs: - create - patch - update - apiGroups: - "" resources: - secrets resourceNames: - antrea-bgp-passwords - antrea-packetcapture-fileserver-auth verbs: - get - list - watch --- # Source: antrea/templates/antctl/clusterrole.yaml kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: antctl labels: app: antrea rules: - apiGroups: - controlplane.antrea.io resources: - networkpolicies - appliedtogroups - addressgroups verbs: - get - list - apiGroups: - controlplane.antrea.io resources: - networkpolicyevaluation verbs: - create - apiGroups: - stats.antrea.io resources: - networkpolicystats - antreaclusternetworkpolicystats - antreanetworkpolicystats verbs: - get - list - apiGroups: - system.antrea.io resources: - controllerinfos verbs: - get - apiGroups: - system.antrea.io resources: - supportbundles verbs: - create - get - apiGroups: - system.antrea.io resources: - supportbundles/download verbs: - get - nonResourceURLs: - /agentinfo - /addressgroups - /appliedtogroups - /loglevel - /networkpolicies - /ovsflows - /ovstracing - /podinterfaces - /featuregates - /serviceexternalip - /metrics - /debug/pprof - /debug/pprof/* verbs: - get - apiGroups: - crd.antrea.io resources: - antreacontrollerinfos - antreaagentinfos verbs: - get - list - apiGroups: - "" resources: - pods verbs: - list - apiGroups: - "" resources: - nodes verbs: - get - list - apiGroups: - apps resources: - daemonsets - deployments - replicasets verbs: - list - apiGroups: - "" resources: - configmaps resourceNames: - antrea-config - antrea-ca - antrea-ipsec-ca - antrea-cluster-identity verbs: - get --- # Source: antrea/templates/cluster-identity-reader/clusterrolebinding.yaml kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: antrea-cluster-identity-reader labels: app: antrea rules: - apiGroups: - "" resources: - configmaps resourceNames: - antrea-cluster-identity verbs: - get --- # Source: antrea/templates/controller/clusterrole.yaml kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: antrea-controller labels: app: antrea rules: - apiGroups: - "" resources: - pods - services - namespaces - configmaps verbs: - get - watch - list - apiGroups: - "" resources: - nodes verbs: - get - watch - list - patch - apiGroups: - "" resources: - services/status verbs: - update - apiGroups: - networking.k8s.io resources: - networkpolicies verbs: - get - watch - list - apiGroups: - authentication.k8s.io resources: - tokenreviews verbs: - create - apiGroups: - authorization.k8s.io resources: - subjectaccessreviews verbs: - create - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - get - list - update # This is the content of built-in role kube-system/extension-apiserver-authentication-reader. # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-controller) will # have permission issue after bumping up apiserver library to a version that supports dynamic authentication. # See https://github.com/kubernetes/kubernetes/pull/85375 # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on # the extension-apiserver-authentication role. - apiGroups: - "" resourceNames: - extension-apiserver-authentication resources: - configmaps verbs: - get - list - watch - apiGroups: - "" resources: - configmaps resourceNames: - antrea-ca - antrea-ipsec-ca - antrea-cluster-identity verbs: - get - update - apiGroups: - "" resources: - secrets resourceNames: - antrea-controller-tls - antrea-ipsec-ca verbs: - get - update - watch - list - apiGroups: - "" resources: - configmaps - secrets verbs: - create - apiGroups: - apiregistration.k8s.io resources: - apiservices verbs: - list - update - apiGroups: - admissionregistration.k8s.io resources: - mutatingwebhookconfigurations - validatingwebhookconfigurations verbs: - list - update - apiGroups: - certificates.k8s.io resources: - certificatesigningrequests verbs: - get - list - watch - apiGroups: - certificates.k8s.io resources: - certificatesigningrequests/approval - certificatesigningrequests/status verbs: - update - apiGroups: - certificates.k8s.io resources: - signers resourceNames: - antrea.io/antrea-agent-ipsec-tunnel verbs: - approve - sign - apiGroups: - crd.antrea.io resources: - antreacontrollerinfos verbs: - get - create - update - delete - apiGroups: - crd.antrea.io resources: - antreaagentinfos verbs: - list - create - delete - apiGroups: - crd.antrea.io resources: - clusternetworkpolicies - networkpolicies verbs: - get - watch - list - update - patch - create - delete - apiGroups: - crd.antrea.io resources: - clusternetworkpolicies/status - networkpolicies/status verbs: - update - apiGroups: - crd.antrea.io resources: - tiers verbs: - get - watch - list - update - patch - create - delete - apiGroups: - crd.antrea.io resources: - traceflows - traceflows/status verbs: - get - watch - list - update - patch - create - delete - apiGroups: - crd.antrea.io resources: - externalentities - clustergroups - groups verbs: - get - watch - list - update - patch - create - delete - apiGroups: - crd.antrea.io resources: - clustergroups/status - groups/status - egresses/status verbs: - update - apiGroups: - crd.antrea.io resources: - egresses verbs: - get - watch - list - update - patch - apiGroups: - crd.antrea.io resources: - externalippools - ippools verbs: - get - watch - list - apiGroups: - crd.antrea.io resources: - externalippools/status - ippools/status verbs: - update - patch - apiGroups: - crd.antrea.io resources: - externalnodes verbs: - get - watch - list - apiGroups: - apps resources: - statefulsets verbs: - get - list - watch - apiGroups: - crd.antrea.io resources: - supportbundlecollections verbs: - get - watch - list - apiGroups: - crd.antrea.io resources: - supportbundlecollections/status verbs: - update - apiGroups: - multicluster.crd.antrea.io resources: - labelidentities verbs: - get - list - watch - apiGroups: - policy.networking.k8s.io resources: - adminnetworkpolicies - baselineadminnetworkpolicies verbs: - get - list - watch --- # Source: antrea/templates/crds-rbac/clusterroles.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: aggregate-antrea-policies-edit labels: app: antrea # Add these permissions to the "admin" and "edit" default roles. rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" rules: - apiGroups: ["crd.antrea.io"] resources: ["clusternetworkpolicies", "networkpolicies"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] --- # Source: antrea/templates/crds-rbac/clusterroles.yaml kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: aggregate-antrea-policies-view labels: app: antrea # Add these permissions to the "view" default role. rbac.authorization.k8s.io/aggregate-to-view: "true" rules: - apiGroups: ["crd.antrea.io"] resources: ["clusternetworkpolicies", "networkpolicies"] verbs: ["get", "list", "watch"] --- # Source: antrea/templates/crds-rbac/clusterroles.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: aggregate-traceflows-edit labels: app: antrea # Add these permissions to the "admin" and "edit" default roles. rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" rules: - apiGroups: ["crd.antrea.io"] resources: ["traceflows"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] --- # Source: antrea/templates/crds-rbac/clusterroles.yaml kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: aggregate-traceflows-view labels: app: antrea # Add these permissions to the "view" default role. rbac.authorization.k8s.io/aggregate-to-view: "true" rules: - apiGroups: ["crd.antrea.io"] resources: ["traceflows"] verbs: ["get", "list", "watch"] --- # Source: antrea/templates/crds-rbac/clusterroles.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: aggregate-antrea-clustergroups-edit labels: app: antrea # Add these permissions to the "admin" and "edit" default roles. rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" rules: - apiGroups: ["crd.antrea.io"] resources: ["clustergroups"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] --- # Source: antrea/templates/crds-rbac/clusterroles.yaml kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: aggregate-antrea-clustergroups-view labels: app: antrea # Add these permissions to the "view" default role. rbac.authorization.k8s.io/aggregate-to-view: "true" rules: - apiGroups: ["crd.antrea.io"] resources: ["clustergroups"] verbs: ["get", "list", "watch"] --- # Source: antrea/templates/agent/clusterrolebinding.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: antrea-agent labels: app: antrea roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: antrea-agent subjects: - kind: ServiceAccount name: antrea-agent namespace: kube-system --- # Source: antrea/templates/antctl/clusterrolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app: antrea name: antctl roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: antctl subjects: - kind: ServiceAccount name: antctl namespace: kube-system --- # Source: antrea/templates/controller/clusterrolebinding.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: antrea-controller labels: app: antrea roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: antrea-controller subjects: - kind: ServiceAccount name: antrea-controller namespace: kube-system --- # Source: antrea/templates/controller/service.yaml apiVersion: v1 kind: Service metadata: name: antrea namespace: kube-system labels: app: antrea spec: ports: - port: 443 protocol: TCP targetPort: api selector: app: antrea component: antrea-controller --- # Source: antrea/templates/agent/daemonset.yaml apiVersion: apps/v1 kind: DaemonSet metadata: name: antrea-agent namespace: kube-system labels: app: antrea component: antrea-agent spec: selector: matchLabels: app: antrea component: antrea-agent updateStrategy: type: RollingUpdate template: metadata: annotations: # Starting with v1.21, Kubernetes supports default container annotation. # Using "kubectl logs/exec/attach/cp" doesn't have to specify "-c antrea-agent" when troubleshooting. kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments checksum/config: 59fb1ea496577015058d4e99e4f64136aa68d5340db13c00ced565da750a22fc labels: app: antrea component: antrea-agent spec: hostNetwork: true priorityClassName: system-node-critical nodeSelector: kubernetes.io/os: linux tolerations: - key: CriticalAddonsOnly operator: Exists - effect: NoSchedule operator: Exists - effect: NoExecute operator: Exists serviceAccountName: antrea-agent initContainers: - name: install-cni image: "antrea/antrea-agent-ubuntu:latest" imagePullPolicy: IfNotPresent resources: requests: cpu: 100m command: ["install_cni"] securityContext: capabilities: add: - SYS_MODULE env: # SKIP_CNI_BINARIES takes in values as a comma separated list of # binaries that need to be skipped for installation, e.g. "portmap, bandwidth". - name: SKIP_CNI_BINARIES value: "" volumeMounts: - name: antrea-config mountPath: /etc/antrea/antrea-cni.conflist subPath: antrea-cni.conflist readOnly: true - name: host-cni-conf mountPath: /host/etc/cni/net.d - name: host-cni-bin mountPath: /host/opt/cni/bin # For loading the OVS kernel module. - name: host-lib-modules mountPath: /lib/modules readOnly: true # For changing the default permissions of the run directory. - name: host-var-run-antrea mountPath: /var/run/antrea containers: - name: antrea-agent image: "antrea/antrea-agent-ubuntu:latest" imagePullPolicy: IfNotPresent command: ["antrea-agent"] # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).- args: - "--config=/etc/antrea/antrea-agent.conf" - "--logtostderr=false" - "--log_dir=/var/log/antrea" - "--alsologtostderr" - "--log_file_max_size=100" - "--log_file_max_num=4" env: # Provide pod and node information for clusterinformation CRD. - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName resources: requests: cpu: 200m ports: - containerPort: 10350 name: api protocol: TCP livenessProbe: httpGet: host: localhost path: /livez port: api scheme: HTTPS initialDelaySeconds: 10 timeoutSeconds: 5 periodSeconds: 10 failureThreshold: 5 readinessProbe: httpGet: host: localhost path: /readyz port: api scheme: HTTPS initialDelaySeconds: 5 timeoutSeconds: 5 periodSeconds: 10 # In large-scale clusters, it may take up to 40~50 seconds for the antrea-agent to reconnect to the antrea # Service after the antrea-controller restarts. The antrea-agent shouldn't be reported as NotReady in this # scenario, otherwise the DaemonSet controller would restart all agents at once, as opposed to performing a # rolling update. Set failureThreshold to 8 so it can tolerate 70s of disconnection. failureThreshold: 8 securityContext: privileged: true volumeMounts: - name: antrea-config mountPath: /etc/antrea/antrea-agent.conf subPath: antrea-agent.conf readOnly: true - name: host-var-run-antrea mountPath: /var/run/antrea - name: host-var-run-antrea mountPath: /var/run/openvswitch subPath: openvswitch # host-local IPAM stores allocated IP addresses as files in /var/lib/cni/networks/$NETWORK_NAME. # Mount a sub-directory of host-var-run-antrea to it for persistence of IP allocation. - name: host-var-run-antrea mountPath: /var/lib/cni subPath: cni # We need to mount both the /proc directory and the /var/run/netns directory so that # antrea-agent can open the network namespace path when setting up Pod # networking. Different container runtimes may use /proc or /var/run/netns when invoking # the CNI commands. Docker uses /proc and containerd uses /var/run/netns. - name: host-var-log-antrea mountPath: /var/log/antrea - name: host-proc mountPath: /host/proc readOnly: true - name: host-var-run-netns mountPath: /host/var/run/netns readOnly: true # When a container is created, a mount point for the network namespace is added under # /var/run/netns on the host, which needs to be propagated to the antrea-agent container. mountPropagation: HostToContainer - name: xtables-lock mountPath: /run/xtables.lock - name: antrea-ovs image: "antrea/antrea-agent-ubuntu:latest" imagePullPolicy: IfNotPresent resources: requests: cpu: 200m command: ["start_ovs"] args: - "--log_file_max_size=100" - "--log_file_max_num=4" securityContext: capabilities: add: - SYS_NICE - NET_ADMIN - SYS_ADMIN - IPC_LOCK livenessProbe: exec: # docker CRI doesn't honor timeoutSeconds, add "timeout" to the command as a workaround. # https://github.com/kubernetes/kubernetes/issues/51901 command: - /bin/sh - -c - timeout 10 container_liveness_probe ovs initialDelaySeconds: 5 timeoutSeconds: 10 periodSeconds: 10 failureThreshold: 5 volumeMounts: - name: host-var-run-antrea mountPath: /var/run/openvswitch subPath: openvswitch - name: host-var-log-antrea mountPath: /var/log/openvswitch subPath: openvswitch volumes: - name: antrea-config configMap: name: antrea-config - name: host-cni-conf hostPath: path: /etc/cni/net.d - name: host-cni-bin hostPath: path: /opt/cni/bin - name: host-proc hostPath: path: /proc - name: host-var-run-netns hostPath: path: /var/run/netns - name: host-var-run-antrea hostPath: path: /var/run/antrea # we use subPath to create run subdirectories for different component (e.g. OVS) and # subPath requires the base volume to exist type: DirectoryOrCreate - name: host-var-log-antrea hostPath: path: /var/log/antrea # we use subPath to create logging subdirectories for different component (e.g. OVS) type: DirectoryOrCreate - name: host-lib-modules hostPath: path: /lib/modules - name: xtables-lock hostPath: path: /run/xtables.lock type: FileOrCreate --- # Source: antrea/templates/controller/deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: antrea-controller namespace: kube-system labels: app: antrea component: antrea-controller spec: strategy: # Ensure the existing Pod is stopped before the new one is created. type: Recreate selector: matchLabels: app: antrea component: antrea-controller replicas: 1 template: metadata: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments checksum/config: 59fb1ea496577015058d4e99e4f64136aa68d5340db13c00ced565da750a22fc labels: app: antrea component: antrea-controller spec: nodeSelector: kubernetes.io/os: linux hostNetwork: true priorityClassName: system-cluster-critical tolerations: - key: CriticalAddonsOnly operator: Exists - effect: NoSchedule key: node-role.kubernetes.io/master - effect: NoSchedule key: node-role.kubernetes.io/control-plane - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists tolerationSeconds: 0 serviceAccountName: antrea-controller containers: - name: antrea-controller image: "antrea/antrea-controller-ubuntu:latest" imagePullPolicy: IfNotPresent resources: requests: cpu: 200m memory: 100Mi command: ["antrea-controller"] # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work). args: - "--config=/etc/antrea/antrea-controller.conf" - "--logtostderr=false" - "--log_dir=/var/log/antrea" - "--alsologtostderr" - "--log_file_max_size=100" - "--log_file_max_num=4" env: # Provide pod and node information for clusterinformation CRD. - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName # Provide ServiceAccount name for validation webhook. - name: SERVICEACCOUNT_NAME valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: ANTREA_CONFIG_MAP_NAME value: antrea-config ports: - containerPort: 10349 name: api protocol: TCP readinessProbe: httpGet: host: localhost path: /readyz port: api scheme: HTTPS initialDelaySeconds: 5 timeoutSeconds: 5 periodSeconds: 10 failureThreshold: 5 livenessProbe: httpGet: host: localhost path: /livez port: api scheme: HTTPS timeoutSeconds: 5 periodSeconds: 10 failureThreshold: 5 volumeMounts: - name: antrea-config mountPath: /etc/antrea/antrea-controller.conf subPath: antrea-controller.conf readOnly: true - name: antrea-controller-tls mountPath: /var/run/antrea/antrea-controller-tls - name: host-var-log-antrea mountPath: /var/log/antrea volumes: - name: antrea-config configMap: name: antrea-config # Make it optional as we only read it when selfSignedCert=false. - name: antrea-controller-tls secret: secretName: antrea-controller-tls defaultMode: 0400 optional: true - name: host-var-log-antrea hostPath: path: /var/log/antrea type: DirectoryOrCreate --- # Source: antrea/templates/controller/apiservices.yaml apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: name: v1beta2.controlplane.antrea.io labels: app: antrea served-by: antrea-controller spec: group: controlplane.antrea.io groupPriorityMinimum: 100 version: v1beta2 versionPriority: 100 service: name: antrea namespace: kube-system --- # Source: antrea/templates/controller/apiservices.yaml apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: name: v1beta1.system.antrea.io labels: app: antrea served-by: antrea-controller spec: group: system.antrea.io groupPriorityMinimum: 100 version: v1beta1 versionPriority: 100 service: name: antrea namespace: kube-system --- # Source: antrea/templates/controller/apiservices.yaml apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: name: v1alpha1.stats.antrea.io labels: app: antrea served-by: antrea-controller spec: group: stats.antrea.io groupPriorityMinimum: 100 version: v1alpha1 versionPriority: 100 service: name: antrea namespace: kube-system --- # Source: antrea/templates/webhooks/mutating/crdmutator.yaml apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: name: "crdmutator.antrea.io" labels: app: antrea served-by: antrea-controller webhooks: - name: "acnpmutator.antrea.io" clientConfig: service: name: "antrea" namespace: kube-system path: "/mutate/acnp" rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] apiVersions: ["v1beta1"] resources: ["clusternetworkpolicies"] scope: "Cluster" admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 - name: "annpmutator.antrea.io" clientConfig: service: name: "antrea" namespace: kube-system path: "/mutate/annp" rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] apiVersions: ["v1beta1"] resources: ["networkpolicies"] scope: "Namespaced" admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 --- # Source: antrea/templates/webhooks/validating/crdvalidator.yaml apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: "crdvalidator.antrea.io" labels: app: antrea served-by: antrea-controller webhooks: - name: "tiervalidator.antrea.io" clientConfig: service: name: "antrea" namespace: kube-system path: "/validate/tier" rules: - operations: ["CREATE", "UPDATE", "DELETE"] apiGroups: ["crd.antrea.io"] apiVersions: ["v1beta1"] resources: ["tiers"] scope: "Cluster" admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 - name: "acnpvalidator.antrea.io" clientConfig: service: name: "antrea" namespace: kube-system path: "/validate/acnp" rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] apiVersions: ["v1beta1"] resources: ["clusternetworkpolicies"] scope: "Cluster" admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 - name: "annpvalidator.antrea.io" clientConfig: service: name: "antrea" namespace: kube-system path: "/validate/annp" rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] apiVersions: ["v1beta1"] resources: ["networkpolicies"] scope: "Namespaced" admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 - name: "anpvalidator.antrea.io" clientConfig: service: name: "antrea" namespace: kube-system path: "/validate/anp" rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["policy.networking.k8s.io"] apiVersions: ["v1alpha1"] resources: ["adminnetworkpolicies"] admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 - name: "banpvalidator.antrea.io" clientConfig: service: name: "antrea" namespace: kube-system path: "/validate/banp" rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["policy.networking.k8s.io"] apiVersions: ["v1alpha1"] resources: ["baselineadminnetworkpolicies"] admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 - name: "clustergroupvalidator.antrea.io" clientConfig: service: name: "antrea" namespace: kube-system path: "/validate/clustergroup" rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] apiVersions: ["v1beta1"] resources: ["clustergroups"] scope: "Cluster" admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 - name: "groupvalidator.antrea.io" clientConfig: service: name: "antrea" namespace: "kube-system" path: "/validate/group" rules: - operations: [ "CREATE", "UPDATE" ] apiGroups: [ "crd.antrea.io" ] apiVersions: [ "v1beta1" ] resources: [ "groups" ] scope: "Namespaced" admissionReviewVersions: [ "v1", "v1beta1" ] sideEffects: None timeoutSeconds: 5 - name: "externalippoolvalidator.antrea.io" clientConfig: service: name: "antrea" namespace: kube-system path: "/validate/externalippool" rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] apiVersions: ["v1alpha2", "v1beta1"] resources: ["externalippools"] scope: "Cluster" admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 - name: "egressvalidator.antrea.io" clientConfig: service: name: "antrea" namespace: kube-system path: "/validate/egress" rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] apiVersions: ["v1beta1"] resources: ["egresses"] scope: "Cluster" admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 - name: "ippoolvalidator.antrea.io" clientConfig: service: name: "antrea" namespace: kube-system path: "/validate/ippool" rules: - operations: ["CREATE", "UPDATE", "DELETE"] apiGroups: ["crd.antrea.io"] apiVersions: ["v1beta1"] resources: ["ippools"] scope: "Cluster" admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 - name: "supportbundlecollectionvalidator.antrea.io" clientConfig: service: name: "antrea" namespace: kube-system path: "/validate/supportbundlecollection" rules: - operations: ["UPDATE", "DELETE"] apiGroups: ["crd.antrea.io"] apiVersions: ["v1alpha1"] resources: ["supportbundlecollections"] scope: "Cluster" admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 - name: "traceflowvalidator.antrea.io" clientConfig: service: name: "antrea" namespace: kube-system path: "/validate/traceflow" rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["crd.antrea.io"] apiVersions: ["v1beta1"] resources: ["traceflows"] scope: "Cluster" admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5