Update ROADMAP (#5807)
Based on discussion with other maintainers

Signed-off-by: Antonin Bas <[email protected]>
antoninbas authored Jan 3, 2024
1 parent 7f2914a commit 7702924
Showing 2 changed files with 122 additions and 71 deletions.
8 changes: 7 additions & 1 deletion README.md
Expand Up @@ -88,10 +88,16 @@ Also check out [@ProjectAntrea](https://twitter.com/ProjectAntrea) on Twitter!
on your infrastructure and use case.
* **Comprehensive policy model**: Antrea provides a comprehensive network policy
model, which builds upon Kubernetes Network Policies with new features such as
policy tiering, rule priorities and cluster-level policies.
policy tiering, rule priorities and cluster-level policies. Refer to the
[Antrea Network Policy documentation](docs/antrea-network-policy.md) for a
full list of features.
* **Windows Node support**: Thanks to the portability of Open vSwitch, Antrea
can use the same data plane implementation on both Linux and Windows
Kubernetes Nodes.
* **Multi-cluster networking**: Federate multiple Kubernetes clusters and
benefit from a unified data plane (including multi-cluster Services) and a
unified security posture. Refer to the [Antrea Multi-cluster documentation](docs/multicluster/user-guide.md)
to get started.
* **Troubleshooting and monitoring tools**: Antrea comes with CLI and UI tools
which provide visibility and diagnostics capabilities (packet tracing, policy
analysis, flow inspection). It exposes Prometheus metrics and supports
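Review bot: the new "Multi-cluster networking" bullet advertises "a unified security posture" without any maturity caveat, while the ROADMAP.md change in this same commit states the feature, introduced in version 1.7, "is still considered Alpha today" with room for improvement in stability; a reader evaluating Antrea for cross-cluster policy enforcement should see that status here too. Suggest adding a short qualifier in the bullet, e.g. "(currently Alpha)", or wording the security claim as a goal rather than a shipped property, next to the existing link to `docs/multicluster/user-guide.md`.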
185 changes: 115 additions & 70 deletions ROADMAP.md
Expand Up @@ -8,73 +8,118 @@ not listed now does not mean it will not be considered for Antrea. We definitely
welcome suggestions and ideas from everyone about the roadmap and Antrea
features. Reach us through Issues, Slack and / or Google Group!

## Planned Features

The following features are considered for the near future:

* **Windows support improvements**
Antrea [supports Windows K8s Node](docs/windows.md) since version 0.7.0.
However, a few features including: Egress, NodePortLocal, IPsec encryption are
not supported for Windows Node yet. We will continue to add more features for
Windows, and improve Antrea Agent and OVS installation on Windows Nodes.

* **Antrea NetworkPolicy enhancements**
Antrea added support for [Antrea-native policies](docs/antrea-network-policy.md)
in addition to K8s NetworkPolicy since version 0.8.0, and already supports
Antrea (Namespace scoped) NetworkPolicy, ClusterNetworkPolicy, ClusterGroup,
Tier, and features including traffic statistics, traffic logging, policy
realization status, `Drop` and `Reject` actions, policy priority, `AppliedTo`
at rule level, Namespace isolation, FQDN and Service as egress rule destination.
We will continue to add more advanced NetworkPolicy features.

* **Network diagnostics and observability**
Network diagnostics and observability is one area we want to focus on. Antrea
already implements some useful features on this front, including the [Antrea
UI](https://github.com/antrea-io/antrea-ui), [CLI](docs/antctl.md),
[Traceflow](docs/traceflow-guide.md), [network flow export and
visualization](docs/network-flow-visibility.md), [Prometheus
metrics](docs/prometheus-integration.md), [OVS flow
dumping](docs/antctl.md#dumping-ovs-flows) and [packet
tracing](docs/antctl.md#ovs-packet-tracing), [NetworkPolicy
diagnostics](docs/antctl.md#networkpolicy-commands). We will continue to enhance
existing features and add new features to help diagnose K8s networking and
NetworkPolicy implementation, and to provide good visibility into the Antrea
network.

* **NFV and Telco use cases**
We plan to explore and provide support for NFV and Telco use cases. We will add
native Pod multi-interface support in Antrea, and support Pod interfaces on
SRIOV devices, OVS DPDK bridge, overlay network, and Network Service Chaining.

* **L7 security policy and visibility**
Enhance Antrea to provide application level security and visibility to K8s
workloads. This includes extending Antrea-native NetworkPolicies to support L7 /
application protocols (HTTP, DNS, etc.), and extending Antrea diagnostics and
observability features to get into application level visibility.

* **Multi-cluster networking**
We would extend Antrea from CNI of a single Kubernetes cluster to multi-cluster
networking, and implement multi-cluster features like multi-cluster Services,
cross-cluster connectivity, multi-cluster NetworkPolicies. Antrea multi-cluster
functionalities are under active development. Check the [Antrea Multi-cluster
user guide](docs/multicluster/user-guide.md) to learn what features are already
supported.

* **Analytics**
With the network flows exported by Antrea, we plan to further build an analytics
solution that consumes the network flows, and provides traffic analysis,
NetworkPolicy recommendation, security and network performance monitoring. We
already started a sub-project of Antrea - [Theia](https://github.com/antrea-io/theia) -
for network flow visibility and analytics. Stay tunned!

* **K8s Node security**
So far Antrea focuses on K8s Pod networking and security, but we would like to
extend Antrea-native NetworkPolicies to cover protection of K8s Nodes too.

* **NetworkPolicy scale and performance tests**
Evaluate and benchmark the NetworkPolicy implementation performance at a large
scale, including the policy computation performance of Antrea Controller and the
OVS datapath performance.

* **OVS with DPDK or AF_XDP**
Leverage OVS with DPDK or AF_XDP for high performance.
## Roadmap Items

### Antrea v2

Antrea [version 2](https://github.com/antrea-io/antrea/issues/4832) is coming in
2024. We are graduating some popular features to Beta or GA, deprecating some
legacy APIs, dropping support for old K8s versions (< 1.19) to improve support
for newer ones, and more! This is a big milestone for the project, stay tuned!

### K8s Node security

So far Antrea has focused on K8s Pod networking and security, but we would like
to extend Antrea-native NetworkPolicies to cover protection of K8s Nodes
too. There is ongoing work for this, so expect this feature very soon!

### Quality of life improvements for installation and upgrade

We have a few things planned to improve basic usability:

* provide separate container images for the Agent and Controller: this will
reduce image size and speed up deployment of new Antrea versions.
* support for installation and upgrade using the antctl CLI: this will provide
an alternative installation method and antctl will ensure that Antrea
components are upgraded in the right order to minimize workload disruption.
* CLI tools to facilitate migration from another CNI: we will take care of
provisioning the correct network resources for your existing workloads.

### Core networking features

We are currently working on supporting VLAN tagging for Egress traffic. In the
long term, we plan to add BGP support to the Antrea Agent, as it is a much
requested feature.

### Windows support improvements

Antrea [supports Windows K8s Nodes](docs/windows.md). However, a few features
including: Egress, NodePortLocal, IPsec encryption are not supported for Windows
yet. We will continue to add more features for Windows (starting with Egress)
and aim for feature parity with Linux. We encourage users to reach out if they
would like us to prioritize a specific feature. While the installation procedure
has improved significantly since we first added Windows support, we plan to keep
on streamlining the procedure (more automation) and on improving the user
documentation.

### More robust FQDN support in Antrea NetworkPolicy

Antrea provides a comprehensive network policy model, which builds upon K8s
Network Policies and provides many additional capabilities. One of them is the
ability to define policy rules using domain names (FQDNs). We think there is
some room to improve user experience with this feature, and we are working on
making it more stable.

### Implementation of new upstream NetworkPolicy APIs

[SIG Network](https://github.com/kubernetes/community/tree/master/sig-network)
is working on [new standard APIs](https://network-policy-api.sigs.k8s.io/) to
extend the base K8s NetworkPolicy resource. We are closely monitoring the
upstream work and implementing these APIs as their development matures.

### Better network troubleshooting with packet capture

Antrea comes with many tools for network diagnostics and observability. You may
already be familiar with Traceflow, which lets you trace a single packet through
the Antrea network. We plan on also providing users with the ability to capture
live traffic and export it in PCAP format. Think tcpdump, but for K8s and
through a dedicated Antrea API!

### Multi-network support for Pods

We recently added the SecondaryNetwork feature, which supports provisioning
additional networks for Pods, using the same constructs made popular by
[Multus](https://github.com/k8snetworkplumbingwg/multus-cni). However, at the
moment, options for network "types" are limited. We plan on supporting new use
cases (e.g., secondary network overlays, network acceleration with DPDK), as
well as on improving user experience for this feature (with some useful
documentation).

### L7 security policy

Support for L7 NetworkPolicies was added in version 1.10, providing the ability
to select traffic based on the application-layer context. However, the feature
currently only supports HTTP and TLS traffic, and we plan to extend support to
other protocols, such as DNS.

### Multi-cluster networking

Antrea can federate multiple K8s clusters, but this feature (introduced in
version 1.7) is still considered Alpha today. Most of the functionality is
already there (multi-cluster Services, cross-cluster connectivity,
and multi-cluster NetworkPolicies), but we think there is some room for
improvement when it comes to stability and usability.

### NetworkPolicy scale and performance tests

We are working on a framework to empower contributors and users to benchmark the
performance of Antrea at scale.

### Investigate better integration with service meshes

As service meshes start introducing alternatives to the sidecar approach,
we believe there is an opportunity to improve the synergy between the K8s
network plugin and the service mesh provider. In particular, we are looking at
how Antrea can integrate with the new Istio ambient data plane mode. Take a look
at [#5682](https://github.com/antrea-io/antrea/issues/5682) for more
information.

### Investigate multiple replicas for the Controller

While today the Antrea Controller can scale to 1000s of K8s Nodes and 100,000
Pods, and failover to a new replica in case of failure can happen in under a
minute, we believe we should still investigate the possibility of deploying
multiple replicas for the Controller (Active-Active or Active-Standby), to
enable horizontal scaling and achieve high-availability with very quick
failover. Horizontal scaling could help reduce the memory footprint of each
Controller instance for very large K8s clusters.
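Review bot: the rewrite silently drops several items that were on the previous roadmap (the "NFV and Telco use cases" entry, the "Analytics" entry pointing at the Theia sub-project, and "OVS with DPDK or AF_XDP"), and the "L7 security policy and visibility" heading becomes "L7 security policy" with the observability half gone; someone diffing the two versions cannot tell whether these were deprioritized or merely folded into other entries such as "Multi-network support for Pods", which now carries the DPDK mention. Suggest a short "Removed from the roadmap" paragraph, or at least keeping the Theia link, so the change in scope is explicit. Minor style points in the new text: "a few features including: Egress, NodePortLocal, IPsec encryption are not supported" reads better without the colon, and the "1000s of K8s Nodes and 100,000 Pods" figures in "Investigate multiple replicas for the Controller" would benefit from a link to the scale test results they come from.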
