---
# Source: antrea/templates/agent/serviceaccount.yaml
# Identity under which the Antrea agent runs. The RBAC bindings granting it permissions
# and the workload that mounts it are not part of this chunk.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: antrea-agent
  namespace: kube-system
  labels:
    app: antrea
---
# Source: antrea/templates/antctl/serviceaccount.yaml
# Identity presumably used by the antctl CLI (the binding that gives it permissions is
# outside this chunk). A long-lived token for it is minted by the Secret further down.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: antctl
  namespace: kube-system
  labels:
    app: antrea
---
# Source: antrea/templates/controller/serviceaccount.yaml
# Identity under which the Antrea controller runs; its RBAC bindings are outside this chunk.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: antrea-controller
  namespace: kube-system
  labels:
    app: antrea
---
# Source: antrea/templates/agent/secret.yaml
# Explicitly created service-account-token Secret: the control plane populates it with a
# non-expiring token for the ServiceAccount named in the annotation. Anyone who can read
# Secrets in kube-system can act as antrea-agent with it, so treat it as a long-lived
# credential (restrict Secret read access, rotate by deleting and re-creating the Secret).
apiVersion: v1
kind: Secret
metadata:
  name: antrea-agent-service-account-token
  namespace: kube-system
  annotations:
    # Must match the ServiceAccount name above; the token is minted for that identity.
    kubernetes.io/service-account.name: antrea-agent
type: kubernetes.io/service-account-token
---
# Source: antrea/templates/antctl/secret.yaml
# Same pattern as the agent token Secret: a non-expiring token for the antctl
# ServiceAccount, filled in by the control plane. Because this identity is presumably used
# from outside the Pods, the token is what would be handed to operators -- audit who can
# read it and rotate it like any other static credential.
apiVersion: v1
kind: Secret
metadata:
  name: antctl-service-account-token
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: antctl
type: kubernetes.io/service-account-token
---
# Source: antrea/templates/configmap.yaml
# Rendered Antrea configuration. Each data entry is a literal block scalar (|) handed to
# the Antrea binaries or the kubelet as text: the '#' lines inside them are part of the
# stored value, not YAML comments of this manifest, and their nesting must stay intact
# because the consumers parse that text as YAML/JSON themselves.
apiVersion: v1
kind: ConfigMap
metadata:
  name: antrea-config
  namespace: kube-system
  labels:
    app: antrea
data:
  # Agent settings as rendered here: trafficEncapMode "encap", trafficEncryptionMode "none"
  # (per the option text below, inter-Node Pod traffic is not encrypted), tlsMinVersion and
  # tlsCipherSuites empty (Go defaults per the option text), flow export to the
  # flow-aggregator Service over ":tls". Keys left bare (exceptCIDRs, multicastInterfaces,
  # transportInterfaceCIDRs, nodePortAddresses, skipServices) carry no value.
  antrea-agent.conf: |
    # FeatureGates is a map of feature names to bools that enable or disable experimental features.
    featureGates:
    # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent.
    # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on
    # Service traffic.
    # AntreaProxy: true
    # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice
    # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled,
    # this flag will not take effect.
    # EndpointSlice: false
    # Enable traceflow which provides packet tracing feature to diagnose network issue.
    # Traceflow: true
    # Enable NodePortLocal feature to make the Pods reachable externally through NodePort
    # NodePortLocal: true
    # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
    # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
    # feature that supports priorities, rule actions and externalEntities in the future.
    # AntreaPolicy: true
    # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each
    # agent to a configured collector.
    # FlowExporter: false
    # Enable collecting and exposing NetworkPolicy statistics.
    # NetworkPolicyStats: true
    # Enable controlling SNAT IPs of Pod egress traffic.
    # Egress: true
    # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the
    # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for
    # IPAM when configuring secondary network interfaces with Multus.
    # AntreaIPAM: false
    # Enable multicast traffic. This feature is supported only with noEncap mode.
    # Multicast: false
    # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic.
    # This feature is supported only with encap mode.
    # Multicluster: false
    # Enable support for provisioning secondary network interfaces for Pods (using
    # Pod annotations). At the moment, Antrea can only create secondary network
    # interfaces using SR-IOV VFs on baremetal Nodes.
    # SecondaryNetwork: false
    # Enable managing external IPs of Services of LoadBalancer type.
    # ServiceExternalIP: false
    # Enable mirroring or redirecting the traffic Pods send or receive.
    # TrafficControl: false
    # Enable certificated-based authentication for IPsec.
    # IPsecCertAuth: false
    # Name of the OpenVSwitch bridge antrea-agent will create and use.
    # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
    ovsBridge: "br-int"
    # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are:
    # - system
    # - netdev
    # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run
    # OVS in userspace mode. Userspace mode requires the tun device driver to be available.
    #ovsDatapathType: system
    # Name of the interface antrea-agent will create and use for host <--> pod communication.
    # Make sure it doesn't conflict with your existing interfaces.
    hostGateway: "antrea-gw0"
    # Determines how traffic is encapsulated. It has the following options:
    # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network
    # traffic is SNAT'd.
    # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is
    # SNAT'd if noSNAT is not set to true. Underlying network must be capable of
    # supporting Pod traffic across IP subnets.
    # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap.
    # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod
    # IPAM and connectivity to the primary CNI.
    #
    trafficEncapMode: "encap"
    # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network.
    # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap
    # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to
    # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never
    # performs SNAT and this option will be ignored; for other modes it must be set to false.
    noSNAT: false
    # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode,
    # this option will not take effect. Supported values:
    # - geneve (default)
    # - vxlan
    # - gre
    # - stt
    # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters).
    tunnelType: "geneve"
    # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode.
    # It has the following options:
    # - none (default): Inter-node Pod traffic will not be encrypted.
    # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses
    # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled,
    # the PSK value must be passed to Antrea Agent through an environment
    # variable: ANTREA_IPSEC_PSK.
    # - wireGuard: Enable WireGuard for tunnel traffic encryption.
    trafficEncryptionMode: "none"
    # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected
    # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are
    # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the
    # underlay network.
    # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only
    # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`,
    # `trafficEncapMode` is `noEncap`, and `noSNAT` is true.
    enableBridgingMode: false
    # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the
    # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum.
    # It affects Pods running on Linux Nodes only.
    disableTXChecksumOffload: false
    # Default MTU to use for the host gateway interface and the network interface of each Pod.
    # If omitted, antrea-agent will discover the MTU of the Node's primary interface and
    # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
    defaultMTU: 0
    # wireGuard specifies WireGuard related configurations.
    wireGuard:
      # The port for WireGuard to receive traffic.
      port: 51820
    egress:
      # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses.
      exceptCIDRs:
    # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
    # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
    # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
    serviceCIDR: ""
    # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
    # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
    # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
    # No default value for this field.
    serviceCIDRv6: ""
    # The port for the antrea-agent APIServer to serve on.
    # Note that if it's set to another value, the `containerPort` of the `api` port of the
    # `antrea-agent` container must be set to the same value.
    apiPort: 10350
    # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
    enablePrometheusMetrics: true
    # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
    # HOST can either be the DNS name or the IP of the Flow Collector. For example,
    # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect
    # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6.
    # However, IPv6 address should be wrapped with [].
    # If PORT is empty, we default to 4739, the standard IPFIX port.
    # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
    # "udp" protocols. "tls" is used for securing communication between flow exporter and
    # flow aggregator.
    flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
    # Provide flow poll interval as a duration string. This determines how often the
    # flow exporter dumps connections from the conntrack module. Flow poll interval
    # should be greater than or equal to 1s (one second).
    # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
    flowPollInterval: "5s"
    # Provide the active flow export timeout, which is the timeout after which a flow
    # record is sent to the collector for active flows. Thus, for flows with a continuous
    # stream of packets, a flow record will be exported to the collector once the elapsed
    # time since the last export event is equal to the value of this timeout.
    # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
    activeFlowExportTimeout: "5s"
    # Provide the idle flow export timeout, which is the timeout after which a flow
    # record is sent to the collector for idle flows. A flow is considered idle if no
    # packet matching this flow has been observed since the last export event.
    # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
    idleFlowExportTimeout: "15s"
    nodePortLocal:
      # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To
      # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature
      # gate is also enabled (which is the default).
      enable: false
      # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port
      # from that range will be assigned whenever a Pod's container defines a specific port to be exposed
      # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic
      # directed to that port will be forwarded to the Pod.
      portRange: "61000-62000"
    # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
    # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
    kubeAPIServerOverride: ""
    # Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy.
    # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53,
    # [fd00:10:96::a]:53).
    dnsServerOverride: ""
    # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
    # https://golang.org/pkg/crypto/tls/#pkg-constants
    # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
    # prefer TLS1.3 Cipher Suites whenever possible.
    tlsCipherSuites: ""
    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
    tlsMinVersion: ""
    # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes.
    # If there are multiple IP addresses configured on the interface, the first one is used. The IP
    # address used for tunneling or routing traffic to remote Nodes is decided in the following order of
    # preference (from highest to lowest):
    # 1. transportInterface
    # 2. transportInterfaceCIDRs
    # 3. The Node IP
    transportInterface: ""
    multicast:
      # The names of the interfaces on Nodes that are used to forward multicast traffic.
      # Defaults to transport interface if not set.
      multicastInterfaces:
      # The interval at which the antrea-agent sends IGMP queries to Pods.
      # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
      igmpQueryInterval: "125s"
    # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across
    # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The
    # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of
    # preference (from highest to lowest):
    # 1. transportInterface
    # 2. transportInterfaceCIDRs
    # 3. The Node IP
    transportInterfaceCIDRs:
    # Option antreaProxy contains AntreaProxy related configuration options.
    antreaProxy:
      # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic,
      # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy
      # feature to be enabled.
      # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access
      # apiserver directly.
      proxyAll: false
      # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks.
      # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses.
      # Note that the option is only valid when proxyAll is true.
      nodePortAddresses:
      # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these
      # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name
      # with Namespace (e.g. kube-system/kube-dns)
      skipServices:
      # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the
      # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional
      # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the
      # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy.
      # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and
      # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic.
      proxyLoadBalancerIPs: true
    # IPsec tunnel related configurations.
    ipsec:
      # The authentication mode of IPsec tunnel. It has the following options:
      # - psk (default): Use pre-shared key (PSK) for IKE authentication.
      # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth`
      # feature gate to be enabled.
      authenticationMode: "psk"
    multicluster:
      # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic.
      # This feature is supported only with encap mode.
      enable: false
      # The Namespace where Antrea Multi-cluster Controller is running.
      # The default is antrea-agent's Namespace.
      namespace: ""
  # CNI plugin chain for the kubelet: antrea (with host-local IPAM) first, then portmap
  # (hostPort mappings) and bandwidth (traffic shaping), each enabled via its capability flag.
  antrea-cni.conflist: |
    {
      "cniVersion":"0.3.0",
      "name": "antrea",
      "plugins": [
        {
          "type": "antrea",
          "ipam": {
            "type": "host-local"
          }
        }
        ,
        {
          "type": "portmap",
          "capabilities": {"portMappings": true}
        }
        ,
        {
          "type": "bandwidth",
          "capabilities": {"bandwidth": true}
        }
      ]
    }
  # Controller settings as rendered here: NodeIPAM enabled with clusterCIDRs 172.100.0.0/16;
  # selfSignedCert, ipsecCSRSigner.autoApprove and ipsecCSRSigner.selfSignedCA are all true,
  # i.e. the controller mints its own serving certificate and IPsec CA and approves IPsec
  # CSRs itself (the conditions it checks are described in the option text below).
  antrea-controller.conf: |
    featureGates:
      NodeIPAM: true
    apiPort: 10349
    # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
    enablePrometheusMetrics: true
    # Indicates whether to use auto-generated self-signed TLS certificate.
    # If false, a Secret named "antrea-controller-tls" must be provided with the following keys:
    # ca.crt: <CA certificate>
    # tls.crt: <TLS certificate>
    # tls.key: <TLS private key>
    selfSignedCert: true
    # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
    # https://golang.org/pkg/crypto/tls/#pkg-constants
    # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
    # prefer TLS1.3 Cipher Suites whenever possible.
    tlsCipherSuites: ""
    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
    tlsMinVersion: ""
    nodeIPAM:
      # Enable the integrated Node IPAM controller within the Antrea controller.
      enableNodeIPAM: true
      # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges.
      # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family.
      # Value ignored when enableNodeIPAM is false.
      clusterCIDRs: [172.100.0.0/16]
      # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs.
      # Value ignored when enableNodeIPAM is false.
      serviceCIDR: ""
      serviceCIDRv6: ""
      # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false
      # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30.
      nodeCIDRMaskSizeIPv4: 24
      # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false
      # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
      nodeCIDRMaskSizeIPv6: 64
    ipsecCSRSigner:
      # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management.
      # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions
      # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled,
      # the Pod identity will also be validated to provide maximum security.
      # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved
      # manually by `kubectl certificate approve`.
      autoApprove: true
      # Indicates whether to use auto-generated self-signed CA certificate.
      # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys:
      # tls.crt: <CA certificate>
      # tls.key: <CA private key>
      selfSignedCA: true
---
# Source: antrea/templates/crds/antreaagentinfo.yaml
# Cluster-scoped CRD for per-agent status objects. The schema is fully open
# (x-kubernetes-preserve-unknown-fields: true), so the API server only checks that the
# object is a mapping; no field-level validation happens on AntreaAgentInfo contents.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: antreaagentinfos.crd.antrea.io
  labels:
    app: antrea
spec:
  group: crd.antrea.io
  versions:
    - name: v1beta1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
      # Columns for `kubectl get`; columns with priority > 0 only appear with -o wide.
      additionalPrinterColumns:
        - description: Health status of this Agent
          jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status"
          name: Healthy
          type: string
        - description: Last time the Healthy Condition was updated
          jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime"
          name: Last Heartbeat
          type: date
        - description: Version of this Agent
          jsonPath: ".version"
          name: Version
          type: string
          priority: 1
        - description: Node on which this Agent is running
          jsonPath: ".nodeRef.name"
          name: Node
          type: string
          priority: 1
        - description: Number of local Pods managed by this Agent
          jsonPath: ".localPodNum"
          name: Num Pods
          type: integer
          priority: 2
        - description: Subnets used by this Agent for Pod IPAM
          jsonPath: ".nodeSubnets"
          name: Subnets
          type: string
          priority: 2
  scope: Cluster
  names:
    plural: antreaagentinfos
    singular: antreaagentinfo
    kind: AntreaAgentInfo
    shortNames:
      - aai
---
# Source: antrea/templates/crds/antreacontrollerinfo.yaml
# Cluster-scoped CRD for the controller's status object. Like AntreaAgentInfo the schema
# is fully open (x-kubernetes-preserve-unknown-fields: true), so only "is an object" is
# enforced by the API server.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: antreacontrollerinfos.crd.antrea.io
  labels:
    app: antrea
spec:
  group: crd.antrea.io
  versions:
    - name: v1beta1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
      # Columns for `kubectl get`; columns with priority > 0 only appear with -o wide.
      additionalPrinterColumns:
        - description: Health status of the Controller
          jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status"
          name: Healthy
          type: string
        - description: Last time the Healthy Condition was updated
          jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime"
          name: Last Heartbeat
          type: date
        - description: Version of the Controller
          jsonPath: ".version"
          name: Version
          type: string
          priority: 1
        - description: Number of Agents connected to the Controller
          jsonPath: ".connectedAgentNum"
          name: Connected Agents
          type: integer
          priority: 1
        - description: Node on which the Controller is running
          jsonPath: ".nodeRef.name"
          name: Node
          type: string
          priority: 1
        - description: Number of Network Policies computed by Controller
          jsonPath: ".networkPolicyControllerInfo.networkPolicyNum"
          name: Num Network Policies
          type: integer
          priority: 2
  scope: Cluster
  names:
    plural: antreacontrollerinfos
    singular: antreacontrollerinfo
    kind: AntreaControllerInfo
    shortNames:
      - aci
---
# Source: antrea/templates/crds/clustergroup.yaml
# Cluster-scoped ClusterGroup CRD with two served versions. v1alpha3 is the storage
# version; it drops the singular `ipBlock` field that v1alpha2 still accepts and keeps only
# `ipBlocks`. Objects are converted between versions by the webhook declared under
# `conversion` (the antrea Service in kube-system, path /convert/clustergroup), so that
# Service must be reachable by the API server for any cross-version read or write.
# In every selector, `matchLabels` is left open (x-kubernetes-preserve-unknown-fields)
# while `matchExpressions` values are constrained to the label-value pattern.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: clustergroups.crd.antrea.io
  labels:
    app: antrea
spec:
  group: crd.antrea.io
  versions:
    - name: v1alpha2
      served: true
      storage: false
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              properties:
                childGroups:
                  type: array
                  items:
                    type: string
                podSelector:
                  type: object
                  properties:
                    matchExpressions:
                      type: array
                      items:
                        type: object
                        properties:
                          key:
                            type: string
                          operator:
                            enum:
                              - In
                              - NotIn
                              - Exists
                              - DoesNotExist
                            type: string
                          values:
                            type: array
                            items:
                              type: string
                              pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                    matchLabels:
                      x-kubernetes-preserve-unknown-fields: true
                namespaceSelector:
                  type: object
                  properties:
                    matchExpressions:
                      type: array
                      items:
                        type: object
                        properties:
                          key:
                            type: string
                          operator:
                            enum:
                              - In
                              - NotIn
                              - Exists
                              - DoesNotExist
                            type: string
                          values:
                            type: array
                            items:
                              type: string
                              pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                    matchLabels:
                      x-kubernetes-preserve-unknown-fields: true
                externalEntitySelector:
                  type: object
                  properties:
                    matchExpressions:
                      type: array
                      items:
                        type: object
                        properties:
                          key:
                            type: string
                          operator:
                            enum:
                              - In
                              - NotIn
                              - Exists
                              - DoesNotExist
                            type: string
                          values:
                            type: array
                            items:
                              type: string
                              pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                    matchLabels:
                      x-kubernetes-preserve-unknown-fields: true
                # Singular ipBlock: only in v1alpha2; v1alpha3 below keeps ipBlocks only.
                ipBlock:
                  type: object
                  properties:
                    cidr:
                      type: string
                      format: cidr
                ipBlocks:
                  type: array
                  items:
                    type: object
                    properties:
                      cidr:
                        type: string
                        format: cidr
                serviceReference:
                  type: object
                  properties:
                    name:
                      type: string
                    namespace:
                      type: string
            status:
              type: object
              properties:
                conditions:
                  type: array
                  items:
                    type: object
                    properties:
                      type:
                        type: string
                      status:
                        type: string
                      lastTransitionTime:
                        type: string
    - name: v1alpha3
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              properties:
                childGroups:
                  type: array
                  items:
                    type: string
                podSelector:
                  type: object
                  properties:
                    matchExpressions:
                      type: array
                      items:
                        type: object
                        properties:
                          key:
                            type: string
                          operator:
                            enum:
                              - In
                              - NotIn
                              - Exists
                              - DoesNotExist
                            type: string
                          values:
                            type: array
                            items:
                              type: string
                              pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                    matchLabels:
                      x-kubernetes-preserve-unknown-fields: true
                namespaceSelector:
                  type: object
                  properties:
                    matchExpressions:
                      type: array
                      items:
                        type: object
                        properties:
                          key:
                            type: string
                          operator:
                            enum:
                              - In
                              - NotIn
                              - Exists
                              - DoesNotExist
                            type: string
                          values:
                            type: array
                            items:
                              type: string
                              pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                    matchLabels:
                      x-kubernetes-preserve-unknown-fields: true
                externalEntitySelector:
                  type: object
                  properties:
                    matchExpressions:
                      type: array
                      items:
                        type: object
                        properties:
                          key:
                            type: string
                          operator:
                            enum:
                              - In
                              - NotIn
                              - Exists
                              - DoesNotExist
                            type: string
                          values:
                            type: array
                            items:
                              type: string
                              pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                    matchLabels:
                      x-kubernetes-preserve-unknown-fields: true
                ipBlocks:
                  type: array
                  items:
                    type: object
                    properties:
                      cidr:
                        type: string
                        format: cidr
                serviceReference:
                  type: object
                  properties:
                    name:
                      type: string
                    namespace:
                      type: string
            status:
              type: object
              properties:
                conditions:
                  type: array
                  items:
                    type: object
                    properties:
                      type:
                        type: string
                      status:
                        type: string
                      lastTransitionTime:
                        type: string
      # Status subresource is declared for the storage version only in this rendering.
      subresources:
        status: {}
  conversion:
    strategy: Webhook
    webhook:
      conversionReviewVersions: ["v1", "v1beta1"]
      clientConfig:
        service:
          name: "antrea"
          namespace: "kube-system"
          path: "/convert/clustergroup"
  scope: Cluster
  names:
    plural: clustergroups
    singular: clustergroup
    kind: ClusterGroup
    shortNames:
      - cg
---
# Source: antrea/templates/crds/clusternetworkpolicy.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: clusternetworkpolicies.crd.antrea.io
labels:
app: antrea
spec:
group: crd.antrea.io
versions:
- name: v1alpha1
served: true
storage: true
additionalPrinterColumns:
- name: Tier
type: string
description: The Tier to which this ClusterNetworkPolicy belongs to.
jsonPath: .spec.tier
- name: Priority
type: number
format: float
description: The Priority of this ClusterNetworkPolicy relative to other policies.
jsonPath: .spec.priority
- name: Desired Nodes
type: number
format: int32
description: The total number of Nodes that should realize the NetworkPolicy.
jsonPath: .status.desiredNodesRealized
- name: Current Nodes
type: number
format: int32
description: The number of Nodes that have realized the NetworkPolicy.
jsonPath: .status.currentNodesRealized
- name: Age
type: date
jsonPath: .metadata.creationTimestamp
schema:
openAPIV3Schema:
type: object
properties:
spec:
# Ensure that Spec.Priority field is set
required:
- priority
type: object
properties:
tier:
type: string
priority:
type: number
format: float
# Ensure that Spec.Priority field is between 1 and 10000
minimum: 1.0
maximum: 10000.0
appliedTo:
type: array
items:
type: object
# Ensure that Spec.AppliedTo does not allow IPBlock field
properties:
podSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
namespaceSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
group:
type: string
serviceAccount:
type: object
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
ingress:
type: array
items:
type: object
required:
- action
properties:
appliedTo:
type: array
items:
type: object
# Ensure that rule AppliedTo does not allow IPBlock field
properties:
podSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
namespaceSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
group:
type: string
serviceAccount:
type: object
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
# Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
action:
type: string
enum: ['Allow', 'Drop', 'Reject', 'Pass']
ports:
type: array
items:
type: object
properties:
protocol:
type: string
enum: ['TCP', 'UDP', 'SCTP']
port:
x-kubernetes-int-or-string: true
endPort:
type: integer
protocols:
type: array
items:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
properties:
icmpType:
type: integer
minimum: 0
maximum: 255
icmpCode:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP query (0x11) is valid igmpType in ingress rules.
enum: [ 0x11 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
from:
type: array
items:
type: object
properties:
podSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
namespaceSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
namespaces:
type: object
properties:
match:
enum:
- Self
type: string
ipBlock:
type: object
properties:
cidr:
type: string
format: cidr
group:
type: string
serviceAccount:
type: object
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
nodeSelector:
type: object
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
name:
type: string
enableLogging:
type: boolean
egress:
type: array
items:
type: object
required:
- action
properties:
appliedTo:
type: array
items:
type: object
# Ensure that rule AppliedTo does not allow IPBlock field
properties:
podSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
namespaceSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
group:
type: string
serviceAccount:
type: object
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
# Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
action:
type: string
enum: ['Allow', 'Drop', 'Reject', 'Pass']
ports:
type: array
items:
type: object
properties:
protocol:
type: string
enum: ['TCP', 'UDP', 'SCTP']
port:
x-kubernetes-int-or-string: true
endPort:
type: integer
protocols:
type: array
items:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
properties:
icmpType:
type: integer
minimum: 0
maximum: 255
icmpCode:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP report types are valid igmpType values in egress rules:
# 0x12 is IGMP v1 report, 0x16 is IGMP v2 report, 0x22 is IGMP v3 report.
# If igmpType is not set, all IGMP report types are matched.
enum: [ 0x12, 0x16, 0x22 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
to:
type: array
items:
type: object
properties:
podSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
namespaceSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
namespaces:
type: object
properties:
match:
enum:
- Self
type: string
ipBlock:
type: object
properties:
cidr:
type: string
format: cidr
group:
type: string
fqdn:
type: string
serviceAccount:
type: object
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
nodeSelector:
type: object
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
toServices:
type: array
items:
type: object
required:
- name
- namespace
properties:
name:
type: string
namespace:
type: string
name:
type: string
enableLogging:
type: boolean
status:
type: object
properties:
phase:
type: string
observedGeneration:
type: integer
currentNodesRealized:
type: integer
desiredNodesRealized:
type: integer
subresources:
status: {}
scope: Cluster
names:
plural: clusternetworkpolicies
singular: clusternetworkpolicy
kind: ClusterNetworkPolicy
shortNames:
- acnp
---
# Source: antrea/templates/crds/egress.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: egresses.crd.antrea.io
labels:
app: antrea
spec:
group: crd.antrea.io
versions:
- name: v1alpha2
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required:
- spec
properties:
spec:
type: object
required:
- appliedTo
anyOf:
- required:
- egressIP
- required:
- externalIPPool
properties:
appliedTo:
type: object
properties:
podSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
namespaceSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
egressIP:
type: string
oneOf:
- format: ipv4
- format: ipv6
externalIPPool:
type: string
status:
type: object
properties:
egressNode:
type: string
additionalPrinterColumns:
- description: Specifies the SNAT IP address for the selected workloads.
jsonPath: .spec.egressIP
name: EgressIP
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- description: The Owner Node of egress IP
jsonPath: .status.egressNode
name: Node
type: string
subresources:
status: {}
scope: Cluster
names:
plural: egresses
singular: egress
kind: Egress
shortNames:
- eg
---
# Source: antrea/templates/crds/externalentity.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: externalentities.crd.antrea.io
labels:
app: antrea
spec:
group: crd.antrea.io
versions:
- name: v1alpha2
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
endpoints:
type: array
items:
type: object
properties:
ip:
type: string
oneOf:
- format: ipv4
- format: ipv6
name:
type: string
ports:
type: array
items:
type: object
properties:
protocol:
type: string
enum: ['TCP', 'UDP', 'SCTP']
port:
x-kubernetes-int-or-string: true
name:
type: string
externalNode:
type: string
- name: v1alpha1
served: false
storage: false
schema:
openAPIV3Schema:
type: object
scope: Namespaced
names:
plural: externalentities
singular: externalentity
kind: ExternalEntity
shortNames:
- ee
---
# Source: antrea/templates/crds/externalippool.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: externalippools.crd.antrea.io
labels:
app: antrea
spec:
group: crd.antrea.io
versions:
- name: v1alpha2
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required:
- spec
properties:
spec:
type: object
required:
- ipRanges
- nodeSelector
properties:
ipRanges:
type: array
items:
type: object
oneOf:
- required:
- cidr
- required:
- start
- end
properties:
cidr:
type: string
format: cidr
start:
type: string
oneOf:
- format: ipv4
- format: ipv6
end:
type: string
oneOf:
- format: ipv4
- format: ipv6
nodeSelector:
type: object
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
status:
type: object
properties:
usage:
type: object
properties:
total:
type: integer
used:
type: integer
additionalPrinterColumns:
- description: The number of total IPs
jsonPath: .status.usage.total
name: Total
type: integer
- description: The number of allocated IPs
jsonPath: .status.usage.used
name: Used
type: integer
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
subresources:
status: {}
scope: Cluster
names:
plural: externalippools
singular: externalippool
kind: ExternalIPPool
shortNames:
- eip
---
# Source: antrea/templates/crds/ippool.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: ippools.crd.antrea.io
labels:
app: antrea
spec:
group: crd.antrea.io
versions:
- name: v1alpha2
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required:
- spec
properties:
spec:
required:
- ipVersion
- ipRanges
type: object
properties:
ipVersion:
type: integer
ipRanges:
items:
oneOf:
- required:
- cidr
- gateway
- prefixLength
- required:
- start
- end
- gateway
- prefixLength
properties:
cidr:
format: cidr
type: string
start:
oneOf:
- format: ipv4
- format: ipv6
type: string
end:
oneOf:
- format: ipv4
- format: ipv6
type: string
gateway:
oneOf:
- format: ipv4
- format: ipv6
type: string
prefixLength:
type: integer
vlan:
type: integer
minimum: 0
maximum: 4094
type: object
type: array
status:
properties:
ipAddresses:
items:
properties:
ipAddress:
type: string
owner:
properties:
pod:
properties:
name:
type: string
namespace:
type: string
containerID:
type: string
ifName:
type: string
type: object
statefulSet:
properties:
name:
type: string
namespace:
type: string
index:
type: integer
type: object
type: object
phase:
type: string
type: object
type: array
type: object
subresources:
status: {}
scope: Cluster
names:
plural: ippools
singular: ippool
kind: IPPool
shortNames:
- ipp
---
# Source: antrea/templates/crds/networkpolicy.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: networkpolicies.crd.antrea.io
labels:
app: antrea
spec:
group: crd.antrea.io
versions:
- name: v1alpha1
served: true
storage: true
additionalPrinterColumns:
- name: Tier
type: string
description: The Tier to which this Antrea NetworkPolicy belongs to.
jsonPath: .spec.tier
- name: Priority
type: number
format: float
description: The Priority of this Antrea NetworkPolicy relative to other policies.
jsonPath: .spec.priority
- name: Desired Nodes
type: number
format: int32
description: The total number of Nodes that should realize the NetworkPolicy.
jsonPath: .status.desiredNodesRealized
- name: Current Nodes
type: number
format: int32
description: The number of Nodes that have realized the NetworkPolicy.
jsonPath: .status.currentNodesRealized
- name: Age
type: date
jsonPath: .metadata.creationTimestamp
schema:
openAPIV3Schema:
type: object
properties:
spec:
# Ensure that Spec.Priority field is set
required:
- priority
type: object
properties:
tier:
type: string
priority:
type: number
format: float
# Ensure that Spec.Priority field is between 1 and 10000
minimum: 1.0
maximum: 10000.0
appliedTo:
type: array
items:
type: object
# Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field
properties:
podSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
ingress:
type: array
items:
type: object
required:
- action
properties:
appliedTo:
type: array
items:
type: object
# Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field
properties:
podSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
# Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
action:
type: string
enum: ['Allow', 'Drop', 'Reject', 'Pass']
ports:
type: array
items:
type: object
properties:
protocol:
type: string
enum: ['TCP', 'UDP', 'SCTP']
port:
x-kubernetes-int-or-string: true
endPort:
type: integer
protocols:
type: array
items:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
properties:
icmpType:
type: integer
minimum: 0
maximum: 255
icmpCode:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP query (0x11) is valid igmpType in ingress rules.
enum: [ 0x11 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
from:
type: array
items:
type: object
properties:
podSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
namespaceSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
externalEntitySelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
ipBlock:
type: object
properties:
cidr:
type: string
format: cidr
nodeSelector:
type: object
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
name:
type: string
enableLogging:
type: boolean
egress:
type: array
items:
type: object
required:
- action
properties:
appliedTo:
type: array
items:
type: object
# Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field
properties:
podSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
# Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
action:
type: string
enum: ['Allow', 'Drop', 'Reject', 'Pass']
ports:
type: array
items:
type: object
properties:
protocol:
type: string
enum: ['TCP', 'UDP', 'SCTP']
port:
x-kubernetes-int-or-string: true
endPort:
type: integer
protocols:
type: array
items:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
properties:
icmpType:
type: integer
minimum: 0
maximum: 255
icmpCode:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP report types are valid igmpType values in egress rules:
# 0x12 is IGMP v1 report, 0x16 is IGMP v2 report, 0x22 is IGMP v3 report.
# If igmpType is not set, all IGMP report types are matched.
enum: [ 0x12, 0x16, 0x22 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
to:
type: array
items:
type: object
properties:
podSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
namespaceSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
externalEntitySelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
ipBlock:
type: object
properties:
cidr:
type: string
format: cidr
fqdn:
type: string
nodeSelector:
type: object
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
toServices:
type: array
items:
type: object
required:
- name
properties:
name:
type: string
namespace:
type: string
name:
type: string
enableLogging:
type: boolean
status:
type: object
properties:
phase:
type: string
observedGeneration:
type: integer
currentNodesRealized:
type: integer
desiredNodesRealized:
type: integer
subresources:
status: {}
scope: Namespaced
names:
plural: networkpolicies
singular: networkpolicy
kind: NetworkPolicy
shortNames:
- anp
---
# Source: antrea/templates/crds/tier.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: tiers.crd.antrea.io
labels:
app: antrea
spec:
group: crd.antrea.io
versions:
- name: v1alpha1
served: true
storage: true
additionalPrinterColumns:
- name: Priority
type: integer
description: The Priority of this Tier relative to other Tiers.
jsonPath: .spec.priority
- name: Age
type: date
jsonPath: .metadata.creationTimestamp
schema:
openAPIV3Schema:
type: object
properties:
spec:
required:
- priority
type: object
properties:
priority:
type: integer
minimum: 0
maximum: 255
description:
type: string
scope: Cluster
names:
plural: tiers
singular: tier
kind: Tier
shortNames:
- tr
---
# Source: antrea/templates/crds/traceflow.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: traceflows.crd.antrea.io
labels:
app: antrea
spec:
group: crd.antrea.io
versions:
- name: v1alpha1
served: true
storage: true
additionalPrinterColumns:
- jsonPath: .status.phase
description: The phase of the Traceflow.
name: Phase
type: string
- jsonPath: .spec.source.pod
description: The name of the source Pod.
name: Source-Pod
type: string
priority: 10
- jsonPath: .spec.destination.pod
description: The name of the destination Pod.
name: Destination-Pod
type: string
priority: 10
- jsonPath: .spec.destination.ip
description: The IP address of the destination.
name: Destination-IP
type: string
priority: 10
- jsonPath: .spec.liveTraffic
description: Trace live traffic.
name: Live-Traffic
type: boolean
priority: 10
- jsonPath: .spec.droppedOnly
description: Capture only the dropped packet.
name: Dropped-Only
type: boolean
priority: 10
- jsonPath: .spec.timeout
description: Timeout in seconds.
name: Timeout
type: integer
priority: 10
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
schema:
openAPIV3Schema:
type: object
required:
- spec
properties:
spec:
type: object
properties:
source:
type: object
properties:
pod:
type: string
namespace:
type: string
ip:
type: string
oneOf:
- format: ipv4
- format: ipv6
destination:
type: object
properties:
pod:
type: string
service:
type: string
namespace:
type: string
ip:
type: string
oneOf:
- format: ipv4
- format: ipv6
packet:
type: object
properties:
ipHeader:
type: object
properties:
srcIP:
type: string
oneOf:
- format: ipv4
- format: ipv6
protocol:
type: integer
ttl:
type: integer
flags:
type: integer
ipv6Header:
type: object
properties:
srcIP:
type: string
format: ipv6
nextHeader:
type: integer
hopLimit:
type: integer
transportHeader:
type: object
properties:
icmp:
type: object
properties:
id:
type: integer
sequence:
type: integer
udp:
type: object
properties:
srcPort:
type: integer
dstPort:
type: integer
tcp:
type: object
properties:
srcPort:
type: integer
dstPort:
type: integer
flags:
type: integer
liveTraffic:
type: boolean
droppedOnly:
type: boolean
timeout:
type: integer
status:
type: object
properties:
reason:
type: string
dataplaneTag:
type: integer
phase:
type: string
startTime:
type: string
results:
type: array
items:
type: object
properties:
node:
type: string
role:
type: string
timestamp:
type: integer
observations:
type: array
items:
type: object
properties:
component:
type: string
componentInfo:
type: string
action:
type: string
pod:
type: string
dstMAC:
type: string
networkPolicy:
type: string
ttl:
type: integer
translatedSrcIP:
type: string
translatedDstIP:
type: string
tunnelDstIP:
type: string
capturedPacket:
properties:
srcIP:
type: string
dstIP:
type: string
length:
type: integer
ipHeader:
properties:
flags:
type: integer
protocol:
type: integer
ttl:
type: integer
type: object
ipv6Header:
properties:
hopLimit:
type: integer
nextHeader:
type: integer
type: object
transportHeader:
properties:
tcp:
properties:
dstPort:
type: integer
srcPort:
type: integer
flags:
type: integer
type: object
udp:
properties:
dstPort:
type: integer
srcPort:
type: integer
type: object
icmp:
properties:
id:
type: integer
sequence:
type: integer
type: object
type: object
type: object
subresources:
status: {}
scope: Cluster
names:
plural: traceflows
singular: traceflow
kind: Traceflow
shortNames:
- tf
---
# Source: antrea/templates/crds/trafficcontrol.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: trafficcontrols.crd.antrea.io
spec:
group: crd.antrea.io
versions:
- name: v1alpha2
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required:
- spec
properties:
spec:
type: object
required:
- appliedTo
- direction
- action
- targetPort
properties:
appliedTo:
type: object
properties:
podSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
namespaceSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
direction:
type: string
enum:
- Ingress
- Egress
- Both
action:
type: string
enum:
- Mirror
- Redirect
targetPort:
type: object
oneOf:
- required: [ovsInternal]
- required: [device]
- required: [geneve]
- required: [vxlan]
- required: [gre]
- required: [erspan]
properties:
ovsInternal:
type: object
required:
- name
properties:
name:
type: string
device:
type: object
required:
- name
properties:
name:
type: string
geneve:
type: object
required:
- remoteIP
properties:
remoteIP:
type: string
oneOf:
- format: ipv4
- format: ipv6
vni:
type: integer
minimum: 0
maximum: 16777215
destinationPort:
type: integer
minimum: 1
maximum: 65535
vxlan:
type: object
required:
- remoteIP
properties:
remoteIP:
type: string
oneOf:
- format: ipv4
- format: ipv6
vni:
type: integer
minimum: 0
maximum: 16777215
destinationPort:
type: integer
minimum: 1
maximum: 65535
gre:
type: object
required:
- remoteIP
properties:
remoteIP:
type: string
oneOf:
- format: ipv4
- format: ipv6
key:
type: integer
minimum: 0
maximum: 4294967295
erspan:
type: object
required:
- remoteIP
- version
properties:
remoteIP:
type: string
oneOf:
- format: ipv4
- format: ipv6
sessionID:
type: integer
minimum: 0
maximum: 1023
version:
type: integer
enum:
- 1
- 2
index:
type: integer
dir:
type: integer
enum:
- 0
- 1
hardwareID:
type: integer
returnPort:
type: object
oneOf:
- required: [ovsInternal]
- required: [device]
- required: [geneve]
- required: [vxlan]
- required: [gre]
properties:
ovsInternal:
type: object
required:
- name
properties:
name:
type: string
device:
type: object
required:
- name
properties:
name:
type: string
geneve:
type: object
required:
- remoteIP
properties:
remoteIP:
type: string
oneOf:
- format: ipv4
- format: ipv6
vni:
type: integer
minimum: 0
maximum: 16777215
destinationPort:
type: integer
minimum: 1
maximum: 65535
vxlan:
type: object
required:
- remoteIP
properties:
remoteIP:
type: string
oneOf:
- format: ipv4
- format: ipv6
vni:
type: integer
minimum: 0
maximum: 16777215
destinationPort:
type: integer
minimum: 1
maximum: 65535
gre:
type: object
required:
- remoteIP
properties:
remoteIP:
type: string
oneOf:
- format: ipv4
- format: ipv6
key:
type: integer
minimum: 0
maximum: 4294967295
additionalPrinterColumns:
- description: Specifies the direction of traffic that should be matched.
jsonPath: .spec.direction
name: Direction
type: string
- description: Specifies the action that should be taken for the traffic.
jsonPath: .spec.action
name: Action
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
subresources:
status: {}
scope: Cluster
names:
plural: trafficcontrols
singular: trafficcontrol
kind: TrafficControl
shortNames:
- tc
---
# Source: antrea/templates/agent/clusterrole.yaml
# Cluster-wide permissions for the antrea-agent DaemonSet (bound to the
# antrea-agent ServiceAccount in kube-system by the antrea-agent
# ClusterRoleBinding later in this bundle). The role is shared by the agent
# Pod on every node, so each verb granted here is reachable from every node.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: antrea-agent
labels:
app: antrea
rules:
# Nodes are read-only; only the status subresource may be patched.
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- watch
- list
- apiGroups:
- ""
resources:
- nodes/status
verbs:
- patch
# Pods are read-only cluster-wide; only the status subresource may be patched.
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- watch
- list
- apiGroups:
- ""
resources:
- pods/status
verbs:
- patch
# Read-only access to Endpoints, Services, Namespaces and EndpointSlices.
- apiGroups:
- ""
resources:
- endpoints
- services
- namespaces
verbs:
- get
- watch
- list
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- watch
- list
# The agent manages AntreaAgentInfo objects (create/update/delete, no list/watch).
- apiGroups:
- crd.antrea.io
resources:
- antreaagentinfos
verbs:
- get
- create
- update
- delete
# Computed policy state from the controlplane.antrea.io API is read-only for
# the agent; nodestatssummaries and networkpolicies/status are write paths.
- apiGroups:
- controlplane.antrea.io
resources:
- networkpolicies
- appliedtogroups
- addressgroups
verbs:
- get
- watch
- list
- apiGroups:
- controlplane.antrea.io
resources:
- egressgroups
verbs:
- get
- watch
- list
- apiGroups:
- controlplane.antrea.io
resources:
- nodestatssummaries
verbs:
- create
- apiGroups:
- controlplane.antrea.io
resources:
- networkpolicies/status
verbs:
- create
- get
# TokenReview/SubjectAccessReview creation is the delegated authentication and
# authorization path for the agent's own API server (the "extension apiserver"
# referred to in the comment below).
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
# This is the content of the built-in role kube-system/extension-apiserver-authentication-reader.
# That role does not have list/watch permission before K8s v1.17.0, so the extension apiserver (antrea-agent) would
# hit permission errors after bumping the apiserver library to a version that supports dynamic authentication.
# See https://github.com/kubernetes/kubernetes/pull/85375
# To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on
# the extension-apiserver-authentication-reader role.
- apiGroups:
- ""
resourceNames:
- extension-apiserver-authentication
resources:
- configmaps
verbs:
- get
- list
- watch
# ConfigMap access is name-scoped to antrea-ca. With resourceNames, list/watch
# only succeed for requests that select that single object by name.
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
- antrea-ca
verbs:
- get
- watch
- list
# Traceflow CRs: full read/write including create and delete, and the status
# subresource (presumably where the agent reports per-node results — confirm).
- apiGroups:
- crd.antrea.io
resources:
- traceflows
- traceflows/status
verbs:
- get
- watch
- list
- update
- patch
- create
- delete
# Egress, ExternalIPPool, IPPool and TrafficControl CRs are read-only; the
# agent may update only the egresses/status and ippools/status subresources.
- apiGroups:
- crd.antrea.io
resources:
- egresses
verbs:
- get
- watch
- list
- apiGroups:
- crd.antrea.io
resources:
- egresses/status
verbs:
- update
- apiGroups:
- crd.antrea.io
resources:
- externalippools
- ippools
- trafficcontrols
verbs:
- get
- watch
- list
- apiGroups:
- crd.antrea.io
resources:
- ippools/status
verbs:
- update
- apiGroups:
- k8s.cni.cncf.io
resources:
- network-attachment-definitions
verbs:
- get
- list
- watch
# The agent may create CertificateSigningRequests (and read all of them).
# Presumably these are the IPsec tunnel certificates that antrea-controller
# approves and signs for the antrea.io/antrea-agent-ipsec-tunnel signer (see
# the antrea-controller ClusterRole in this bundle) — confirm.
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests
verbs:
- get
- watch
- list
- create
# Multi-cluster CRs are read-only for the agent.
- apiGroups:
- multicluster.crd.antrea.io
resources:
- gateways
verbs:
- get
- list
- watch
- apiGroups:
- multicluster.crd.antrea.io
resources:
- clusterinfoimports
verbs:
- get
- list
- watch
---
# Source: antrea/templates/antctl/clusterrole.yaml
# Permissions for the antctl ServiceAccount (bound by the antctl
# ClusterRoleBinding later in this bundle): read access to Antrea's
# aggregated API groups plus the non-resource debug paths listed at the end.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: antctl
labels:
app: antrea
rules:
- apiGroups:
- controlplane.antrea.io
resources:
- networkpolicies
- appliedtogroups
- addressgroups
verbs:
- get
- list
- apiGroups:
- stats.antrea.io
resources:
- networkpolicystats
- antreaclusternetworkpolicystats
- antreanetworkpolicystats
verbs:
- get
- list
- apiGroups:
- system.antrea.io
resources:
- controllerinfos
- agentinfos
verbs:
- get
# NOTE(review): "post" is not one of the resource verbs the Kubernetes API
# machinery derives from HTTP methods (a POST on a resource path is
# authorized as "create"). Presumably Antrea's aggregated API server resolves
# the verb for supportbundles differently — confirm this rule grants what is
# intended rather than silently matching nothing.
- apiGroups:
- system.antrea.io
resources:
- supportbundles
verbs:
- get
- post
- apiGroups:
- system.antrea.io
resources:
- supportbundles/download
verbs:
- get
# Non-resource URL rules are path-based; the verb is the lowercase HTTP
# method, so these paths are readable (GET) only.
- nonResourceURLs:
- /agentinfo
- /addressgroups
- /appliedtogroups
- /loglevel
- /networkpolicies
- /ovsflows
- /ovstracing
- /podinterfaces
- /featuregates
- /serviceexternalip
verbs:
- get
---
# Source: antrea/templates/cluster-identity-reader/clusterrolebinding.yaml
# Minimal read-only role: get on a single named ConfigMap
# (antrea-cluster-identity). The Helm source path above says
# "clusterrolebinding.yaml", but this document is the ClusterRole itself; no
# binding for it is visible in this part of the bundle, so the intended
# subject is presumably bound elsewhere — confirm.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: antrea-cluster-identity-reader
labels:
app: antrea
rules:
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
- antrea-cluster-identity
verbs:
- get
---
# Source: antrea/templates/controller/clusterrole.yaml
# Cluster-wide permissions for antrea-controller (bound to the
# antrea-controller ServiceAccount in kube-system by the antrea-controller
# ClusterRoleBinding later in this bundle). This role carries the most
# sensitive grants in the bundle: unscoped Secret/ConfigMap creation, CSR
# approval and signing for the IPsec signer, and update on webhook and
# APIService registrations.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: antrea-controller
labels:
app: antrea
rules:
# Core resources are read-only except nodes (patch) and services/status (update).
- apiGroups:
- ""
resources:
- pods
- services
- namespaces
- configmaps
verbs:
- get
- watch
- list
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- watch
- list
- patch
- apiGroups:
- ""
resources:
- services/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- get
- watch
- list
# TokenReview/SubjectAccessReview creation is the delegated authentication and
# authorization path for the controller's own API server (the "extension
# apiserver" referred to in the comment below).
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
# NOTE(review): get/update on customresourcedefinitions is not limited by
# resourceNames, so it covers every CRD in the cluster, not only Antrea's —
# confirm the controller needs more than its own CRDs.
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- update
# This is the content of the built-in role kube-system/extension-apiserver-authentication-reader.
# That role does not have list/watch permission before K8s v1.17.0, so the extension apiserver (antrea-controller) would
# hit permission errors after bumping the apiserver library to a version that supports dynamic authentication.
# See https://github.com/kubernetes/kubernetes/pull/85375
# To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on
# the extension-apiserver-authentication-reader role.
- apiGroups:
- ""
resourceNames:
- extension-apiserver-authentication
resources:
- configmaps
verbs:
- get
- list
- watch
# Name-scoped get/update on the CA and cluster-identity ConfigMaps.
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
- antrea-ca
- antrea-ipsec-ca
- antrea-cluster-identity
verbs:
- get
- update
# Name-scoped access to the antrea-ipsec-ca Secret (presumably the key
# material behind the antrea.io/antrea-agent-ipsec-tunnel signer below — confirm).
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- antrea-ipsec-ca
verbs:
- get
- update
- watch
# RBAC cannot scope "create" by resourceNames, so this rule allows creating
# ConfigMaps and Secrets of any name in any namespace; the name-scoped rules
# above narrow only get/update/watch. Presumably required to bootstrap the
# antrea-ca / antrea-ipsec-ca objects on first start — confirm.
- apiGroups:
- ""
resources:
- configmaps
- secrets
verbs:
- create
# APIService registrations for Antrea's aggregated API groups: name-scoped
# get/update on the current names, delete only on the legacy
# *.antrea.tanzu.vmware.com names (presumably cleanup after the API group
# rename).
- apiGroups:
- apiregistration.k8s.io
resources:
- apiservices
resourceNames:
- v1alpha1.stats.antrea.io
- v1beta1.system.antrea.io
- v1beta2.controlplane.antrea.io
verbs:
- get
- update
- apiGroups:
- apiregistration.k8s.io
resources:
- apiservices
resourceNames:
- v1beta1.networking.antrea.tanzu.vmware.com
- v1beta1.controlplane.antrea.tanzu.vmware.com
- v1alpha1.stats.antrea.tanzu.vmware.com
- v1beta1.system.antrea.tanzu.vmware.com
- v1beta2.controlplane.antrea.tanzu.vmware.com
verbs:
- delete
# Name-scoped get/update on Antrea's own admission webhook configurations.
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
resourceNames:
# always give permissions for labelsmutator.antrea.io, even when the
# feature is disabled, to avoid errors in antrea-controller when updating
# the CA cert.
- labelsmutator.antrea.io
- crdmutator.antrea.io
- crdvalidator.antrea.io
verbs:
- get
- update
# CSR handling: the controller can read every CertificateSigningRequest in the
# cluster and update the approval/status subresources of any of them. What
# gates approval and signing of CSRs for other signers is the "signers" rule,
# which restricts the approve/sign verbs to the
# antrea.io/antrea-agent-ipsec-tunnel signerName.
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests
verbs:
- get
- list
- watch
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests/approval
- certificatesigningrequests/status
verbs:
- update
- apiGroups:
- certificates.k8s.io
resources:
- signers
resourceNames:
- antrea.io/antrea-agent-ipsec-tunnel
verbs:
- approve
- sign
- apiGroups:
- crd.antrea.io
resources:
- antreacontrollerinfos
verbs:
- get
- create
- update
- delete
- apiGroups:
- crd.antrea.io
resources:
- antreaagentinfos
verbs:
- list
- delete
# Full read/write, including delete, on Antrea policy, Tier, Traceflow,
# ExternalEntity and ClusterGroup CRs.
- apiGroups:
- crd.antrea.io
resources:
- clusternetworkpolicies
- networkpolicies
verbs:
- get
- watch
- list
- update
- patch
- create
- delete
- apiGroups:
- crd.antrea.io
resources:
- clusternetworkpolicies/status
- networkpolicies/status
verbs:
- update
- apiGroups:
- crd.antrea.io
resources:
- tiers
verbs:
- get
- watch
- list
- update
- patch
- create
- delete
- apiGroups:
- crd.antrea.io
resources:
- traceflows
- traceflows/status
verbs:
- get
- watch
- list
- update
- patch
- create
- delete
- apiGroups:
- crd.antrea.io
resources:
- externalentities
- clustergroups
verbs:
- get
- watch
- list
- update
- patch
- create
- delete
- apiGroups:
- crd.antrea.io
resources:
- clustergroups/status
verbs:
- update
# Egress CRs may be updated/patched but not created or deleted by the controller.
- apiGroups:
- crd.antrea.io
resources:
- egresses
verbs:
- get
- watch
- list
- update
- patch
# ExternalIPPool and IPPool CRs are read-only; only their status may be updated.
- apiGroups:
- crd.antrea.io
resources:
- externalippools
- ippools
verbs:
- get
- watch
- list
- apiGroups:
- crd.antrea.io
resources:
- externalippools/status
- ippools/status
verbs:
- update
- apiGroups:
- apps
resources:
- statefulsets
verbs:
- get
- list
- watch
---
# Source: antrea/templates/crds-rbac/clusterroles.yaml
# Aggregation roles: the labels below fold these rules into the built-in
# admin/edit/view ClusterRoles. Note the scoping: clusternetworkpolicies is
# cluster-scoped (scope: Cluster in its CRD above) while
# networkpolicies.crd.antrea.io is Namespaced. A namespaced RoleBinding to
# admin/edit therefore only makes the namespaced resource usable; the
# cluster-scoped grant takes effect only for subjects bound through a
# ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: aggregate-antrea-policies-edit
labels:
app: antrea
# Add these permissions to the "admin" and "edit" default roles.
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups: ["crd.antrea.io"]
resources: ["clusternetworkpolicies", "networkpolicies"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# Source: antrea/templates/crds-rbac/clusterroles.yaml
# Read-only counterpart of aggregate-antrea-policies-edit, folded into "view".
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: aggregate-antrea-policies-view
labels:
app: antrea
# Add these permissions to the "view" default role.
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: ["crd.antrea.io"]
resources: ["clusternetworkpolicies", "networkpolicies"]
verbs: ["get", "list", "watch"]
---
# Source: antrea/templates/crds-rbac/clusterroles.yaml
# Traceflow is cluster-scoped (scope: Cluster in its CRD above), so this
# grant reaches admin/edit subjects only via a ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: aggregate-traceflows-edit
labels:
app: antrea
# Add these permissions to the "admin" and "edit" default roles.
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups: ["crd.antrea.io"]
resources: ["traceflows"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# Source: antrea/templates/crds-rbac/clusterroles.yaml
# Read-only counterpart of aggregate-traceflows-edit, folded into "view".
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: aggregate-traceflows-view
labels:
app: antrea
# Add these permissions to the "view" default role.
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: ["crd.antrea.io"]
resources: ["traceflows"]
verbs: ["get", "list", "watch"]
---
# Source: antrea/templates/crds-rbac/clusterroles.yaml
# The clustergroups CRD is not visible in this part of the bundle; its scope
# (and hence which binding kind makes this grant effective) should be checked
# against that CRD.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: aggregate-antrea-clustergroups-edit
labels:
app: antrea
# Add these permissions to the "admin" and "edit" default roles.
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups: ["crd.antrea.io"]
resources: ["clustergroups"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# Source: antrea/templates/crds-rbac/clusterroles.yaml
# Read-only counterpart of aggregate-antrea-clustergroups-edit, folded into "view".
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: aggregate-antrea-clustergroups-view
labels:
app: antrea
# Add these permissions to the "view" default role.
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: ["crd.antrea.io"]
resources: ["clustergroups"]
verbs: ["get", "list", "watch"]
---
# Source: antrea/templates/agent/clusterrolebinding.yaml
# Binds the antrea-agent ClusterRole (defined above) to the antrea-agent
# ServiceAccount in kube-system. Each binding below is ServiceAccount-to-
# ClusterRole with a single subject; no user or group subjects are granted.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: antrea-agent
labels:
app: antrea
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: antrea-agent
subjects:
- kind: ServiceAccount
name: antrea-agent
namespace: kube-system
---
# Source: antrea/templates/antctl/clusterrolebinding.yaml
# Binds the antctl ClusterRole to the antctl ServiceAccount in kube-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: antrea
name: antctl
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: antctl
subjects:
- kind: ServiceAccount
name: antctl
namespace: kube-system
---
# Source: antrea/templates/controller/clusterrolebinding.yaml
# Binds the antrea-controller ClusterRole to the antrea-controller
# ServiceAccount in kube-system.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: antrea-controller
labels:
app: antrea
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: antrea-controller
subjects:
- kind: ServiceAccount
name: antrea-controller
namespace: kube-system
---
# Source: antrea/templates/controller/service.yaml
# ClusterIP Service (no explicit type, so the API default applies) exposing
# the antrea-controller Pods on TCP 443, forwarded to the container port
# named "api". The selector matches the component=antrea-controller label;
# the controller Deployment itself is not visible in this part of the bundle.
apiVersion: v1
kind: Service
metadata:
name: antrea
namespace: kube-system
labels:
app: antrea
spec:
ports:
- port: 443
protocol: TCP
targetPort: api
selector:
app: antrea
component: antrea-controller
---
# Source: antrea/templates/agent/daemonset.yaml
# Per-node agent. It runs with hostNetwork, a privileged main container and
# read-write host-path mounts (CNI config/bin dirs, /var/run/antrea, the
# xtables lock), so the Pod is effectively node-root: exec access to it, or the
# ability to schedule workloads under the antrea-agent ServiceAccount, should be
# treated as node-compromise-equivalent when assigning RBAC.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: antrea-agent
  namespace: kube-system
  labels:
    app: antrea
    component: antrea-agent
spec:
  selector:
    matchLabels:
      app: antrea
      component: antrea-agent
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      annotations:
        # Starting with v1.21, Kubernetes supports default container annotation.
        # Using "kubectl logs/exec/attach/cp" doesn't have to specify "-c antrea-agent" when troubleshooting.
        kubectl.kubernetes.io/default-container: antrea-agent
        # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
        # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
        checksum/config: 750097fa4ed60fda68fedf2f31b06a1a62dbbe5dc9a38e9c1f9ddc861a389401
      labels:
        app: antrea
        component: antrea-agent
    spec:
      # The agent shares the node's network namespace; every listener below is
      # therefore bound on the node itself, not on a Pod-only IP.
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      priorityClassName: system-node-critical
      nodeSelector:
        kubernetes.io/os: linux
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
        # No key + Exists tolerates every NoSchedule / NoExecute taint, so the
        # agent stays scheduled on cordoned, tainted and draining nodes.
        - effect: NoSchedule
          operator: Exists
        - effect: NoExecute
          operator: Exists
      serviceAccountName: antrea-agent
      initContainers:
        - name: install-cni
          # Pinned by tag, not digest; with IfNotPresent a node that already
          # holds an image with this tag will not re-pull it.
          image: "projects.registry.vmware.com/antrea/antrea-ubuntu:v1.7.2"
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              cpu: 100m
          command: ["install_cni"]
          securityContext:
            capabilities:
              add:
                # SYS_MODULE is required to load the OVS kernel module.
                - SYS_MODULE
          env:
            # SKIP_CNI_BINARIES takes in values as a comma separated list of
            # binaries that need to be skipped for installation, e.g. "portmap, bandwidth".
            - name: SKIP_CNI_BINARIES
              value: ""
          volumeMounts:
            - name: antrea-config
              mountPath: /etc/antrea/antrea-cni.conflist
              subPath: antrea-cni.conflist
              readOnly: true
            # Host CNI config and binary directories, mounted read-write
            # (presumably so install_cni can write the conflist and binaries
            # onto the node — confirm against the install_cni script).
            - name: host-cni-conf
              mountPath: /host/etc/cni/net.d
            - name: host-cni-bin
              mountPath: /host/opt/cni/bin
            # For loading the OVS kernel module.
            - name: host-lib-modules
              mountPath: /lib/modules
              readOnly: true
            # For changing the default permissions of the run directory.
            - name: host-var-run-antrea
              mountPath: /var/run/antrea
      containers:
        - name: antrea-agent
          image: "projects.registry.vmware.com/antrea/antrea-ubuntu:v1.7.2"
          imagePullPolicy: IfNotPresent
          command: ["antrea-agent"]
          # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).
          args:
            - "--config=/etc/antrea/antrea-agent.conf"
            - "--logtostderr=false"
            - "--log_dir=/var/log/antrea"
            - "--alsologtostderr"
            - "--log_file_max_size=100"
            - "--log_file_max_num=4"
          env:
            # Provide pod and node information for clusterinformation CRD.
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          resources:
            requests:
              cpu: 200m
          ports:
            # Agent API; because of hostNetwork this is a node-wide listener on
            # TCP 10350. The probes below reach it over HTTPS on loopback.
            - containerPort: 10350
              name: api
              protocol: TCP
          livenessProbe:
            httpGet:
              # Probe loopback explicitly rather than the Pod IP (which under
              # hostNetwork is the node IP).
              host: localhost
              path: /livez
              port: api
              scheme: HTTPS
            initialDelaySeconds: 10
            timeoutSeconds: 5
            periodSeconds: 10
            failureThreshold: 5
          readinessProbe:
            httpGet:
              host: localhost
              path: /readyz
              port: api
              scheme: HTTPS
            initialDelaySeconds: 5
            timeoutSeconds: 5
            periodSeconds: 10
            # In large-scale clusters, it may take up to 40~50 seconds for the antrea-agent to reconnect to the antrea
            # Service after the antrea-controller restarts. The antrea-agent shouldn't be reported as NotReady in this
            # scenario, otherwise the DaemonSet controller would restart all agents at once, as opposed to performing a
            # rolling update. Set failureThreshold to 8 so it can tolerate 70s of disconnection.
            failureThreshold: 8
          securityContext:
            # antrea-agent needs to perform sysctl configuration.
            # privileged: true disables all container isolation for this
            # container (all capabilities, unmasked /proc and /sys, device access).
            privileged: true
          volumeMounts:
            - name: antrea-config
              mountPath: /etc/antrea/antrea-agent.conf
              subPath: antrea-agent.conf
              readOnly: true
            - name: host-var-run-antrea
              mountPath: /var/run/antrea
            - name: host-var-run-antrea
              mountPath: /var/run/openvswitch
              subPath: openvswitch
            # host-local IPAM stores allocated IP addresses as files in /var/lib/cni/networks/$NETWORK_NAME.
            # Mount a sub-directory of host-var-run-antrea to it for persistence of IP allocation.
            - name: host-var-run-antrea
              mountPath: /var/lib/cni
              subPath: cni
            - name: host-var-log-antrea
              mountPath: /var/log/antrea
            # We need to mount both the /proc directory and the /var/run/netns directory so that
            # antrea-agent can open the network namespace path when setting up Pod
            # networking. Different container runtimes may use /proc or /var/run/netns when invoking
            # the CNI commands. Docker uses /proc and containerd uses /var/run/netns.
            - name: host-proc
              mountPath: /host/proc
              readOnly: true
            - name: host-var-run-netns
              mountPath: /host/var/run/netns
              readOnly: true
              # When a container is created, a mount point for the network namespace is added under
              # /var/run/netns on the host, which needs to be propagated to the antrea-agent container.
              mountPropagation: HostToContainer
            # Shared iptables lock file, presumably so the agent serializes
            # its iptables changes with other iptables users on the node — confirm.
            - name: xtables-lock
              mountPath: /run/xtables.lock
        - name: antrea-ovs
          image: "projects.registry.vmware.com/antrea/antrea-ubuntu:v1.7.2"
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              cpu: 200m
          command: ["start_ovs"]
          args:
            - "--log_file_max_size=100"
            - "--log_file_max_num=4"
          securityContext:
            # capabilities required by OVS daemons. Not privileged, but the set
            # is broad (SYS_ADMIN in particular grants a large surface).
            capabilities:
              add:
                - SYS_NICE
                - NET_ADMIN
                - SYS_ADMIN
                - IPC_LOCK
          livenessProbe:
            exec:
              # docker CRI doesn't honor timeoutSeconds, add "timeout" to the command as a workaround.
              # https://github.com/kubernetes/kubernetes/issues/51901
              command:
                - /bin/sh
                - -c
                - timeout 10 container_liveness_probe ovs
            initialDelaySeconds: 5
            timeoutSeconds: 10
            periodSeconds: 10
            failureThreshold: 5
          volumeMounts:
            - name: host-var-run-antrea
              mountPath: /var/run/openvswitch
              subPath: openvswitch
            - name: host-var-log-antrea
              mountPath: /var/log/openvswitch
              subPath: openvswitch
      volumes:
        - name: antrea-config
          configMap:
            name: antrea-config
        - name: host-cni-conf
          hostPath:
            path: /etc/cni/net.d
        - name: host-cni-bin
          hostPath:
            path: /opt/cni/bin
        - name: host-proc
          hostPath:
            path: /proc
        - name: host-var-run-netns
          hostPath:
            path: /var/run/netns
        - name: host-var-run-antrea
          hostPath:
            path: /var/run/antrea
            # we use subPath to create run subdirectories for different component (e.g. OVS) and
            # subPath requires the base volume to exist
            type: DirectoryOrCreate
        - name: host-var-log-antrea
          hostPath:
            path: /var/log/antrea
            # we use subPath to create logging subdirectories for different component (e.g. OVS)
            type: DirectoryOrCreate
        - name: host-lib-modules
          hostPath:
            path: /lib/modules
        - name: xtables-lock
          hostPath:
            path: /run/xtables.lock
            type: FileOrCreate
---
# Source: antrea/templates/controller/deployment.yaml
# Single-replica controller. It also runs with hostNetwork, so its API port
# (10349, named "api") is bound on the control-plane node it lands on; the
# "antrea" Service, APIServices and webhooks all route to that port.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: antrea-controller
  namespace: kube-system
  labels:
    app: antrea
    component: antrea-controller
spec:
  strategy:
    # Ensure the existing Pod is stopped before the new one is created.
    type: Recreate
  selector:
    matchLabels:
      app: antrea
      component: antrea-controller
  replicas: 1
  template:
    metadata:
      annotations:
        # Automatically restart Pod if the ConfigMap changes
        # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
        checksum/config: 750097fa4ed60fda68fedf2f31b06a1a62dbbe5dc9a38e9c1f9ddc861a389401
      labels:
        app: antrea
        component: antrea-controller
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      hostNetwork: true
      priorityClassName: system-cluster-critical
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
        # No operator given, so these default to Equal with an empty value,
        # which matches the standard control-plane taints (they carry no value).
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
        - effect: NoSchedule
          key: node-role.kubernetes.io/control-plane
      serviceAccountName: antrea-controller
      containers:
        - name: antrea-controller
          # Pinned by tag, not digest; with IfNotPresent a node that already
          # holds an image with this tag will not re-pull it.
          image: "projects.registry.vmware.com/antrea/antrea-ubuntu:v1.7.2"
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              cpu: 200m
          command: ["antrea-controller"]
          # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).
          args:
            - "--config=/etc/antrea/antrea-controller.conf"
            - "--logtostderr=false"
            - "--log_dir=/var/log/antrea"
            - "--alsologtostderr"
            - "--log_file_max_size=100"
            - "--log_file_max_num=4"
          env:
            # Provide pod and node information for clusterinformation CRD.
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Provide ServiceAccount name for validation webhook.
            - name: SERVICEACCOUNT_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: ANTREA_CONFIG_MAP_NAME
              value: antrea-config
          ports:
            - containerPort: 10349
              name: api
              protocol: TCP
          readinessProbe:
            httpGet:
              # Loopback, not the Pod IP (which is the node IP under hostNetwork).
              host: localhost
              path: /readyz
              port: api
              scheme: HTTPS
            initialDelaySeconds: 5
            timeoutSeconds: 5
            periodSeconds: 10
            failureThreshold: 5
          livenessProbe:
            httpGet:
              host: localhost
              path: /livez
              port: api
              scheme: HTTPS
            # No initialDelaySeconds here (unlike the agent); the first probe
            # runs as soon as the container starts.
            timeoutSeconds: 5
            periodSeconds: 10
            failureThreshold: 5
          volumeMounts:
            - name: antrea-config
              mountPath: /etc/antrea/antrea-controller.conf
              subPath: antrea-controller.conf
              readOnly: true
            - name: antrea-controller-tls
              mountPath: /var/run/antrea/antrea-controller-tls
            - name: host-var-log-antrea
              mountPath: /var/log/antrea
      volumes:
        - name: antrea-config
          configMap:
            name: antrea-config
        # Make it optional as we only read it when selfSignedCert=false.
        - name: antrea-controller-tls
          secret:
            secretName: antrea-controller-tls
            # Octal per YAML 1.1 (0400 = owner read-only), which is how
            # Kubernetes parses manifests. Do not quote it (the field is an
            # integer) and note that a strict YAML 1.2 parser would read this
            # as decimal 400.
            defaultMode: 0400
            optional: true
        - name: host-var-log-antrea
          hostPath:
            path: /var/log/antrea
            type: DirectoryOrCreate
---
# Source: antrea/templates/controller/apiservices.yaml
# Registers controlplane.antrea.io/v1beta2 with the kube-aggregator, backed by
# the "antrea" Service (port 443 -> controller port 10349). Neither caBundle
# nor insecureSkipTLSVerify is set here, so the aggregator has no CA to verify
# the backend until one is injected at runtime — presumably by the controller
# itself; confirm, because an APIService without a usable caBundle stays
# Unavailable.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1beta2.controlplane.antrea.io
  labels:
    app: antrea
spec:
  group: controlplane.antrea.io
  groupPriorityMinimum: 100
  version: v1beta2
  versionPriority: 100
  service:
    name: antrea
    namespace: kube-system
---
# Source: antrea/templates/controller/apiservices.yaml
# Registers system.antrea.io/v1beta1 with the kube-aggregator, backed by the
# "antrea" Service. As with the other APIServices in this file, no caBundle is
# given in the manifest; it is expected to be populated at runtime — confirm.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1beta1.system.antrea.io
  labels:
    app: antrea
spec:
  group: system.antrea.io
  groupPriorityMinimum: 100
  version: v1beta1
  versionPriority: 100
  service:
    name: antrea
    namespace: kube-system
---
# Source: antrea/templates/controller/apiservices.yaml
# Registers stats.antrea.io/v1alpha1 with the kube-aggregator, backed by the
# "antrea" Service. No caBundle in the manifest; expected to be populated at
# runtime — confirm.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.stats.antrea.io
  labels:
    app: antrea
spec:
  group: stats.antrea.io
  groupPriorityMinimum: 100
  version: v1alpha1
  versionPriority: 100
  service:
    name: antrea
    namespace: kube-system
---
# Source: antrea/templates/webhooks/mutating/crdmutator.yaml
# Mutating admission for Antrea ClusterNetworkPolicy / NetworkPolicy CRDs,
# served by the controller through the "antrea" Service.
# failurePolicy is not set, so the v1 default (Fail) applies: if the webhook
# does not answer within timeoutSeconds the request is rejected (fail-closed).
# clientConfig carries no caBundle in this manifest; it is expected to be
# injected at runtime — confirm, since without it every call fails TLS
# verification and, with Fail, every matching request is rejected.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: "crdmutator.antrea.io"
  labels:
    app: antrea
webhooks:
  - name: "acnpmutator.antrea.io"
    clientConfig:
      service:
        name: "antrea"
        namespace: kube-system
        path: "/mutate/acnp"
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["crd.antrea.io"]
        apiVersions: ["v1alpha1"]
        resources: ["clusternetworkpolicies"]
        scope: "Cluster"
    admissionReviewVersions: ["v1", "v1beta1"]
    # None: safe under dry-run; the webhook must not cause out-of-band changes.
    sideEffects: None
    timeoutSeconds: 5
  - name: "anpmutator.antrea.io"
    clientConfig:
      service:
        name: "antrea"
        namespace: kube-system
        path: "/mutate/anp"
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["crd.antrea.io"]
        apiVersions: ["v1alpha1"]
        resources: ["networkpolicies"]
        scope: "Namespaced"
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    timeoutSeconds: 5
---
# Source: antrea/templates/webhooks/validating/crdvalidator.yaml
# Validating admission for the Antrea policy CRDs, served by the controller
# through the "antrea" Service. Same notes as the mutating configuration:
# failurePolicy defaults to Fail (fail-closed on timeout / unreachable backend)
# and clientConfig has no caBundle in this manifest, so it must be populated at
# runtime — confirm. Note which webhooks also cover DELETE (tiers, ippools) and
# which only cover UPDATE (externalippools); CREATE/DELETE of those resources
# are not validated here.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: "crdvalidator.antrea.io"
  labels:
    app: antrea
webhooks:
  - name: "tiervalidator.antrea.io"
    clientConfig:
      service:
        name: "antrea"
        namespace: kube-system
        path: "/validate/tier"
    rules:
      # DELETE is included so tier removal is validated as well.
      - operations: ["CREATE", "UPDATE", "DELETE"]
        apiGroups: ["crd.antrea.io"]
        apiVersions: ["v1alpha1"]
        resources: ["tiers"]
        scope: "Cluster"
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    timeoutSeconds: 5
  - name: "acnpvalidator.antrea.io"
    clientConfig:
      service:
        name: "antrea"
        namespace: kube-system
        path: "/validate/acnp"
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["crd.antrea.io"]
        apiVersions: ["v1alpha1"]
        resources: ["clusternetworkpolicies"]
        scope: "Cluster"
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    timeoutSeconds: 5
  - name: "anpvalidator.antrea.io"
    clientConfig:
      service:
        name: "antrea"
        namespace: kube-system
        path: "/validate/anp"
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["crd.antrea.io"]
        apiVersions: ["v1alpha1"]
        resources: ["networkpolicies"]
        scope: "Namespaced"
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    timeoutSeconds: 5
  - name: "clustergroupvalidator.antrea.io"
    clientConfig:
      service:
        name: "antrea"
        namespace: kube-system
        path: "/validate/clustergroup"
    rules:
      # Both served versions of clustergroups are covered.
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["crd.antrea.io"]
        apiVersions: ["v1alpha3", "v1alpha2"]
        resources: ["clustergroups"]
        scope: "Cluster"
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    timeoutSeconds: 5
  - name: "externalippoolvalidator.antrea.io"
    clientConfig:
      service:
        name: "antrea"
        namespace: kube-system
        path: "/validate/externalippool"
    rules:
      # UPDATE only: creation and deletion of ExternalIPPools bypass this webhook.
      - operations: ["UPDATE"]
        apiGroups: ["crd.antrea.io"]
        apiVersions: ["v1alpha2"]
        resources: ["externalippools"]
        scope: "Cluster"
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    timeoutSeconds: 5
  - name: "egressvalidator.antrea.io"
    clientConfig:
      service:
        name: "antrea"
        namespace: kube-system
        path: "/validate/egress"
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["crd.antrea.io"]
        apiVersions: ["v1alpha2"]
        resources: ["egresses"]
        scope: "Cluster"
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    timeoutSeconds: 5
  - name: "ippoolvalidator.antrea.io"
    clientConfig:
      service:
        name: "antrea"
        namespace: kube-system
        path: "/validate/ippool"
    rules:
      # DELETE is included so pool removal is validated as well.
      - operations: ["CREATE", "UPDATE", "DELETE"]
        apiGroups: ["crd.antrea.io"]
        apiVersions: ["v1alpha2"]
        resources: ["ippools"]
        scope: "Cluster"
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    timeoutSeconds: 5