From b8b37a696d410693a67672a1589950325595735b Mon Sep 17 00:00:00 2001 
From: Andrew Lavery Date: Fri, 1 Sep 2023 14:52:21 +0200 Subject: [PATCH] Revert "remove aws and antrea addons" (#4794) Revert "remove aws and antrea addons (#4793)" This reverts commit 499cbdb119585010f66a08e38470393a4d3667eb. --- addons/antrea/0.13.1/Manifest | 3 + addons/antrea/0.13.1/install.sh | 80 + addons/antrea/0.13.1/ipsec-psk.yaml | 7 + addons/antrea/0.13.1/ipsec.yaml | 2110 +++++++ addons/antrea/0.13.1/kubeadm.yaml | 7 + addons/antrea/0.13.1/kustomization.yaml | 1 + addons/antrea/0.13.1/plaintext.yaml | 2067 +++++++ addons/antrea/1.0.0/Manifest | 3 + addons/antrea/1.0.0/install.sh | 80 + addons/antrea/1.0.0/ipsec-psk.yaml | 7 + addons/antrea/1.0.0/ipsec.yaml | 3446 +++++++++++ addons/antrea/1.0.0/kubeadm.yaml | 7 + addons/antrea/1.0.0/kustomization.yaml | 1 + addons/antrea/1.0.0/plaintext.yaml | 3403 +++++++++++ addons/antrea/1.0.1/Manifest | 3 + addons/antrea/1.0.1/install.sh | 80 + addons/antrea/1.0.1/ipsec-psk.yaml | 7 + addons/antrea/1.0.1/ipsec.yaml | 3446 +++++++++++ addons/antrea/1.0.1/kubeadm.yaml | 7 + addons/antrea/1.0.1/kustomization.yaml | 1 + addons/antrea/1.0.1/plaintext.yaml | 3403 +++++++++++ addons/antrea/1.1.0/Manifest | 3 + addons/antrea/1.1.0/install.sh | 80 + addons/antrea/1.1.0/ipsec-psk.yaml | 7 + addons/antrea/1.1.0/ipsec.yaml | 4569 +++++++++++++++ addons/antrea/1.1.0/kubeadm.yaml | 7 + addons/antrea/1.1.0/kustomization.yaml | 1 + addons/antrea/1.1.0/plaintext.yaml | 4526 +++++++++++++++ addons/antrea/1.2.0/Manifest | 3 + addons/antrea/1.2.0/install.sh | 80 + addons/antrea/1.2.0/ipsec-psk.yaml | 7 + addons/antrea/1.2.0/ipsec.yaml | 4726 +++++++++++++++ addons/antrea/1.2.0/kubeadm.yaml | 7 + addons/antrea/1.2.0/kustomization.yaml | 1 + addons/antrea/1.2.0/plaintext.yaml | 4683 +++++++++++++++ addons/antrea/1.2.1/Manifest | 3 + addons/antrea/1.2.1/install.sh | 93 + addons/antrea/1.2.1/ipsec-psk.yaml | 7 + addons/antrea/1.2.1/ipsec.yaml | 4726 +++++++++++++++ addons/antrea/1.2.1/kubeadm.yaml | 7 + 
addons/antrea/1.2.1/kustomization.yaml | 1 + addons/antrea/1.2.1/plaintext.yaml | 4683 +++++++++++++++ addons/antrea/1.4.0/Manifest | 3 + addons/antrea/1.4.0/install.sh | 119 + addons/antrea/1.4.0/ipsec-psk.yaml | 7 + addons/antrea/1.4.0/ipsec.yaml | 5101 +++++++++++++++++ addons/antrea/1.4.0/kubeadm.yaml | 7 + addons/antrea/1.4.0/kustomization.yaml | 1 + addons/antrea/1.4.0/plaintext.yaml | 5058 ++++++++++++++++ addons/antrea/categories.json | 6 + addons/antrea/template/base/Manifest | 3 + addons/antrea/template/base/install.sh | 113 + addons/antrea/template/base/ipsec-psk.yaml | 7 + addons/antrea/template/base/kubeadm.yaml | 7 + .../antrea/template/base/kustomization.yaml | 1 + addons/antrea/template/generate.sh | 48 + addons/antrea/template/testgrid/tests.yaml | 66 + addons/aws/0.0.1/Manifest | 0 addons/aws/0.0.1/install.sh | 22 + .../0.0.1/kubeadm-cluster-config-v1beta2.yml | 17 + .../aws/0.0.1/kubeadm-init-config-v1beta2.yml | 10 + .../0.0.1/kubeadm-join-config-v1beta2.yaml | 10 + addons/aws/0.0.1/kustomization.yaml | 2 + addons/aws/0.0.1/storageclass.yaml | 9 + addons/aws/0.1.0/Manifest | 0 addons/aws/0.1.0/install.sh | 41 + .../0.1.0/kubeadm-cluster-config-v1beta2.yml | 12 + .../aws/0.1.0/kubeadm-init-config-v1beta2.yml | 8 + .../0.1.0/kubeadm-join-config-v1beta2.yaml | 8 + addons/aws/0.1.0/kustomization.yaml | 0 addons/aws/0.1.0/storageclass.yaml | 9 + addons/aws/categories.json | 7 + web/src/installers/versions.js | 13 + 73 files changed, 57104 insertions(+) create mode 100644 addons/antrea/0.13.1/Manifest create mode 100644 addons/antrea/0.13.1/install.sh create mode 100644 addons/antrea/0.13.1/ipsec-psk.yaml create mode 100644 addons/antrea/0.13.1/ipsec.yaml create mode 100644 addons/antrea/0.13.1/kubeadm.yaml create mode 100644 addons/antrea/0.13.1/kustomization.yaml create mode 100644 addons/antrea/0.13.1/plaintext.yaml create mode 100644 addons/antrea/1.0.0/Manifest create mode 100644 addons/antrea/1.0.0/install.sh create mode 100644 
addons/antrea/1.0.0/ipsec-psk.yaml
create mode 100644 addons/antrea/1.0.0/ipsec.yaml
create mode 100644 addons/antrea/1.0.0/kubeadm.yaml
create mode 100644 addons/antrea/1.0.0/kustomization.yaml
create mode 100644 addons/antrea/1.0.0/plaintext.yaml
create mode 100644 addons/antrea/1.0.1/Manifest
create mode 100644 addons/antrea/1.0.1/install.sh
create mode 100644 addons/antrea/1.0.1/ipsec-psk.yaml
create mode 100644 addons/antrea/1.0.1/ipsec.yaml
create mode 100644 addons/antrea/1.0.1/kubeadm.yaml
create mode 100644 addons/antrea/1.0.1/kustomization.yaml
create mode 100644 addons/antrea/1.0.1/plaintext.yaml
create mode 100644 addons/antrea/1.1.0/Manifest
create mode 100644 addons/antrea/1.1.0/install.sh
create mode 100644 addons/antrea/1.1.0/ipsec-psk.yaml
create mode 100644 addons/antrea/1.1.0/ipsec.yaml
create mode 100644 addons/antrea/1.1.0/kubeadm.yaml
create mode 100644 addons/antrea/1.1.0/kustomization.yaml
create mode 100644 addons/antrea/1.1.0/plaintext.yaml
create mode 100644 addons/antrea/1.2.0/Manifest
create mode 100644 addons/antrea/1.2.0/install.sh
create mode 100644 addons/antrea/1.2.0/ipsec-psk.yaml
create mode 100644 addons/antrea/1.2.0/ipsec.yaml
create mode 100644 addons/antrea/1.2.0/kubeadm.yaml
create mode 100644 addons/antrea/1.2.0/kustomization.yaml
create mode 100644 addons/antrea/1.2.0/plaintext.yaml
create mode 100644 addons/antrea/1.2.1/Manifest
create mode 100644 addons/antrea/1.2.1/install.sh
create mode 100644 addons/antrea/1.2.1/ipsec-psk.yaml
create mode 100644 addons/antrea/1.2.1/ipsec.yaml
create mode 100644 addons/antrea/1.2.1/kubeadm.yaml
create mode 100644 addons/antrea/1.2.1/kustomization.yaml
create mode 100644 addons/antrea/1.2.1/plaintext.yaml
create mode 100644 addons/antrea/1.4.0/Manifest
create mode 100644 addons/antrea/1.4.0/install.sh
create mode 100644 addons/antrea/1.4.0/ipsec-psk.yaml
create mode 100644 addons/antrea/1.4.0/ipsec.yaml
create mode 100644 addons/antrea/1.4.0/kubeadm.yaml
create mode 100644
addons/antrea/1.4.0/kustomization.yaml
create mode 100644 addons/antrea/1.4.0/plaintext.yaml
create mode 100644 addons/antrea/categories.json
create mode 100644 addons/antrea/template/base/Manifest
create mode 100644 addons/antrea/template/base/install.sh
create mode 100644 addons/antrea/template/base/ipsec-psk.yaml
create mode 100644 addons/antrea/template/base/kubeadm.yaml
create mode 100644 addons/antrea/template/base/kustomization.yaml
create mode 100755 addons/antrea/template/generate.sh
create mode 100644 addons/antrea/template/testgrid/tests.yaml
create mode 100644 addons/aws/0.0.1/Manifest
create mode 100644 addons/aws/0.0.1/install.sh
create mode 100644 addons/aws/0.0.1/kubeadm-cluster-config-v1beta2.yml
create mode 100644 addons/aws/0.0.1/kubeadm-init-config-v1beta2.yml
create mode 100644 addons/aws/0.0.1/kubeadm-join-config-v1beta2.yaml
create mode 100644 addons/aws/0.0.1/kustomization.yaml
create mode 100644 addons/aws/0.0.1/storageclass.yaml
create mode 100644 addons/aws/0.1.0/Manifest
create mode 100644 addons/aws/0.1.0/install.sh
create mode 100644 addons/aws/0.1.0/kubeadm-cluster-config-v1beta2.yml
create mode 100644 addons/aws/0.1.0/kubeadm-init-config-v1beta2.yml
create mode 100644 addons/aws/0.1.0/kubeadm-join-config-v1beta2.yaml
create mode 100644 addons/aws/0.1.0/kustomization.yaml
create mode 100644 addons/aws/0.1.0/storageclass.yaml
create mode 100644 addons/aws/categories.json
diff --git a/addons/antrea/0.13.1/Manifest b/addons/antrea/0.13.1/Manifest
new file mode 100644
index 0000000000..b4570ae3d4
--- /dev/null
+++ b/addons/antrea/0.13.1/Manifest
@@ -0,0 +1,3 @@
+image antrea-ubuntu projects.registry.vmware.com/antrea/antrea-ubuntu:v0.13.1
+
+asset antctl https://github.com/vmware-tanzu/antrea/releases/download/v0.13.1/antctl-Linux-x86_64
diff --git a/addons/antrea/0.13.1/install.sh b/addons/antrea/0.13.1/install.sh
new file mode 100644
index 0000000000..d73c17fc61
--- /dev/null
+++ b/addons/antrea/0.13.1/install.sh
@@ -0,0 +1,80 @@
+
+function antrea_pre_init() {
+ local src="$DIR/addons/antrea/$ANTREA_VERSION"
+
+ POD_CIDR="$ANTREA_POD_CIDR"
+ POD_CIDR_RANGE="$ANTREA_POD_CIDR_RANGE"
+
+ cp "$src/kubeadm.yaml" "$DIR/kustomize/kubeadm/init-patches/antrea.yaml"
+
+ if commandExists kubectl; then
+ EXISTING_POD_CIDR=$(kubectl -n kube-system get cm kubeadm-config -oyaml 2>/dev/null | grep podSubnet | awk '{ print $NF }')
+ fi
+}
+
+function antrea() {
+ local src="$DIR/addons/antrea/$ANTREA_VERSION"
+ local dst="$DIR/kustomize/antrea"
+
+ if antrea_weave_conflict; then
+ printf "${YELLOW}Cannot migrate from weave to antrea${NC}\n"
+ return 0
+ fi
+
+ if ! lsmod | grep ip_tables; then
+ modprobe ip_tables
+ fi
+
+ cp "$src/kustomization.yaml" "$dst/"
+
+ if [ "$ANTREA_DISABLE_ENCRYPTION" = "1" ]; then
+ cp "$src/plaintext.yaml" "$dst/"
+ insert_resources "$dst/kustomization.yaml" plaintext.yaml
+ else
+ cp "$src/ipsec.yaml" "$dst/"
+ insert_resources "$dst/kustomization.yaml" ipsec.yaml
+
+ ANTREA_IPSEC_PSK=$(kubernetes_secret_value kube-system antrea-ipsec psk)
+ if [ -z "$ANTREA_IPSEC_PSK" ]; then
+ ANTREA_IPSEC_PSK=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c9)
+ fi
+ render_yaml_file "$src/ipsec-psk.yaml" > "$dst/ipsec-psk.yaml"
+ insert_patches_strategic_merge "$dst/kustomization.yaml" ipsec-psk.yaml
+ fi
+
+ kubectl apply -k $dst
+
+ antrea_cli
+
+ check_network
+}
+
+function antrea_join() {
+ if ! lsmod | grep ip_tables; then
+ modprobe ip_tables
+ fi
+
+ if kubernetes_is_master; then
+ antrea_cli
+ fi
+}
+
+function antrea_cli() {
+ local src="$DIR/addons/antrea/$ANTREA_VERSION"
+
+ if [ !
-f "$src/assets/antctl" ] && [ "$AIRGAP" != "1" ]; then
+ mkdir -p "$src/assets"
+ curl -L --fail "https://github.com/vmware-tanzu/antrea/releases/download/v${ANTREA_VERSION}/antctl-Linux-x86_64" > "$src/assets/antctl"
+ fi
+
+ chmod +x "$src/assets/antctl"
+ # put it in the same directory as kubectl since that's always on the path
+ cp "$src/assets/antctl" "$(dirname $(which kubectl))/"
+}
+
+function antrea_weave_conflict() {
+ if [ -f /etc/cni/net.d/10-weave.conflist ]; then
+ return 0
+ fi
+ return 1
+}
diff --git a/addons/antrea/0.13.1/ipsec-psk.yaml b/addons/antrea/0.13.1/ipsec-psk.yaml
new file mode 100644
index 0000000000..8f73207965
--- /dev/null
+++ b/addons/antrea/0.13.1/ipsec-psk.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: antrea-ipsec
+ namespace: kube-system
+stringData:
+ psk: $ANTREA_IPSEC_PSK
diff --git a/addons/antrea/0.13.1/ipsec.yaml b/addons/antrea/0.13.1/ipsec.yaml
new file mode 100644
index 0000000000..c0c40cb6aa
--- /dev/null
+++ b/addons/antrea/0.13.1/ipsec.yaml
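Review bot: The fallback PSK generated in antrea() is only nine alphanumeric characters (`head -c9`), which is a short secret for an IPsec pre-shared key that is then written to the antrea-ipsec Secret and reused on every later run via kubernetes_secret_value; lengthening it costs nothing, e.g. `ANTREA_IPSEC_PSK=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c32)`. Separately, antrea_cli fetches antctl with curl and copies it into kubectl's directory with no integrity check on the downloaded binary; if the release publishes a digest, verifying it before the `chmod +x` (e.g. `echo "<EXPECTED_SHA256>  $src/assets/antctl" | sha256sum -c -`, with the value taken from the pinned release) would close that gap. The unquoted expansions in `cp "$src/assets/antctl" "$(dirname $(which kubectl))/"` and `kubectl apply -k $dst` should be quoted for consistency with the rest of the script, and `grep ip_tables` could be `grep -q ip_tables` to keep lsmod output out of the install log. The diffstat lists install.sh for several other antrea versions that are outside this chunk and presumably carry the same pattern.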
@@ -0,0 +1,2110 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - aai + singular: antreaagentinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - aci + singular: antreacontrollerinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ClusterGroup + plural: clustergroups + shortNames: + - cg + singular: group + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: 
string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - cnp + - acnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + 
type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - ee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + pattern: ^(((([1]?\d)?\d|2[0-4]\d|25[0-5])\.){3}(([1]?\d)?\d|2[0-4]\d|25[0-5]))|([\da-fA-F]{1,4}(\:[\da-fA-F]{1,4}){7})|(([\da-fA-F]{1,4}:){0,5}::([\da-fA-F]{1,4}:){0,5}[\da-fA-F]{1,4})$ + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - netpol + - anp + singular: networkpolicy + scope: Namespaced + versions: + - 
additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + type: string + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + type: string + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + 
enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: Tier + plural: tiers + shortNames: + - tr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. 
+ jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.ops.antrea.tanzu.vmware.com +spec: + group: ops.antrea.tanzu.vmware.com + names: + kind: Traceflow + plural: traceflows + shortNames: + - tf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. 
+ jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + oneOf: + - required: + - pod + - namespace + - required: + - service + - namespace + - required: + - ip + properties: + ip: + pattern: ^(((([1]?\d)?\d|2[0-4]\d|25[0-5])\.){3}(([1]?\d)?\d|2[0-4]\d|25[0-5]))|([\da-fA-F]{1,4}(\:[\da-fA-F]{1,4}){7})|(([\da-fA-F]{1,4}:){0,5}::([\da-fA-F]{1,4}:){0,5}[\da-fA-F]{1,4})$ + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + pattern: ^(((([1]?\d)?\d|2[0-4]\d|25[0-5])\.){3}(([1]?\d)?\d|2[0-4]\d|25[0-5]))|([\da-fA-F]{1,4}(\:[\da-fA-F]{1,4}){7})|(([\da-fA-F]{1,4}:){0,5}::([\da-fA-F]{1,4}:){0,5}[\da-fA-F]{1,4})$ + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + namespace: + type: string + pod: + type: string + required: + - pod + - namespace + type: object + required: + - source + - destination + type: object + status: + properties: + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + 
type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-agent + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-controller + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-clustergroups-edit +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-clustergroups-view +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-policies-edit +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-policies-view +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-traceflows-edit +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-traceflows-view +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antctl +rules: +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - networking.antrea.tanzu.vmware.com + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - list +- apiGroups: + - stats.antrea.tanzu.vmware.com + resources: + - networkpolicystats + - antreaclusternetworkpolicystats + - antreanetworkpolicystats + verbs: + - get + - list +- apiGroups: + - system.antrea.tanzu.vmware.com + resources: + - controllerinfos + - agentinfos + verbs: + - get +- apiGroups: + - system.antrea.tanzu.vmware.com + resources: + - supportbundles + verbs: + - get + - post +- apiGroups: + - system.antrea.tanzu.vmware.com + resources: + - supportbundles/download + verbs: + - get +- nonResourceURLs: + - /agentinfo + - /addressgroups + - /appliedtogroups + - /loglevel + - /networkpolicies + - /ovsflows + - 
/ovstracing + - /podinterfaces + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-agent +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - endpoints + - services + verbs: + - get + - watch + - list +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreaagentinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - networking.antrea.tanzu.vmware.com + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + resources: + - nodestatssummaries + verbs: + - create +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + resources: + - networkpolicies/status + verbs: + - create + - get +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-controller +rules: +- apiGroups: + - "" + resources: + - nodes + - pods + - namespaces + - services + verbs: + - get + - watch + - list 
+- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1alpha1.stats.antrea.tanzu.vmware.com + - v1beta1.system.antrea.tanzu.vmware.com + - v1beta2.controlplane.antrea.tanzu.vmware.com + - v1beta1.controlplane.antrea.tanzu.vmware.com + - v1beta1.networking.antrea.tanzu.vmware.com + resources: + - apiservices + verbs: + - get + - update +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - crdmutator.antrea.tanzu.vmware.com + - crdvalidator.antrea.tanzu.vmware.com + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - update +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - tiers + verbs: + - get + - watch + - list + - create + - update +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - 
create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antctl +subjects: +- kind: ServiceAccount + name: antctl + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: +- kind: ServiceAccount + name: antrea-agent + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: +- kind: ServiceAccount + name: antrea-controller + namespace: kube-system +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app: antrea + name: antrea-ca + namespace: kube-system +--- +apiVersion: v1 +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice + # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. 
+ # EndpointSlice: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable NodePortLocal feature to make the pods reachable externally through NodePort + # NodePortLocal: false + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: false + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. + # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. + #ovsBridge: br-int + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: + # - system + # - netdev + # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. + # Make sure it doesn't conflict with your existing interfaces. + #hostGateway: antrea-gw0 + + # Determines how traffic is encapsulated. It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. + # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. 
+ # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + #trafficEncapMode: encap + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. + # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + #noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + tunnelType: gre + + # Default MTU to use for the host gateway interface and the network interface of each Pod. + # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + #defaultMTU: 1450 + + # Whether or not to enable IPsec encryption of tunnel traffic. IPsec encryption is only supported + # for the GRE tunnel type. + enableIPSecTunnel: true + + # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + #serviceCIDR: 10.96.0.0/12 + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. 
+ #serviceCIDRv6: + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + #apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + #enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. + # However, IPv6 address should be wrapped with []. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tcp" as default. We support "tcp" and "udp" + # L4 transport protocols. + #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tcp" + + # Provide flow poll interval as a duration string. This determines how often the flow exporter dumps connections from the conntrack module. + # Flow poll interval should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #flowPollInterval: "5s" + + # Provide flow export frequency, which is the number of poll cycles elapsed before flow exporter exports flow records to + # the flow collector. + # Flow export frequency should be greater than or equal to 1. + #flowExportFrequency: 12 + + # Enable TLS communication from flow exporter to flow aggregator. + #enableTLSToFlowAggregator: true + + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned + # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports), + # and all Node traffic directed to that port will be forwarded to the Pod. 
+ #nplPortRange: 40000-41000 + + # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. + # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. + #kubeAPIServerOverride: "" + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + #tlsMinVersion: + antrea-cni.conflist: | + { + "cniVersion":"0.3.0", + "name": "antrea", + "plugins": [ + { + "type": "antrea", + "ipam": { + "type": "host-local" + } + }, + { + "type": "portmap", + "capabilities": {"portMappings": true} + }, + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + antrea-controller.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: false + + # The port for the antrea-controller APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-controller` container must be set to the same value. + #apiPort: 10349 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. 
+ #enablePrometheusMetrics: true + + # Indicates whether to use auto-generated self-signed TLS certificate. + # If false, A Secret named "antrea-controller-tls" must be provided with the following keys: + # ca.crt: + # tls.crt: + # tls.key: + # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the + # antrea-controller container. + #selfSignedCert: true + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + #tlsMinVersion: +kind: ConfigMap +metadata: + annotations: {} + labels: + app: antrea + name: antrea-config-ftckkg2dc8 + namespace: kube-system +--- +apiVersion: v1 +kind: Secret +metadata: + name: antrea-ipsec + namespace: kube-system +stringData: + psk: changeme +type: Opaque +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: antrea + name: antrea + namespace: kube-system +spec: + ports: + - port: 443 + protocol: TCP + targetPort: api + selector: + app: antrea + component: antrea-controller +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: antrea + component: antrea-controller + name: antrea-controller + namespace: kube-system +spec: + replicas: 1 + selector: + matchLabels: + app: antrea + component: antrea-controller + strategy: + type: Recreate + template: + metadata: + labels: + app: antrea + component: antrea-controller + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-controller.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-controller + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: 
metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: SERVICEACCOUNT_NAME + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v0.13.1 + livenessProbe: + failureThreshold: 5 + httpGet: + host: 127.0.0.1 + path: /livez + port: api + scheme: HTTPS + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-controller + ports: + - containerPort: 10349 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + host: 127.0.0.1 + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + volumeMounts: + - mountPath: /etc/antrea/antrea-controller.conf + name: antrea-config + readOnly: true + subPath: antrea-controller.conf + - mountPath: /var/run/antrea/antrea-controller-tls + name: antrea-controller-tls + - mountPath: /var/log/antrea + name: host-var-log-antrea + hostNetwork: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + serviceAccountName: antrea-controller + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + volumes: + - configMap: + name: antrea-config-ftckkg2dc8 + name: antrea-config + - name: antrea-controller-tls + secret: + defaultMode: 256 + optional: true + secretName: antrea-controller-tls + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.tanzu.vmware.com +spec: + group: stats.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService 
+metadata: + labels: + app: antrea + name: v1beta1.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.networking.antrea.tanzu.vmware.com +spec: + group: networking.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.system.antrea.tanzu.vmware.com +spec: + group: system.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app: antrea + component: antrea-agent + name: antrea-agent + namespace: kube-system +spec: + selector: + matchLabels: + app: antrea + component: antrea-agent + template: + metadata: + labels: + app: antrea + component: antrea-agent + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-agent.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-agent + env: + - name: ANTREA_IPSEC_PSK + valueFrom: + secretKeyRef: + key: psk + name: antrea-ipsec + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: 
metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v0.13.1 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - container_liveness_probe agent + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-agent + ports: + - containerPort: 10350 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + host: 127.0.0.1 + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + securityContext: + privileged: true + volumeMounts: + - mountPath: /etc/antrea/antrea-agent.conf + name: antrea-config + readOnly: true + subPath: antrea-agent.conf + - mountPath: /var/run/antrea + name: host-var-run-antrea + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/lib/cni + name: host-var-run-antrea + subPath: cni + - mountPath: /var/log/antrea + name: host-var-log-antrea + - mountPath: /host/proc + name: host-proc + readOnly: true + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: host-var-run-netns + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + - command: + - start_ovs_ipsec + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v0.13.1 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - timeout 5 container_liveness_probe ovs-ipsec + initialDelaySeconds: 5 + periodSeconds: 5 + name: antrea-ipsec + resources: + requests: + cpu: 50m + securityContext: + capabilities: + add: + - NET_ADMIN + volumeMounts: + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/log/openvswitch + name: host-var-log-antrea + subPath: openvswitch + - mountPath: /var/log/strongswan + name: host-var-log-antrea + subPath: strongswan + - args: + - --log_file_max_size=100 + - 
--log_file_max_num=4 + command: + - start_ovs + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v0.13.1 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - timeout 10 container_liveness_probe ovs + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 10 + name: antrea-ovs + resources: + requests: + cpu: 200m + securityContext: + capabilities: + add: + - SYS_NICE + - NET_ADMIN + - SYS_ADMIN + - IPC_LOCK + volumeMounts: + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/log/openvswitch + name: host-var-log-antrea + subPath: openvswitch + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + initContainers: + - command: + - install_cni + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v0.13.1 + name: install-cni + resources: + requests: + cpu: 100m + securityContext: + capabilities: + add: + - SYS_MODULE + volumeMounts: + - mountPath: /etc/antrea/antrea-cni.conflist + name: antrea-config + readOnly: true + subPath: antrea-cni.conflist + - mountPath: /host/etc/cni/net.d + name: host-cni-conf + - mountPath: /host/opt/cni/bin + name: host-cni-bin + - mountPath: /lib/modules + name: host-lib-modules + readOnly: true + - mountPath: /var/run/antrea + name: host-var-run-antrea + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-node-critical + serviceAccountName: antrea-agent + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + volumes: + - configMap: + name: antrea-config-ftckkg2dc8 + name: antrea-config + - hostPath: + path: /etc/cni/net.d + name: host-cni-conf + - hostPath: + path: /opt/cni/bin + name: host-cni-bin + - hostPath: + path: /proc + name: host-proc + - hostPath: + path: /var/run/netns + name: host-var-run-netns + - hostPath: + path: /var/run/antrea + type: DirectoryOrCreate + name: host-var-run-antrea + - hostPath: + path: /var/log/antrea 
+ type: DirectoryOrCreate + name: host-var-log-antrea + - hostPath: + path: /lib/modules + name: host-lib-modules + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + updateStrategy: + type: RollingUpdate +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: tiervalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - 
security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/anp + name: anpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/clustergroup + name: clustergroupvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - core.antrea.tanzu.vmware.com + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - clustergroups + scope: Cluster + sideEffects: None + timeoutSeconds: 5 diff --git a/addons/antrea/0.13.1/kubeadm.yaml b/addons/antrea/0.13.1/kubeadm.yaml new file mode 100644 index 0000000000..5fa4ffb370 --- /dev/null +++ b/addons/antrea/0.13.1/kubeadm.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kubeadm.k8s.io/v1beta2 +kind: ClusterConfiguration +metadata: + name: kubeadm-cluster-configuration +networking: + podSubnet: $POD_CIDR diff --git a/addons/antrea/0.13.1/kustomization.yaml b/addons/antrea/0.13.1/kustomization.yaml new file mode 100644 index 0000000000..2949157786 --- /dev/null +++ b/addons/antrea/0.13.1/kustomization.yaml @@ -0,0 +1 @@ +resources: diff --git a/addons/antrea/0.13.1/plaintext.yaml b/addons/antrea/0.13.1/plaintext.yaml new file mode 100644 index 0000000000..8028d3790b --- /dev/null +++ b/addons/antrea/0.13.1/plaintext.yaml 
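Review bot: `podSubnet: $POD_CIDR` in the new addons/antrea/0.13.1/kubeadm.yaml is a shell-style placeholder, so the file is only a valid ClusterConfiguration after something substitutes it, and nothing in the file says which step does that or what happens when POD_CIDR is unset (kubeadm would presumably receive the literal string and reject it). A one-line comment above `networking:` such as `# $POD_CIDR is replaced by the addon installer before kubeadm reads this file; it must be a valid pod CIDR` would make that contract explicit for the next person editing the addon. Separately, `kubeadm.k8s.io/v1beta2` is, as far as I recall, deprecated in later kubeadm releases, so the Kubernetes range this addon version supports is worth stating in its Manifest or install.sh (both outside this hunk).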
@@ -0,0 +1,2067 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - aai + singular: antreaagentinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - aci + singular: antreacontrollerinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ClusterGroup + plural: clustergroups + shortNames: + - cg + singular: group + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: 
string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - cnp + - acnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + 
type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - ee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + pattern: ^(((([1]?\d)?\d|2[0-4]\d|25[0-5])\.){3}(([1]?\d)?\d|2[0-4]\d|25[0-5]))|([\da-fA-F]{1,4}(\:[\da-fA-F]{1,4}){7})|(([\da-fA-F]{1,4}:){0,5}::([\da-fA-F]{1,4}:){0,5}[\da-fA-F]{1,4})$ + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - netpol + - anp + singular: networkpolicy + scope: Namespaced + versions: + - 
additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + type: string + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + type: string + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + 
enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: Tier + plural: tiers + shortNames: + - tr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. 
+ jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.ops.antrea.tanzu.vmware.com +spec: + group: ops.antrea.tanzu.vmware.com + names: + kind: Traceflow + plural: traceflows + shortNames: + - tf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. 
+ jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + oneOf: + - required: + - pod + - namespace + - required: + - service + - namespace + - required: + - ip + properties: + ip: + pattern: ^(((([1]?\d)?\d|2[0-4]\d|25[0-5])\.){3}(([1]?\d)?\d|2[0-4]\d|25[0-5]))|([\da-fA-F]{1,4}(\:[\da-fA-F]{1,4}){7})|(([\da-fA-F]{1,4}:){0,5}::([\da-fA-F]{1,4}:){0,5}[\da-fA-F]{1,4})$ + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + pattern: ^(((([1]?\d)?\d|2[0-4]\d|25[0-5])\.){3}(([1]?\d)?\d|2[0-4]\d|25[0-5]))|([\da-fA-F]{1,4}(\:[\da-fA-F]{1,4}){7})|(([\da-fA-F]{1,4}:){0,5}::([\da-fA-F]{1,4}:){0,5}[\da-fA-F]{1,4})$ + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + namespace: + type: string + pod: + type: string + required: + - pod + - namespace + type: object + required: + - source + - destination + type: object + status: + properties: + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + 
type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-agent + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-controller + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-clustergroups-edit +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-clustergroups-view +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-policies-edit +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-policies-view +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-traceflows-edit +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-traceflows-view +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antctl +rules: +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - networking.antrea.tanzu.vmware.com + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - list +- apiGroups: + - stats.antrea.tanzu.vmware.com + resources: + - networkpolicystats + - antreaclusternetworkpolicystats + - antreanetworkpolicystats + verbs: + - get + - list +- apiGroups: + - system.antrea.tanzu.vmware.com + resources: + - controllerinfos + - agentinfos + verbs: + - get +- apiGroups: + - system.antrea.tanzu.vmware.com + resources: + - supportbundles + verbs: + - get + - post +- apiGroups: + - system.antrea.tanzu.vmware.com + resources: + - supportbundles/download + verbs: + - get +- nonResourceURLs: + - /agentinfo + - /addressgroups + - /appliedtogroups + - /loglevel + - /networkpolicies + - /ovsflows + - 
/ovstracing + - /podinterfaces + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-agent +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - endpoints + - services + verbs: + - get + - watch + - list +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreaagentinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - networking.antrea.tanzu.vmware.com + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + resources: + - nodestatssummaries + verbs: + - create +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + resources: + - networkpolicies/status + verbs: + - create + - get +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-controller +rules: +- apiGroups: + - "" + resources: + - nodes + - pods + - namespaces + - services + verbs: + - get + - watch + - list 
+- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1alpha1.stats.antrea.tanzu.vmware.com + - v1beta1.system.antrea.tanzu.vmware.com + - v1beta2.controlplane.antrea.tanzu.vmware.com + - v1beta1.controlplane.antrea.tanzu.vmware.com + - v1beta1.networking.antrea.tanzu.vmware.com + resources: + - apiservices + verbs: + - get + - update +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - crdmutator.antrea.tanzu.vmware.com + - crdvalidator.antrea.tanzu.vmware.com + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - update +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - tiers + verbs: + - get + - watch + - list + - create + - update +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - 
create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antctl +subjects: +- kind: ServiceAccount + name: antctl + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: +- kind: ServiceAccount + name: antrea-agent + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: +- kind: ServiceAccount + name: antrea-controller + namespace: kube-system +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app: antrea + name: antrea-ca + namespace: kube-system +--- +apiVersion: v1 +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice + # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. 
+ # EndpointSlice: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable NodePortLocal feature to make the pods reachable externally through NodePort + # NodePortLocal: false + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: false + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. + # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. + #ovsBridge: br-int + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: + # - system + # - netdev + # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. + # Make sure it doesn't conflict with your existing interfaces. + #hostGateway: antrea-gw0 + + # Determines how traffic is encapsulated. It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. + # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. 
+ # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + #trafficEncapMode: encap + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. + # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + #noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + #tunnelType: geneve + + # Default MTU to use for the host gateway interface and the network interface of each Pod. + # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + #defaultMTU: 1450 + + # Whether or not to enable IPsec encryption of tunnel traffic. IPsec encryption is only supported + # for the GRE tunnel type. + #enableIPSecTunnel: false + + # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + #serviceCIDR: 10.96.0.0/12 + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. 
+ #serviceCIDRv6: + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + #apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + #enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. + # However, IPv6 address should be wrapped with []. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tcp" as default. We support "tcp" and "udp" + # L4 transport protocols. + #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tcp" + + # Provide flow poll interval as a duration string. This determines how often the flow exporter dumps connections from the conntrack module. + # Flow poll interval should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #flowPollInterval: "5s" + + # Provide flow export frequency, which is the number of poll cycles elapsed before flow exporter exports flow records to + # the flow collector. + # Flow export frequency should be greater than or equal to 1. + #flowExportFrequency: 12 + + # Enable TLS communication from flow exporter to flow aggregator. + #enableTLSToFlowAggregator: true + + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned + # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports), + # and all Node traffic directed to that port will be forwarded to the Pod. 
+ #nplPortRange: 40000-41000 + + # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. + # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. + #kubeAPIServerOverride: "" + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + #tlsMinVersion: + antrea-cni.conflist: | + { + "cniVersion":"0.3.0", + "name": "antrea", + "plugins": [ + { + "type": "antrea", + "ipam": { + "type": "host-local" + } + }, + { + "type": "portmap", + "capabilities": {"portMappings": true} + }, + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + antrea-controller.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: false + + # The port for the antrea-controller APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-controller` container must be set to the same value. + #apiPort: 10349 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. 
+ #enablePrometheusMetrics: true + + # Indicates whether to use auto-generated self-signed TLS certificate. + # If false, A Secret named "antrea-controller-tls" must be provided with the following keys: + # ca.crt: + # tls.crt: + # tls.key: + # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the + # antrea-controller container. + #selfSignedCert: true + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + #tlsMinVersion: +kind: ConfigMap +metadata: + annotations: {} + labels: + app: antrea + name: antrea-config-md64tc85t9 + namespace: kube-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: antrea + name: antrea + namespace: kube-system +spec: + ports: + - port: 443 + protocol: TCP + targetPort: api + selector: + app: antrea + component: antrea-controller +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: antrea + component: antrea-controller + name: antrea-controller + namespace: kube-system +spec: + replicas: 1 + selector: + matchLabels: + app: antrea + component: antrea-controller + strategy: + type: Recreate + template: + metadata: + labels: + app: antrea + component: antrea-controller + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-controller.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-controller + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + 
fieldPath: spec.nodeName + - name: SERVICEACCOUNT_NAME + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v0.13.1 + livenessProbe: + failureThreshold: 5 + httpGet: + host: 127.0.0.1 + path: /livez + port: api + scheme: HTTPS + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-controller + ports: + - containerPort: 10349 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + host: 127.0.0.1 + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + volumeMounts: + - mountPath: /etc/antrea/antrea-controller.conf + name: antrea-config + readOnly: true + subPath: antrea-controller.conf + - mountPath: /var/run/antrea/antrea-controller-tls + name: antrea-controller-tls + - mountPath: /var/log/antrea + name: host-var-log-antrea + hostNetwork: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + serviceAccountName: antrea-controller + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + volumes: + - configMap: + name: antrea-config-md64tc85t9 + name: antrea-config + - name: antrea-controller-tls + secret: + defaultMode: 256 + optional: true + secretName: antrea-controller-tls + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.tanzu.vmware.com +spec: + group: stats.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + 
groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.networking.antrea.tanzu.vmware.com +spec: + group: networking.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.system.antrea.tanzu.vmware.com +spec: + group: system.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app: antrea + component: antrea-agent + name: antrea-agent + namespace: kube-system +spec: + selector: + matchLabels: + app: antrea + component: antrea-agent + template: + metadata: + labels: + app: antrea + component: antrea-agent + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-agent.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-agent + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v0.13.1 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - 
container_liveness_probe agent + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-agent + ports: + - containerPort: 10350 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + host: 127.0.0.1 + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + securityContext: + privileged: true + volumeMounts: + - mountPath: /etc/antrea/antrea-agent.conf + name: antrea-config + readOnly: true + subPath: antrea-agent.conf + - mountPath: /var/run/antrea + name: host-var-run-antrea + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/lib/cni + name: host-var-run-antrea + subPath: cni + - mountPath: /var/log/antrea + name: host-var-log-antrea + - mountPath: /host/proc + name: host-proc + readOnly: true + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: host-var-run-netns + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + - args: + - --log_file_max_size=100 + - --log_file_max_num=4 + command: + - start_ovs + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v0.13.1 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - timeout 10 container_liveness_probe ovs + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 10 + name: antrea-ovs + resources: + requests: + cpu: 200m + securityContext: + capabilities: + add: + - SYS_NICE + - NET_ADMIN + - SYS_ADMIN + - IPC_LOCK + volumeMounts: + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/log/openvswitch + name: host-var-log-antrea + subPath: openvswitch + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + initContainers: + - command: + - install_cni + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v0.13.1 + name: install-cni + resources: + requests: + cpu: 
100m + securityContext: + capabilities: + add: + - SYS_MODULE + volumeMounts: + - mountPath: /etc/antrea/antrea-cni.conflist + name: antrea-config + readOnly: true + subPath: antrea-cni.conflist + - mountPath: /host/etc/cni/net.d + name: host-cni-conf + - mountPath: /host/opt/cni/bin + name: host-cni-bin + - mountPath: /lib/modules + name: host-lib-modules + readOnly: true + - mountPath: /var/run/antrea + name: host-var-run-antrea + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-node-critical + serviceAccountName: antrea-agent + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + volumes: + - configMap: + name: antrea-config-md64tc85t9 + name: antrea-config + - hostPath: + path: /etc/cni/net.d + name: host-cni-conf + - hostPath: + path: /opt/cni/bin + name: host-cni-bin + - hostPath: + path: /proc + name: host-proc + - hostPath: + path: /var/run/netns + name: host-var-run-netns + - hostPath: + path: /var/run/antrea + type: DirectoryOrCreate + name: host-var-run-antrea + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea + - hostPath: + path: /lib/modules + name: host-lib-modules + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + updateStrategy: + type: RollingUpdate +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + 
clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: tiervalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/anp + name: anpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/clustergroup + name: clustergroupvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - core.antrea.tanzu.vmware.com + apiVersions: 
+ - v1alpha2 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - clustergroups + scope: Cluster + sideEffects: None + timeoutSeconds: 5 diff --git a/addons/antrea/1.0.0/Manifest b/addons/antrea/1.0.0/Manifest new file mode 100644 index 0000000000..52f69fe1be --- /dev/null +++ b/addons/antrea/1.0.0/Manifest @@ -0,0 +1,3 @@ +image antrea-ubuntu projects.registry.vmware.com/antrea/antrea-ubuntu:v1.0.0 + +asset antctl https://github.com/vmware-tanzu/antrea/releases/download/v1.0.0/antctl-Linux-x86_64 diff --git a/addons/antrea/1.0.0/install.sh b/addons/antrea/1.0.0/install.sh new file mode 100644 index 0000000000..d73c17fc61 --- /dev/null +++ b/addons/antrea/1.0.0/install.sh 
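Review bot: The antctl asset on the third line is recorded as a bare download URL with no checksum or signature, and the image on the first line is pinned by tag only, so neither artifact can be verified when the addon is installed; the install.sh added later in this commit copies that downloaded binary into the kubectl directory on control-plane nodes. Pin the image by digest, e.g. `image antrea-ubuntu projects.registry.vmware.com/antrea/antrea-ubuntu:v1.0.0@sha256:<digest>`, and record an expected SHA-256 for the asset so the installer can reject a tampered or truncated download. Whether the Manifest loader actually consumes a checksum field is not visible in this diff, so confirm that before relying on it.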
@@ -0,0 +1,80 @@ + +function antrea_pre_init() { + local src="$DIR/addons/antrea/$ANTREA_VERSION" + + POD_CIDR="$ANTREA_POD_CIDR" + POD_CIDR_RANGE="$ANTREA_POD_CIDR_RANGE" + + cp "$src/kubeadm.yaml" "$DIR/kustomize/kubeadm/init-patches/antrea.yaml" + + if commandExists kubectl; then + EXISTING_POD_CIDR=$(kubectl -n kube-system get cm kubeadm-config -oyaml 2>/dev/null | grep podSubnet | awk '{ print $NF }') + fi +} + +function antrea() { + local src="$DIR/addons/antrea/$ANTREA_VERSION" + local dst="$DIR/kustomize/antrea" + + if antrea_weave_conflict; then + printf "${YELLOW}Cannot migrate from weave to antrea${NC}\n" + return 0 + fi + + if ! lsmod | grep ip_tables; then + modprobe ip_tables + fi + + cp "$src/kustomization.yaml" "$dst/" + + if [ "$ANTREA_DISABLE_ENCRYPTION" = "1" ]; then + cp "$src/plaintext.yaml" "$dst/" + insert_resources "$dst/kustomization.yaml" plaintext.yaml + else + cp "$src/ipsec.yaml" "$dst/" + insert_resources "$dst/kustomization.yaml" ipsec.yaml + + ANTREA_IPSEC_PSK=$(kubernetes_secret_value kube-system antrea-ipsec psk) + if [ -z "$ANTREA_IPSEC_PSK" ]; then + ANTREA_IPSEC_PSK=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c9) + fi + render_yaml_file "$src/ipsec-psk.yaml" > "$dst/ipsec-psk.yaml" + insert_patches_strategic_merge "$dst/kustomization.yaml" ipsec-psk.yaml + fi + + kubectl apply -k $dst + + antrea_cli + + check_network +} + +function antrea_join() { + if ! lsmod | grep ip_tables; then + modprobe ip_tables + fi + + if kubernetes_is_master; then + antrea_cli + fi +} + +function antrea_cli() { + local src="$DIR/addons/antrea/$ANTREA_VERSION" + + if [ ! 
-f "$src/assets/antctl" ] && [ "$AIRGAP" != "1" ]; then + mkdir -p "$src/assets" + curl -L --fail "https://github.com/vmware-tanzu/antrea/releases/download/v${ANTREA_VERSION}/antctl-Linux-x86_64" > "$src/assets/antctl" + fi + + chmod +x "$src/assets/antctl" + # put it in the same directory as kubectl since that's always on the path + cp "$src/assets/antctl" "$(dirname $(which kubectl))/" +} + +function antrea_weave_conflict() { + if [ -f /etc/cni/net.d/10-weave.conflist ]; then + return 0 + fi + return 1 +} diff --git a/addons/antrea/1.0.0/ipsec-psk.yaml b/addons/antrea/1.0.0/ipsec-psk.yaml new file mode 100644 index 0000000000..8f73207965 --- /dev/null +++ b/addons/antrea/1.0.0/ipsec-psk.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: antrea-ipsec + namespace: kube-system +stringData: + psk: $ANTREA_IPSEC_PSK diff --git a/addons/antrea/1.0.0/ipsec.yaml b/addons/antrea/1.0.0/ipsec.yaml new file mode 100644 index 0000000000..647cfbb3d9 --- /dev/null +++ b/addons/antrea/1.0.0/ipsec.yaml 
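Review bot: The IPsec pre-shared key that `antrea()` generates when no `antrea-ipsec` secret exists is only nine alphanumeric characters (`head -c9`), a small keyspace for a key that protects all inter-node pod traffic; `ANTREA_IPSEC_PSK=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c32)` costs nothing since the value only ever lands in the Secret rendered from ipsec-psk.yaml. In `antrea_cli` the antctl download is redirected straight into `$src/assets/antctl`, so a failed `curl --fail` still leaves an empty file behind, and on the next run the `[ ! -f … ]` guard skips the download while the empty file is `chmod +x`'d and copied into the kubectl directory; nothing checks the downloaded binary's integrity before it is placed on PATH either. Downloading to a temporary path, checking curl's exit status, and only then moving the file into place removes the stale-empty-file problem, and if the release publishes a checksum that is the place to compare it. Minor: `lsmod | grep ip_tables` should be `grep -q`, and `$dst` in `kubectl apply -k $dst` and `$(dirname $(which kubectl))` are unquoted.
```shell
function antrea_cli() {
    local src="$DIR/addons/antrea/$ANTREA_VERSION"

    if [ ! -f "$src/assets/antctl" ] && [ "$AIRGAP" != "1" ]; then
        mkdir -p "$src/assets"
        local tmp
        tmp="$(mktemp)"
        if ! curl -L --fail -o "$tmp" "https://github.com/vmware-tanzu/antrea/releases/download/v${ANTREA_VERSION}/antctl-Linux-x86_64"; then
            rm -f "$tmp"
            return 1
        fi
        # if the release ships a checksum, verify "$tmp" against it here before trusting the binary
        mv "$tmp" "$src/assets/antctl"
    fi
    # … unchanged: chmod +x and copy next to kubectl …
}
```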
@@ -0,0 +1,3446 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - laai + singular: antreaagentinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - aai + singular: antreaagentinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - laci + singular: antreacontrollerinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - aci + singular: antreacontrollerinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- 
+apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ClusterGroup + plural: clustergroups + shortNames: + - lcg + singular: group + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ClusterGroup + plural: clustergroups + shortNames: + - cg + singular: group + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + 
x-kubernetes-preserve-unknown-fields: true + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - acnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + name: + type: string + ports: + items: + 
properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - lacnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + name: + type: string + ports: + items: + 
properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: egresses.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Egress + plural: egresses + shortNames: + - eg + singular: egress + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. + jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + properties: + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + egressIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + required: + - appliedTo + - egressIP + type: object + required: + - spec + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - lee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + 
properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - ee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - anp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. 
+ format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + 
namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - lanp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: 
array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Tier + plural: tiers + shortNames: + - tr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: Tier + plural: tiers + shortNames: + - ltr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. 
+ jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Traceflow + plural: traceflows + shortNames: + - tf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. + jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - description: Trace live traffic. + jsonPath: .spec.liveTraffic + name: Live-Traffic + priority: 10 + type: boolean + - description: Capture only the dropped packet. + jsonPath: .spec.droppedOnly + name: Dropped-Only + priority: 10 + type: boolean + - description: Timeout in seconds. 
+ jsonPath: .spec.timeout + name: Timeout + priority: 10 + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + droppedOnly: + type: boolean + liveTraffic: + type: boolean + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + namespace: + type: string + pod: + type: string + required: + - pod + - namespace + type: object + timeout: + type: integer + required: + - source + type: object + status: + properties: + capturedPacket: + properties: + dstIP: + type: string + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + length: + type: integer + srcIP: + type: string + transportHeader: + properties: + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + dataplaneTag: + type: 
integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.ops.antrea.tanzu.vmware.com +spec: + group: ops.antrea.tanzu.vmware.com + names: + kind: Traceflow + plural: traceflows + shortNames: + - ltf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. 
+ jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + namespace: + type: string + pod: + type: string + required: + - pod + - namespace + type: object + required: + - source + type: object + status: + properties: + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- 
+apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-agent + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-controller + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-clustergroups-edit +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-clustergroups-view +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-policies-edit +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-policies-view +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-traceflows-edit +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-traceflows-view +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antctl +rules: +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - networking.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - list +- apiGroups: + - stats.antrea.tanzu.vmware.com + - stats.antrea.io + resources: + - networkpolicystats + - antreaclusternetworkpolicystats + - antreanetworkpolicystats + verbs: + - get + - list +- apiGroups: + - system.antrea.tanzu.vmware.com + - 
system.antrea.io + resources: + - controllerinfos + - agentinfos + verbs: + - get +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - supportbundles + verbs: + - get + - post +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - supportbundles/download + verbs: + - get +- nonResourceURLs: + - /agentinfo + - /addressgroups + - /appliedtogroups + - /loglevel + - /networkpolicies + - /ovsflows + - /ovstracing + - /podinterfaces + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-agent +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - endpoints + - services + verbs: + - get + - watch + - list +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - networking.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.io + resources: + - egressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - nodestatssummaries + verbs: + - create +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies/status + verbs: + - create + - get +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: 
+ - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - ops.antrea.tanzu.vmware.com + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-cluster-identity-reader +rules: +- apiGroups: + - "" + resourceNames: + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-controller +rules: +- apiGroups: + - "" + resources: + - nodes + - pods + - namespaces + - services + verbs: + - get + - watch + - list +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - watch + - list +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1alpha1.stats.antrea.tanzu.vmware.com + - v1beta1.system.antrea.tanzu.vmware.com + - v1beta2.controlplane.antrea.tanzu.vmware.com + - v1beta1.controlplane.antrea.tanzu.vmware.com + - v1beta1.networking.antrea.tanzu.vmware.com + - v1alpha1.stats.antrea.io + 
- v1beta1.system.antrea.io + - v1beta2.controlplane.antrea.io + resources: + - apiservices + verbs: + - get + - update +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - crdmutator.antrea.tanzu.vmware.com + - crdvalidator.antrea.tanzu.vmware.com + - labelsmutator.antrea.io + - crdmutator.antrea.io + - crdvalidator.antrea.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - update +- apiGroups: + - crd.antrea.io + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + 
verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antctl +subjects: +- kind: ServiceAccount + name: antctl + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: +- kind: ServiceAccount + name: antrea-agent + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: +- kind: ServiceAccount + name: antrea-controller + namespace: kube-system +--- +apiVersion: v1 +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. 
+ featureGates: + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice + # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. + # EndpointSlice: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable NodePortLocal feature to make the pods reachable externally through NodePort + # NodePortLocal: false + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. + # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: false + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. + #ovsBridge: br-int + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: + # - system + # - netdev + # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. 
+ # Make sure it doesn't conflict with your existing interfaces. + #hostGateway: antrea-gw0 + + # Determines how traffic is encapsulated. It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. + # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. + # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + #trafficEncapMode: encap + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. + # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + #noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + tunnelType: gre + + # Default MTU to use for the host gateway interface and the network interface of each Pod. + # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + #defaultMTU: 0 + + # Whether or not to enable IPsec encryption of tunnel traffic. IPsec encryption is only supported + # for the GRE tunnel type. + enableIPSecTunnel: true + + # ClusterIP CIDR range for Services. 
It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + #serviceCIDR: 10.96.0.0/12 + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. + #serviceCIDRv6: + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + #apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + #enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. + # However, IPv6 address should be wrapped with []. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tcp" as default. We support "tcp" and "udp" + # L4 transport protocols. + #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tcp" + + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
+ #flowPollInterval: "5s" + + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #activeFlowExportTimeout: "60s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #idleFlowExportTimeout: "15s" + + # Enable TLS communication from flow exporter to flow aggregator. + #enableTLSToFlowAggregator: true + + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned + # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports), + # and all Node traffic directed to that port will be forwarded to the Pod. + #nplPortRange: 40000-41000 + + # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. + # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. + #kubeAPIServerOverride: "" + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. 
+ #tlsMinVersion: + antrea-cni.conflist: | + { + "cniVersion":"0.3.0", + "name": "antrea", + "plugins": [ + { + "type": "antrea", + "ipam": { + "type": "host-local" + } + }, + { + "type": "portmap", + "capabilities": {"portMappings": true} + }, + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + antrea-controller.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: false + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: false + + # The port for the antrea-controller APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-controller` container must be set to the same value. + #apiPort: 10349 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + #enablePrometheusMetrics: true + + # Indicates whether to use auto-generated self-signed TLS certificate. + # If false, A Secret named "antrea-controller-tls" must be provided with the following keys: + # ca.crt: + # tls.crt: + # tls.key: + # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the + # antrea-controller container. + #selfSignedCert: true + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. 
But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + #tlsMinVersion: + + # If Antrea is upgraded from version <= v0.13 and legacy CRDs are used, this option should be + # enabled, otherwise the CRDs created with the legacy API groups will not take any effect and + # work as expected. When the mirroring is enabled, if a legacy CRD is created with legacy API + # groups, mirroring-controller will create a new CRD with the Spec and Labels from the legacy + # CRD. Afterwards, the modification of Spec and Label in legacy CRD will be synchronized to new + # CRD automatically. In addition, the modification of Status in new CRD will also be synchronized + # to legacy CRD automatically. If a legacy CRD is deleted, the corresponding new CRD will be deleted. + # Note that: to decouple a new CRD from the corresponding legacy CRD, the legacy CRD should be + # annotated with "crd.antrea.io/stop-mirror". Afterwards, updates to the legacy CRDs will no + # longer be reflected in the new CRD, and all CRUD operations should be done through the new + # API groups. After adding the annotation, legacy CRDs can be deleted safely without impacting + # new CRDs. 
+ #legacyCRDMirroring: true +kind: ConfigMap +metadata: + annotations: {} + labels: + app: antrea + name: antrea-config-f57t688chc + namespace: kube-system +--- +apiVersion: v1 +kind: Secret +metadata: + name: antrea-ipsec + namespace: kube-system +stringData: + psk: changeme +type: Opaque +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: antrea + name: antrea + namespace: kube-system +spec: + ports: + - port: 443 + protocol: TCP + targetPort: api + selector: + app: antrea + component: antrea-controller +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: antrea + component: antrea-controller + name: antrea-controller + namespace: kube-system +spec: + replicas: 1 + selector: + matchLabels: + app: antrea + component: antrea-controller + strategy: + type: Recreate + template: + metadata: + labels: + app: antrea + component: antrea-controller + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-controller.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-controller + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: SERVICEACCOUNT_NAME + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.0.0 + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /livez + port: api + scheme: HTTPS + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-controller + ports: + - containerPort: 10349 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + volumeMounts: 
+ - mountPath: /etc/antrea/antrea-controller.conf + name: antrea-config + readOnly: true + subPath: antrea-controller.conf + - mountPath: /var/run/antrea/antrea-controller-tls + name: antrea-controller-tls + - mountPath: /var/log/antrea + name: host-var-log-antrea + hostNetwork: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + serviceAccountName: antrea-controller + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + volumes: + - configMap: + name: antrea-config-f57t688chc + name: antrea-config + - name: antrea-controller-tls + secret: + defaultMode: 256 + optional: true + secretName: antrea-controller-tls + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.io +spec: + group: stats.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.tanzu.vmware.com +spec: + group: stats.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.networking.antrea.tanzu.vmware.com +spec: + group: networking.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + 
namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.system.antrea.io +spec: + group: system.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.system.antrea.tanzu.vmware.com +spec: + group: system.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.io +spec: + group: controlplane.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app: antrea + component: antrea-agent + name: antrea-agent + namespace: kube-system +spec: + selector: + matchLabels: + app: antrea + component: antrea-agent + template: + metadata: + labels: + app: antrea + component: antrea-agent + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-agent.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-agent + env: + - name: ANTREA_IPSEC_PSK + valueFrom: + secretKeyRef: + key: psk + name: antrea-ipsec + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - 
name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.0.0 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - container_liveness_probe agent + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-agent + ports: + - containerPort: 10350 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + securityContext: + privileged: true + volumeMounts: + - mountPath: /etc/antrea/antrea-agent.conf + name: antrea-config + readOnly: true + subPath: antrea-agent.conf + - mountPath: /var/run/antrea + name: host-var-run-antrea + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/lib/cni + name: host-var-run-antrea + subPath: cni + - mountPath: /var/log/antrea + name: host-var-log-antrea + - mountPath: /host/proc + name: host-proc + readOnly: true + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: host-var-run-netns + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + - command: + - start_ovs_ipsec + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.0.0 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - timeout 5 container_liveness_probe ovs-ipsec + initialDelaySeconds: 5 + periodSeconds: 5 + name: antrea-ipsec + resources: + requests: + cpu: 50m + securityContext: + capabilities: + add: + - NET_ADMIN + volumeMounts: + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/log/openvswitch + name: host-var-log-antrea + subPath: openvswitch + - mountPath: /var/log/strongswan + name: host-var-log-antrea + subPath: strongswan + 
- args: + - --log_file_max_size=100 + - --log_file_max_num=4 + command: + - start_ovs + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.0.0 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - timeout 10 container_liveness_probe ovs + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 10 + name: antrea-ovs + resources: + requests: + cpu: 200m + securityContext: + capabilities: + add: + - SYS_NICE + - NET_ADMIN + - SYS_ADMIN + - IPC_LOCK + volumeMounts: + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/log/openvswitch + name: host-var-log-antrea + subPath: openvswitch + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + initContainers: + - command: + - install_cni + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.0.0 + name: install-cni + resources: + requests: + cpu: 100m + securityContext: + capabilities: + add: + - SYS_MODULE + volumeMounts: + - mountPath: /etc/antrea/antrea-cni.conflist + name: antrea-config + readOnly: true + subPath: antrea-cni.conflist + - mountPath: /host/etc/cni/net.d + name: host-cni-conf + - mountPath: /host/opt/cni/bin + name: host-cni-bin + - mountPath: /lib/modules + name: host-lib-modules + readOnly: true + - mountPath: /var/run/antrea + name: host-var-run-antrea + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-node-critical + serviceAccountName: antrea-agent + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + volumes: + - configMap: + name: antrea-config-f57t688chc + name: antrea-config + - hostPath: + path: /etc/cni/net.d + name: host-cni-conf + - hostPath: + path: /opt/cni/bin + name: host-cni-bin + - hostPath: + path: /proc + name: host-proc + - hostPath: + path: /var/run/netns + name: host-var-run-netns + - hostPath: + path: /var/run/antrea + type: DirectoryOrCreate + name: host-var-run-antrea 
+ - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea + - hostPath: + path: /lib/modules + name: host-lib-modules + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + updateStrategy: + type: RollingUpdate +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.io +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - 
v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.io +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: tiervalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/anp + name: anpvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/clustergroup + name: clustergroupvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - clustergroups + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.tanzu.vmware.com +webhooks: +- 
admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: tiervalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/anp + name: anpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/clustergroup + name: clustergroupvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - core.antrea.tanzu.vmware.com + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - clustergroups + scope: Cluster + sideEffects: None + timeoutSeconds: 5 diff --git a/addons/antrea/1.0.0/kubeadm.yaml b/addons/antrea/1.0.0/kubeadm.yaml new file mode 100644 index 0000000000..5fa4ffb370 --- /dev/null +++ b/addons/antrea/1.0.0/kubeadm.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kubeadm.k8s.io/v1beta2 +kind: ClusterConfiguration +metadata: + name: kubeadm-cluster-configuration +networking: + podSubnet: $POD_CIDR 
diff --git a/addons/antrea/1.0.0/kustomization.yaml b/addons/antrea/1.0.0/kustomization.yaml new file mode 100644 index 0000000000..2949157786 --- /dev/null +++ b/addons/antrea/1.0.0/kustomization.yaml @@ -0,0 +1 @@ +resources: diff --git a/addons/antrea/1.0.0/plaintext.yaml b/addons/antrea/1.0.0/plaintext.yaml new file mode 100644 index 0000000000..5e133f8720 --- /dev/null +++ b/addons/antrea/1.0.0/plaintext.yaml 
@@ -0,0 +1,3403 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - laai + singular: antreaagentinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - aai + singular: antreaagentinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - laci + singular: antreacontrollerinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - aci + singular: antreacontrollerinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- 
+apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ClusterGroup + plural: clustergroups + shortNames: + - lcg + singular: group + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ClusterGroup + plural: clustergroups + shortNames: + - cg + singular: group + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + 
x-kubernetes-preserve-unknown-fields: true + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - acnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + name: + type: string + ports: + items: + 
properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - lacnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + name: + type: string + ports: + items: + 
properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: egresses.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Egress + plural: egresses + shortNames: + - eg + singular: egress + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. + jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + properties: + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + egressIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + required: + - appliedTo + - egressIP + type: object + required: + - spec + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - lee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + 
properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - ee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - anp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. 
+ format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + 
namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - lanp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: 
array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Tier + plural: tiers + shortNames: + - tr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: Tier + plural: tiers + shortNames: + - ltr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. 
+ jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Traceflow + plural: traceflows + shortNames: + - tf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. + jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - description: Trace live traffic. + jsonPath: .spec.liveTraffic + name: Live-Traffic + priority: 10 + type: boolean + - description: Capture only the dropped packet. + jsonPath: .spec.droppedOnly + name: Dropped-Only + priority: 10 + type: boolean + - description: Timeout in seconds. 
+ jsonPath: .spec.timeout + name: Timeout + priority: 10 + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + droppedOnly: + type: boolean + liveTraffic: + type: boolean + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + namespace: + type: string + pod: + type: string + required: + - pod + - namespace + type: object + timeout: + type: integer + required: + - source + type: object + status: + properties: + capturedPacket: + properties: + dstIP: + type: string + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + length: + type: integer + srcIP: + type: string + transportHeader: + properties: + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + dataplaneTag: + type: 
integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.ops.antrea.tanzu.vmware.com +spec: + group: ops.antrea.tanzu.vmware.com + names: + kind: Traceflow + plural: traceflows + shortNames: + - ltf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. 
+ jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + namespace: + type: string + pod: + type: string + required: + - pod + - namespace + type: object + required: + - source + type: object + status: + properties: + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- 
+apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-agent + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-controller + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-clustergroups-edit +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-clustergroups-view +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-policies-edit +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-policies-view +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-traceflows-edit +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-traceflows-view +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antctl +rules: +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - networking.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - list +- apiGroups: + - stats.antrea.tanzu.vmware.com + - stats.antrea.io + resources: + - networkpolicystats + - antreaclusternetworkpolicystats + - antreanetworkpolicystats + verbs: + - get + - list +- apiGroups: + - system.antrea.tanzu.vmware.com + - 
system.antrea.io + resources: + - controllerinfos + - agentinfos + verbs: + - get +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - supportbundles + verbs: + - get + - post +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - supportbundles/download + verbs: + - get +- nonResourceURLs: + - /agentinfo + - /addressgroups + - /appliedtogroups + - /loglevel + - /networkpolicies + - /ovsflows + - /ovstracing + - /podinterfaces + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-agent +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - endpoints + - services + verbs: + - get + - watch + - list +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - networking.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.io + resources: + - egressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - nodestatssummaries + verbs: + - create +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies/status + verbs: + - create + - get +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: 
+ - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - ops.antrea.tanzu.vmware.com + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-cluster-identity-reader +rules: +- apiGroups: + - "" + resourceNames: + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-controller +rules: +- apiGroups: + - "" + resources: + - nodes + - pods + - namespaces + - services + verbs: + - get + - watch + - list +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - watch + - list +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1alpha1.stats.antrea.tanzu.vmware.com + - v1beta1.system.antrea.tanzu.vmware.com + - v1beta2.controlplane.antrea.tanzu.vmware.com + - v1beta1.controlplane.antrea.tanzu.vmware.com + - v1beta1.networking.antrea.tanzu.vmware.com + - v1alpha1.stats.antrea.io + 
- v1beta1.system.antrea.io + - v1beta2.controlplane.antrea.io + resources: + - apiservices + verbs: + - get + - update +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - crdmutator.antrea.tanzu.vmware.com + - crdvalidator.antrea.tanzu.vmware.com + - labelsmutator.antrea.io + - crdmutator.antrea.io + - crdvalidator.antrea.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - update +- apiGroups: + - crd.antrea.io + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + 
verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antctl +subjects: +- kind: ServiceAccount + name: antctl + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: +- kind: ServiceAccount + name: antrea-agent + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: +- kind: ServiceAccount + name: antrea-controller + namespace: kube-system +--- +apiVersion: v1 +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. 
+ featureGates: + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice + # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. + # EndpointSlice: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable NodePortLocal feature to make the pods reachable externally through NodePort + # NodePortLocal: false + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. + # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: false + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. + #ovsBridge: br-int + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: + # - system + # - netdev + # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. 
+ # Make sure it doesn't conflict with your existing interfaces. + #hostGateway: antrea-gw0 + + # Determines how traffic is encapsulated. It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. + # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. + # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + #trafficEncapMode: encap + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. + # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + #noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + #tunnelType: geneve + + # Default MTU to use for the host gateway interface and the network interface of each Pod. + # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + #defaultMTU: 0 + + # Whether or not to enable IPsec encryption of tunnel traffic. IPsec encryption is only supported + # for the GRE tunnel type. + #enableIPSecTunnel: false + + # ClusterIP CIDR range for Services. 
It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + #serviceCIDR: 10.96.0.0/12 + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. + #serviceCIDRv6: + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + #apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + #enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. + # However, IPv6 address should be wrapped with []. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tcp" as default. We support "tcp" and "udp" + # L4 transport protocols. + #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tcp" + + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
+ #flowPollInterval: "5s" + + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #activeFlowExportTimeout: "60s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #idleFlowExportTimeout: "15s" + + # Enable TLS communication from flow exporter to flow aggregator. + #enableTLSToFlowAggregator: true + + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned + # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports), + # and all Node traffic directed to that port will be forwarded to the Pod. + #nplPortRange: 40000-41000 + + # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. + # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. + #kubeAPIServerOverride: "" + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. 
+ #tlsMinVersion: + antrea-cni.conflist: | + { + "cniVersion":"0.3.0", + "name": "antrea", + "plugins": [ + { + "type": "antrea", + "ipam": { + "type": "host-local" + } + }, + { + "type": "portmap", + "capabilities": {"portMappings": true} + }, + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + antrea-controller.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: false + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: false + + # The port for the antrea-controller APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-controller` container must be set to the same value. + #apiPort: 10349 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + #enablePrometheusMetrics: true + + # Indicates whether to use auto-generated self-signed TLS certificate. + # If false, A Secret named "antrea-controller-tls" must be provided with the following keys: + # ca.crt: + # tls.crt: + # tls.key: + # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the + # antrea-controller container. + #selfSignedCert: true + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. 
But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + #tlsMinVersion: + + # If Antrea is upgraded from version <= v0.13 and legacy CRDs are used, this option should be + # enabled, otherwise the CRDs created with the legacy API groups will not take any effect and + # work as expected. When the mirroring is enabled, if a legacy CRD is created with legacy API + # groups, mirroring-controller will create a new CRD with the Spec and Labels from the legacy + # CRD. Afterwards, the modification of Spec and Label in legacy CRD will be synchronized to new + # CRD automatically. In addition, the modification of Status in new CRD will also be synchronized + # to legacy CRD automatically. If a legacy CRD is deleted, the corresponding new CRD will be deleted. + # Note that: to decouple a new CRD from the corresponding legacy CRD, the legacy CRD should be + # annotated with "crd.antrea.io/stop-mirror". Afterwards, updates to the legacy CRDs will no + # longer be reflected in the new CRD, and all CRUD operations should be done through the new + # API groups. After adding the annotation, legacy CRDs can be deleted safely without impacting + # new CRDs. 
+ #legacyCRDMirroring: true +kind: ConfigMap +metadata: + annotations: {} + labels: + app: antrea + name: antrea-config-5ct9ktdt77 + namespace: kube-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: antrea + name: antrea + namespace: kube-system +spec: + ports: + - port: 443 + protocol: TCP + targetPort: api + selector: + app: antrea + component: antrea-controller +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: antrea + component: antrea-controller + name: antrea-controller + namespace: kube-system +spec: + replicas: 1 + selector: + matchLabels: + app: antrea + component: antrea-controller + strategy: + type: Recreate + template: + metadata: + labels: + app: antrea + component: antrea-controller + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-controller.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-controller + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: SERVICEACCOUNT_NAME + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.0.0 + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /livez + port: api + scheme: HTTPS + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-controller + ports: + - containerPort: 10349 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + volumeMounts: + - mountPath: /etc/antrea/antrea-controller.conf + name: antrea-config + readOnly: true + subPath: antrea-controller.conf + - 
mountPath: /var/run/antrea/antrea-controller-tls + name: antrea-controller-tls + - mountPath: /var/log/antrea + name: host-var-log-antrea + hostNetwork: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + serviceAccountName: antrea-controller + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + volumes: + - configMap: + name: antrea-config-5ct9ktdt77 + name: antrea-config + - name: antrea-controller-tls + secret: + defaultMode: 256 + optional: true + secretName: antrea-controller-tls + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.io +spec: + group: stats.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.tanzu.vmware.com +spec: + group: stats.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.networking.antrea.tanzu.vmware.com +spec: + group: networking.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService 
+metadata: + labels: + app: antrea + name: v1beta1.system.antrea.io +spec: + group: system.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.system.antrea.tanzu.vmware.com +spec: + group: system.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.io +spec: + group: controlplane.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app: antrea + component: antrea-agent + name: antrea-agent + namespace: kube-system +spec: + selector: + matchLabels: + app: antrea + component: antrea-agent + template: + metadata: + labels: + app: antrea + component: antrea-agent + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-agent.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-agent + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.0.0 + 
livenessProbe: + exec: + command: + - /bin/sh + - -c + - container_liveness_probe agent + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-agent + ports: + - containerPort: 10350 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + securityContext: + privileged: true + volumeMounts: + - mountPath: /etc/antrea/antrea-agent.conf + name: antrea-config + readOnly: true + subPath: antrea-agent.conf + - mountPath: /var/run/antrea + name: host-var-run-antrea + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/lib/cni + name: host-var-run-antrea + subPath: cni + - mountPath: /var/log/antrea + name: host-var-log-antrea + - mountPath: /host/proc + name: host-proc + readOnly: true + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: host-var-run-netns + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + - args: + - --log_file_max_size=100 + - --log_file_max_num=4 + command: + - start_ovs + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.0.0 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - timeout 10 container_liveness_probe ovs + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 10 + name: antrea-ovs + resources: + requests: + cpu: 200m + securityContext: + capabilities: + add: + - SYS_NICE + - NET_ADMIN + - SYS_ADMIN + - IPC_LOCK + volumeMounts: + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/log/openvswitch + name: host-var-log-antrea + subPath: openvswitch + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + initContainers: + - command: + - install_cni + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.0.0 
+ name: install-cni + resources: + requests: + cpu: 100m + securityContext: + capabilities: + add: + - SYS_MODULE + volumeMounts: + - mountPath: /etc/antrea/antrea-cni.conflist + name: antrea-config + readOnly: true + subPath: antrea-cni.conflist + - mountPath: /host/etc/cni/net.d + name: host-cni-conf + - mountPath: /host/opt/cni/bin + name: host-cni-bin + - mountPath: /lib/modules + name: host-lib-modules + readOnly: true + - mountPath: /var/run/antrea + name: host-var-run-antrea + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-node-critical + serviceAccountName: antrea-agent + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + volumes: + - configMap: + name: antrea-config-5ct9ktdt77 + name: antrea-config + - hostPath: + path: /etc/cni/net.d + name: host-cni-conf + - hostPath: + path: /opt/cni/bin + name: host-cni-bin + - hostPath: + path: /proc + name: host-proc + - hostPath: + path: /var/run/netns + name: host-var-run-netns + - hostPath: + path: /var/run/antrea + type: DirectoryOrCreate + name: host-var-run-antrea + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea + - hostPath: + path: /lib/modules + name: host-lib-modules + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + updateStrategy: + type: RollingUpdate +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.io +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 
+ clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.io +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: tiervalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.io + rules: + - 
apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/anp + name: anpvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/clustergroup + name: clustergroupvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - clustergroups + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: tiervalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + 
service:
+ name: antrea
+ namespace: kube-system
+ path: /validate/anp
+ name: anpvalidator.antrea.tanzu.vmware.com
+ rules:
+ - apiGroups:
+ - security.antrea.tanzu.vmware.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - networkpolicies
+ scope: Namespaced
+ sideEffects: None
+ timeoutSeconds: 5
+- admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ service:
+ name: antrea
+ namespace: kube-system
+ path: /validate/clustergroup
+ name: clustergroupvalidator.antrea.tanzu.vmware.com
+ rules:
+ - apiGroups:
+ - core.antrea.tanzu.vmware.com
+ apiVersions:
+ - v1alpha2
+ operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ resources:
+ - clustergroups
+ scope: Cluster
+ sideEffects: None
+ timeoutSeconds: 5
diff --git a/addons/antrea/1.0.1/Manifest b/addons/antrea/1.0.1/Manifest
new file mode 100644
index 0000000000..670fd9bce4
--- /dev/null
+++ b/addons/antrea/1.0.1/Manifest
@@ -0,0 +1,3 @@
+image antrea-ubuntu projects.registry.vmware.com/antrea/antrea-ubuntu:v1.0.1
+
+asset antctl https://github.com/vmware-tanzu/antrea/releases/download/v1.0.1/antctl-Linux-x86_64
diff --git a/addons/antrea/1.0.1/install.sh b/addons/antrea/1.0.1/install.sh
new file mode 100644
index 0000000000..d73c17fc61
--- /dev/null
+++ b/addons/antrea/1.0.1/install.sh
@@ -0,0 +1,80 @@
+
+function antrea_pre_init() {
+ local src="$DIR/addons/antrea/$ANTREA_VERSION"
+
+ POD_CIDR="$ANTREA_POD_CIDR"
+ POD_CIDR_RANGE="$ANTREA_POD_CIDR_RANGE"
+
+ cp "$src/kubeadm.yaml" "$DIR/kustomize/kubeadm/init-patches/antrea.yaml"
+
+ if commandExists kubectl; then
+ EXISTING_POD_CIDR=$(kubectl -n kube-system get cm kubeadm-config -oyaml 2>/dev/null | grep podSubnet | awk '{ print $NF }')
+ fi
+}
+
+function antrea() {
+ local src="$DIR/addons/antrea/$ANTREA_VERSION"
+ local dst="$DIR/kustomize/antrea"
+
+ if antrea_weave_conflict; then
+ printf "${YELLOW}Cannot migrate from weave to antrea${NC}\n"
+ return 0
+ fi
+
+ if ! lsmod | grep ip_tables; then
+ modprobe ip_tables
+ fi
+
+ cp "$src/kustomization.yaml" "$dst/"
+
+ if [ "$ANTREA_DISABLE_ENCRYPTION" = "1" ]; then
+ cp "$src/plaintext.yaml" "$dst/"
+ insert_resources "$dst/kustomization.yaml" plaintext.yaml
+ else
+ cp "$src/ipsec.yaml" "$dst/"
+ insert_resources "$dst/kustomization.yaml" ipsec.yaml
+
+ ANTREA_IPSEC_PSK=$(kubernetes_secret_value kube-system antrea-ipsec psk)
+ if [ -z "$ANTREA_IPSEC_PSK" ]; then
+ ANTREA_IPSEC_PSK=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c9)
+ fi
+ render_yaml_file "$src/ipsec-psk.yaml" > "$dst/ipsec-psk.yaml"
+ insert_patches_strategic_merge "$dst/kustomization.yaml" ipsec-psk.yaml
+ fi
+
+ kubectl apply -k $dst
+
+ antrea_cli
+
+ check_network
+}
+
+function antrea_join() {
+ if ! lsmod | grep ip_tables; then
+ modprobe ip_tables
+ fi
+
+ if kubernetes_is_master; then
+ antrea_cli
+ fi
+}
+
+function antrea_cli() {
+ local src="$DIR/addons/antrea/$ANTREA_VERSION"
+
+ if [ ! -f "$src/assets/antctl" ] && [ "$AIRGAP" != "1" ]; then
+ mkdir -p "$src/assets"
+ curl -L --fail "https://github.com/vmware-tanzu/antrea/releases/download/v${ANTREA_VERSION}/antctl-Linux-x86_64" > "$src/assets/antctl"
+ fi
+
+ chmod +x "$src/assets/antctl"
+ # put it in the same directory as kubectl since that's always on the path
+ cp "$src/assets/antctl" "$(dirname $(which kubectl))/"
+}
+
+function antrea_weave_conflict() {
+ if [ -f /etc/cni/net.d/10-weave.conflist ]; then
+ return 0
+ fi
+ return 1
+}
diff --git a/addons/antrea/1.0.1/ipsec-psk.yaml b/addons/antrea/1.0.1/ipsec-psk.yaml
new file mode 100644
index 0000000000..8f73207965
--- /dev/null
+++ b/addons/antrea/1.0.1/ipsec-psk.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: antrea-ipsec
+ namespace: kube-system
+stringData:
+ psk: $ANTREA_IPSEC_PSK
diff --git a/addons/antrea/1.0.1/ipsec.yaml b/addons/antrea/1.0.1/ipsec.yaml
new file mode 100644
index 0000000000..6e400a147a
--- /dev/null
+++ b/addons/antrea/1.0.1/ipsec.yaml
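Review bot: antrea_cli fetches antctl from GitHub and copies it next to kubectl without any integrity check, and the redirect `> "$src/assets/antctl"` creates the destination before curl runs, so when `--fail` returns non-zero (unchecked here) a truncated antctl is left behind that the `[ ! -f "$src/assets/antctl" ]` guard will never re-download and that the following chmod/cp then place on PATH. Downloading to a temporary path, checking a pinned sha256 of the release asset (the Manifest hunk on this page records the URL but no digest), and only then moving it into place avoids both problems; see the sketch below. Separately, in antrea() the fallback PSK `tr -dc A-Za-z0-9 | head -c9` is only 9 alphanumeric characters, roughly 53 bits; `head -c32` costs nothing since, as far as this hunk shows, the value is only written into the antrea-ipsec Secret through render_yaml_file. Whether a non-zero return from antrea_cli aborts the install depends on set -e in the sourcing script, which is outside this hunk.
```shell
function antrea_cli() {
    local src="$DIR/addons/antrea/$ANTREA_VERSION"

    if [ ! -f "$src/assets/antctl" ] && [ "$AIRGAP" != "1" ]; then
        mkdir -p "$src/assets"
        # download to a temp path so a failed or partial transfer never leaves a bogus antctl behind
        if ! curl -L --fail "https://github.com/vmware-tanzu/antrea/releases/download/v${ANTREA_VERSION}/antctl-Linux-x86_64" > "$src/assets/antctl.tmp"; then
            rm -f "$src/assets/antctl.tmp"
            return 1
        fi
        # <ANTCTL_SHA256> is a placeholder: pin the digest published for this release asset
        if ! echo "<ANTCTL_SHA256>  $src/assets/antctl.tmp" | sha256sum -c - >/dev/null; then
            rm -f "$src/assets/antctl.tmp"
            return 1
        fi
        mv "$src/assets/antctl.tmp" "$src/assets/antctl"
    fi
    # … unchanged: chmod +x and copy next to kubectl …
}
```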
@@ -0,0 +1,3446 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - laai + singular: antreaagentinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - aai + singular: antreaagentinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - laci + singular: antreacontrollerinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - aci + singular: antreacontrollerinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- 
+apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ClusterGroup + plural: clustergroups + shortNames: + - lcg + singular: group + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ClusterGroup + plural: clustergroups + shortNames: + - cg + singular: group + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + 
x-kubernetes-preserve-unknown-fields: true + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - acnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + name: + type: string + ports: + items: + 
properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - lacnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + name: + type: string + ports: + items: + 
properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: egresses.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Egress + plural: egresses + shortNames: + - eg + singular: egress + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. + jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + properties: + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + egressIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + required: + - appliedTo + - egressIP + type: object + required: + - spec + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - lee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + 
properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - ee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - anp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. 
+ format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + 
namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - lanp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: 
array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Tier + plural: tiers + shortNames: + - tr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: Tier + plural: tiers + shortNames: + - ltr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. 
+ jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Traceflow + plural: traceflows + shortNames: + - tf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. + jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - description: Trace live traffic. + jsonPath: .spec.liveTraffic + name: Live-Traffic + priority: 10 + type: boolean + - description: Capture only the dropped packet. + jsonPath: .spec.droppedOnly + name: Dropped-Only + priority: 10 + type: boolean + - description: Timeout in seconds. 
+ jsonPath: .spec.timeout + name: Timeout + priority: 10 + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + droppedOnly: + type: boolean + liveTraffic: + type: boolean + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + namespace: + type: string + pod: + type: string + required: + - pod + - namespace + type: object + timeout: + type: integer + required: + - source + type: object + status: + properties: + capturedPacket: + properties: + dstIP: + type: string + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + length: + type: integer + srcIP: + type: string + transportHeader: + properties: + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + dataplaneTag: + type: 
integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.ops.antrea.tanzu.vmware.com +spec: + group: ops.antrea.tanzu.vmware.com + names: + kind: Traceflow + plural: traceflows + shortNames: + - ltf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. 
+ jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + namespace: + type: string + pod: + type: string + required: + - pod + - namespace + type: object + required: + - source + type: object + status: + properties: + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- 
+apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-agent + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-controller + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-clustergroups-edit +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-clustergroups-view +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-policies-edit +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-policies-view +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-traceflows-edit +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-traceflows-view +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antctl +rules: +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - networking.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - list +- apiGroups: + - stats.antrea.tanzu.vmware.com + - stats.antrea.io + resources: + - networkpolicystats + - antreaclusternetworkpolicystats + - antreanetworkpolicystats + verbs: + - get + - list +- apiGroups: + - system.antrea.tanzu.vmware.com + - 
system.antrea.io + resources: + - controllerinfos + - agentinfos + verbs: + - get +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - supportbundles + verbs: + - get + - post +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - supportbundles/download + verbs: + - get +- nonResourceURLs: + - /agentinfo + - /addressgroups + - /appliedtogroups + - /loglevel + - /networkpolicies + - /ovsflows + - /ovstracing + - /podinterfaces + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-agent +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - endpoints + - services + verbs: + - get + - watch + - list +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - networking.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.io + resources: + - egressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - nodestatssummaries + verbs: + - create +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies/status + verbs: + - create + - get +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: 
+ - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - ops.antrea.tanzu.vmware.com + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-cluster-identity-reader +rules: +- apiGroups: + - "" + resourceNames: + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-controller +rules: +- apiGroups: + - "" + resources: + - nodes + - pods + - namespaces + - services + verbs: + - get + - watch + - list +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - watch + - list +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1alpha1.stats.antrea.tanzu.vmware.com + - v1beta1.system.antrea.tanzu.vmware.com + - v1beta2.controlplane.antrea.tanzu.vmware.com + - v1beta1.controlplane.antrea.tanzu.vmware.com + - v1beta1.networking.antrea.tanzu.vmware.com + - v1alpha1.stats.antrea.io + 
- v1beta1.system.antrea.io + - v1beta2.controlplane.antrea.io + resources: + - apiservices + verbs: + - get + - update +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - crdmutator.antrea.tanzu.vmware.com + - crdvalidator.antrea.tanzu.vmware.com + - labelsmutator.antrea.io + - crdmutator.antrea.io + - crdvalidator.antrea.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - update +- apiGroups: + - crd.antrea.io + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + 
verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antctl +subjects: +- kind: ServiceAccount + name: antctl + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: +- kind: ServiceAccount + name: antrea-agent + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: +- kind: ServiceAccount + name: antrea-controller + namespace: kube-system +--- +apiVersion: v1 +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. 
+ featureGates: + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice + # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. + # EndpointSlice: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable NodePortLocal feature to make the pods reachable externally through NodePort + # NodePortLocal: false + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. + # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: false + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. + #ovsBridge: br-int + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: + # - system + # - netdev + # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. 
+ # Make sure it doesn't conflict with your existing interfaces. + #hostGateway: antrea-gw0 + + # Determines how traffic is encapsulated. It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. + # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. + # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + #trafficEncapMode: encap + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. + # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + #noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + tunnelType: gre + + # Default MTU to use for the host gateway interface and the network interface of each Pod. + # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + #defaultMTU: 0 + + # Whether or not to enable IPsec encryption of tunnel traffic. IPsec encryption is only supported + # for the GRE tunnel type. + enableIPSecTunnel: true + + # ClusterIP CIDR range for Services. 
It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + #serviceCIDR: 10.96.0.0/12 + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. + #serviceCIDRv6: + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + #apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + #enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. + # However, IPv6 address should be wrapped with []. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tcp" as default. We support "tcp" and "udp" + # L4 transport protocols. + #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tcp" + + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
+ #flowPollInterval: "5s" + + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #activeFlowExportTimeout: "60s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #idleFlowExportTimeout: "15s" + + # Enable TLS communication from flow exporter to flow aggregator. + #enableTLSToFlowAggregator: true + + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned + # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports), + # and all Node traffic directed to that port will be forwarded to the Pod. + #nplPortRange: 40000-41000 + + # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. + # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. + #kubeAPIServerOverride: "" + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. 
+ #tlsMinVersion: + antrea-cni.conflist: | + { + "cniVersion":"0.3.0", + "name": "antrea", + "plugins": [ + { + "type": "antrea", + "ipam": { + "type": "host-local" + } + }, + { + "type": "portmap", + "capabilities": {"portMappings": true} + }, + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + antrea-controller.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: false + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: false + + # The port for the antrea-controller APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-controller` container must be set to the same value. + #apiPort: 10349 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + #enablePrometheusMetrics: true + + # Indicates whether to use auto-generated self-signed TLS certificate. + # If false, A Secret named "antrea-controller-tls" must be provided with the following keys: + # ca.crt: + # tls.crt: + # tls.key: + # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the + # antrea-controller container. + #selfSignedCert: true + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. 
But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + #tlsMinVersion: + + # If Antrea is upgraded from version <= v0.13 and legacy CRDs are used, this option should be + # enabled, otherwise the CRDs created with the legacy API groups will not take any effect and + # work as expected. When the mirroring is enabled, if a legacy CRD is created with legacy API + # groups, mirroring-controller will create a new CRD with the Spec and Labels from the legacy + # CRD. Afterwards, the modification of Spec and Label in legacy CRD will be synchronized to new + # CRD automatically. In addition, the modification of Status in new CRD will also be synchronized + # to legacy CRD automatically. If a legacy CRD is deleted, the corresponding new CRD will be deleted. + # Note that: to decouple a new CRD from the corresponding legacy CRD, the legacy CRD should be + # annotated with "crd.antrea.io/stop-mirror". Afterwards, updates to the legacy CRDs will no + # longer be reflected in the new CRD, and all CRUD operations should be done through the new + # API groups. After adding the annotation, legacy CRDs can be deleted safely without impacting + # new CRDs. 
+ #legacyCRDMirroring: true +kind: ConfigMap +metadata: + annotations: {} + labels: + app: antrea + name: antrea-config-f57t688chc + namespace: kube-system +--- +apiVersion: v1 +kind: Secret +metadata: + name: antrea-ipsec + namespace: kube-system +stringData: + psk: changeme +type: Opaque +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: antrea + name: antrea + namespace: kube-system +spec: + ports: + - port: 443 + protocol: TCP + targetPort: api + selector: + app: antrea + component: antrea-controller +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: antrea + component: antrea-controller + name: antrea-controller + namespace: kube-system +spec: + replicas: 1 + selector: + matchLabels: + app: antrea + component: antrea-controller + strategy: + type: Recreate + template: + metadata: + labels: + app: antrea + component: antrea-controller + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-controller.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-controller + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: SERVICEACCOUNT_NAME + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.0.1 + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /livez + port: api + scheme: HTTPS + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-controller + ports: + - containerPort: 10349 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + volumeMounts: 
+ - mountPath: /etc/antrea/antrea-controller.conf + name: antrea-config + readOnly: true + subPath: antrea-controller.conf + - mountPath: /var/run/antrea/antrea-controller-tls + name: antrea-controller-tls + - mountPath: /var/log/antrea + name: host-var-log-antrea + hostNetwork: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + serviceAccountName: antrea-controller + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + volumes: + - configMap: + name: antrea-config-f57t688chc + name: antrea-config + - name: antrea-controller-tls + secret: + defaultMode: 256 + optional: true + secretName: antrea-controller-tls + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.io +spec: + group: stats.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.tanzu.vmware.com +spec: + group: stats.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.networking.antrea.tanzu.vmware.com +spec: + group: networking.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + 
namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.system.antrea.io +spec: + group: system.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.system.antrea.tanzu.vmware.com +spec: + group: system.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.io +spec: + group: controlplane.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app: antrea + component: antrea-agent + name: antrea-agent + namespace: kube-system +spec: + selector: + matchLabels: + app: antrea + component: antrea-agent + template: + metadata: + labels: + app: antrea + component: antrea-agent + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-agent.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-agent + env: + - name: ANTREA_IPSEC_PSK + valueFrom: + secretKeyRef: + key: psk + name: antrea-ipsec + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - 
name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.0.1 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - container_liveness_probe agent + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-agent + ports: + - containerPort: 10350 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + securityContext: + privileged: true + volumeMounts: + - mountPath: /etc/antrea/antrea-agent.conf + name: antrea-config + readOnly: true + subPath: antrea-agent.conf + - mountPath: /var/run/antrea + name: host-var-run-antrea + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/lib/cni + name: host-var-run-antrea + subPath: cni + - mountPath: /var/log/antrea + name: host-var-log-antrea + - mountPath: /host/proc + name: host-proc + readOnly: true + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: host-var-run-netns + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + - command: + - start_ovs_ipsec + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.0.1 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - timeout 5 container_liveness_probe ovs-ipsec + initialDelaySeconds: 5 + periodSeconds: 5 + name: antrea-ipsec + resources: + requests: + cpu: 50m + securityContext: + capabilities: + add: + - NET_ADMIN + volumeMounts: + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/log/openvswitch + name: host-var-log-antrea + subPath: openvswitch + - mountPath: /var/log/strongswan + name: host-var-log-antrea + subPath: strongswan + 
- args: + - --log_file_max_size=100 + - --log_file_max_num=4 + command: + - start_ovs + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.0.1 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - timeout 10 container_liveness_probe ovs + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 10 + name: antrea-ovs + resources: + requests: + cpu: 200m + securityContext: + capabilities: + add: + - SYS_NICE + - NET_ADMIN + - SYS_ADMIN + - IPC_LOCK + volumeMounts: + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/log/openvswitch + name: host-var-log-antrea + subPath: openvswitch + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + initContainers: + - command: + - install_cni + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.0.1 + name: install-cni + resources: + requests: + cpu: 100m + securityContext: + capabilities: + add: + - SYS_MODULE + volumeMounts: + - mountPath: /etc/antrea/antrea-cni.conflist + name: antrea-config + readOnly: true + subPath: antrea-cni.conflist + - mountPath: /host/etc/cni/net.d + name: host-cni-conf + - mountPath: /host/opt/cni/bin + name: host-cni-bin + - mountPath: /lib/modules + name: host-lib-modules + readOnly: true + - mountPath: /var/run/antrea + name: host-var-run-antrea + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-node-critical + serviceAccountName: antrea-agent + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + volumes: + - configMap: + name: antrea-config-f57t688chc + name: antrea-config + - hostPath: + path: /etc/cni/net.d + name: host-cni-conf + - hostPath: + path: /opt/cni/bin + name: host-cni-bin + - hostPath: + path: /proc + name: host-proc + - hostPath: + path: /var/run/netns + name: host-var-run-netns + - hostPath: + path: /var/run/antrea + type: DirectoryOrCreate + name: host-var-run-antrea 
+ - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea + - hostPath: + path: /lib/modules + name: host-lib-modules + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + updateStrategy: + type: RollingUpdate +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.io +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - 
v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.io +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: tiervalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/anp + name: anpvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/clustergroup + name: clustergroupvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - clustergroups + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.tanzu.vmware.com +webhooks: +- 
admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: tiervalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/anp + name: anpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/clustergroup + name: clustergroupvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - core.antrea.tanzu.vmware.com + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - clustergroups + scope: Cluster + sideEffects: None + timeoutSeconds: 5 diff --git a/addons/antrea/1.0.1/kubeadm.yaml b/addons/antrea/1.0.1/kubeadm.yaml new file mode 100644 index 0000000000..5fa4ffb370 --- /dev/null +++ b/addons/antrea/1.0.1/kubeadm.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kubeadm.k8s.io/v1beta2 +kind: ClusterConfiguration +metadata: + name: kubeadm-cluster-configuration +networking: + podSubnet: $POD_CIDR 
diff --git a/addons/antrea/1.0.1/kustomization.yaml b/addons/antrea/1.0.1/kustomization.yaml new file mode 100644 index 0000000000..2949157786 --- /dev/null +++ b/addons/antrea/1.0.1/kustomization.yaml @@ -0,0 +1 @@ +resources: diff --git a/addons/antrea/1.0.1/plaintext.yaml b/addons/antrea/1.0.1/plaintext.yaml new file mode 100644 index 0000000000..c55d8eef53 --- /dev/null +++ b/addons/antrea/1.0.1/plaintext.yaml 
@@ -0,0 +1,3403 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - laai + singular: antreaagentinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - aai + singular: antreaagentinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - laci + singular: antreacontrollerinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - aci + singular: antreacontrollerinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- 
+apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ClusterGroup + plural: clustergroups + shortNames: + - lcg + singular: group + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ClusterGroup + plural: clustergroups + shortNames: + - cg + singular: group + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + 
x-kubernetes-preserve-unknown-fields: true + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - acnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + name: + type: string + ports: + items: + 
properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - lacnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + name: + type: string + ports: + items: + 
properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: egresses.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Egress + plural: egresses + shortNames: + - eg + singular: egress + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. + jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + properties: + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + egressIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + required: + - appliedTo + - egressIP + type: object + required: + - spec + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - lee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + 
properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - ee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - anp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. 
+ format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + 
namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - lanp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + x-kubernetes-preserve-unknown-fields: true + podSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: 
array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Tier + plural: tiers + shortNames: + - tr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: Tier + plural: tiers + shortNames: + - ltr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. 
+ jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Traceflow + plural: traceflows + shortNames: + - tf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. + jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - description: Trace live traffic. + jsonPath: .spec.liveTraffic + name: Live-Traffic + priority: 10 + type: boolean + - description: Capture only the dropped packet. + jsonPath: .spec.droppedOnly + name: Dropped-Only + priority: 10 + type: boolean + - description: Timeout in seconds. 
+ jsonPath: .spec.timeout + name: Timeout + priority: 10 + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + droppedOnly: + type: boolean + liveTraffic: + type: boolean + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + namespace: + type: string + pod: + type: string + required: + - pod + - namespace + type: object + timeout: + type: integer + required: + - source + type: object + status: + properties: + capturedPacket: + properties: + dstIP: + type: string + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + length: + type: integer + srcIP: + type: string + transportHeader: + properties: + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + dataplaneTag: + type: 
integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.ops.antrea.tanzu.vmware.com +spec: + group: ops.antrea.tanzu.vmware.com + names: + kind: Traceflow + plural: traceflows + shortNames: + - ltf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. 
+ jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + namespace: + type: string + pod: + type: string + required: + - pod + - namespace + type: object + required: + - source + type: object + status: + properties: + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- 
+apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-agent + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-controller + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-clustergroups-edit +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-clustergroups-view +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-policies-edit +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-policies-view +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-traceflows-edit +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-traceflows-view +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antctl +rules: +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - networking.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - list +- apiGroups: + - stats.antrea.tanzu.vmware.com + - stats.antrea.io + resources: + - networkpolicystats + - antreaclusternetworkpolicystats + - antreanetworkpolicystats + verbs: + - get + - list +- apiGroups: + - system.antrea.tanzu.vmware.com + - 
system.antrea.io + resources: + - controllerinfos + - agentinfos + verbs: + - get +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - supportbundles + verbs: + - get + - post +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - supportbundles/download + verbs: + - get +- nonResourceURLs: + - /agentinfo + - /addressgroups + - /appliedtogroups + - /loglevel + - /networkpolicies + - /ovsflows + - /ovstracing + - /podinterfaces + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-agent +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - endpoints + - services + verbs: + - get + - watch + - list +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - networking.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.io + resources: + - egressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - nodestatssummaries + verbs: + - create +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies/status + verbs: + - create + - get +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: 
+ - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - ops.antrea.tanzu.vmware.com + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-cluster-identity-reader +rules: +- apiGroups: + - "" + resourceNames: + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-controller +rules: +- apiGroups: + - "" + resources: + - nodes + - pods + - namespaces + - services + verbs: + - get + - watch + - list +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - watch + - list +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1alpha1.stats.antrea.tanzu.vmware.com + - v1beta1.system.antrea.tanzu.vmware.com + - v1beta2.controlplane.antrea.tanzu.vmware.com + - v1beta1.controlplane.antrea.tanzu.vmware.com + - v1beta1.networking.antrea.tanzu.vmware.com + - v1alpha1.stats.antrea.io + 
- v1beta1.system.antrea.io + - v1beta2.controlplane.antrea.io + resources: + - apiservices + verbs: + - get + - update +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - crdmutator.antrea.tanzu.vmware.com + - crdvalidator.antrea.tanzu.vmware.com + - labelsmutator.antrea.io + - crdmutator.antrea.io + - crdvalidator.antrea.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - update +- apiGroups: + - crd.antrea.io + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + 
verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antctl +subjects: +- kind: ServiceAccount + name: antctl + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: +- kind: ServiceAccount + name: antrea-agent + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: +- kind: ServiceAccount + name: antrea-controller + namespace: kube-system +--- +apiVersion: v1 +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. 
+ featureGates: + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice + # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. + # EndpointSlice: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable NodePortLocal feature to make the pods reachable externally through NodePort + # NodePortLocal: false + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. + # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: false + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. + #ovsBridge: br-int + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: + # - system + # - netdev + # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. 
+ # Make sure it doesn't conflict with your existing interfaces. + #hostGateway: antrea-gw0 + + # Determines how traffic is encapsulated. It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. + # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. + # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + #trafficEncapMode: encap + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. + # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + #noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + #tunnelType: geneve + + # Default MTU to use for the host gateway interface and the network interface of each Pod. + # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + #defaultMTU: 0 + + # Whether or not to enable IPsec encryption of tunnel traffic. IPsec encryption is only supported + # for the GRE tunnel type. + #enableIPSecTunnel: false + + # ClusterIP CIDR range for Services. 
It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + #serviceCIDR: 10.96.0.0/12 + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. + #serviceCIDRv6: + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + #apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + #enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. + # However, IPv6 address should be wrapped with []. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tcp" as default. We support "tcp" and "udp" + # L4 transport protocols. + #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tcp" + + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
+ #flowPollInterval: "5s" + + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #activeFlowExportTimeout: "60s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #idleFlowExportTimeout: "15s" + + # Enable TLS communication from flow exporter to flow aggregator. + #enableTLSToFlowAggregator: true + + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned + # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports), + # and all Node traffic directed to that port will be forwarded to the Pod. + #nplPortRange: 40000-41000 + + # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. + # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. + #kubeAPIServerOverride: "" + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. 
+ #tlsMinVersion: + antrea-cni.conflist: | + { + "cniVersion":"0.3.0", + "name": "antrea", + "plugins": [ + { + "type": "antrea", + "ipam": { + "type": "host-local" + } + }, + { + "type": "portmap", + "capabilities": {"portMappings": true} + }, + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + antrea-controller.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: false + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: false + + # The port for the antrea-controller APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-controller` container must be set to the same value. + #apiPort: 10349 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + #enablePrometheusMetrics: true + + # Indicates whether to use auto-generated self-signed TLS certificate. + # If false, A Secret named "antrea-controller-tls" must be provided with the following keys: + # ca.crt: + # tls.crt: + # tls.key: + # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the + # antrea-controller container. + #selfSignedCert: true + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. 
But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + #tlsMinVersion: + + # If Antrea is upgraded from version <= v0.13 and legacy CRDs are used, this option should be + # enabled, otherwise the CRDs created with the legacy API groups will not take any effect and + # work as expected. When the mirroring is enabled, if a legacy CRD is created with legacy API + # groups, mirroring-controller will create a new CRD with the Spec and Labels from the legacy + # CRD. Afterwards, the modification of Spec and Label in legacy CRD will be synchronized to new + # CRD automatically. In addition, the modification of Status in new CRD will also be synchronized + # to legacy CRD automatically. If a legacy CRD is deleted, the corresponding new CRD will be deleted. + # Note that: to decouple a new CRD from the corresponding legacy CRD, the legacy CRD should be + # annotated with "crd.antrea.io/stop-mirror". Afterwards, updates to the legacy CRDs will no + # longer be reflected in the new CRD, and all CRUD operations should be done through the new + # API groups. After adding the annotation, legacy CRDs can be deleted safely without impacting + # new CRDs. 
+ #legacyCRDMirroring: true +kind: ConfigMap +metadata: + annotations: {} + labels: + app: antrea + name: antrea-config-5ct9ktdt77 + namespace: kube-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: antrea + name: antrea + namespace: kube-system +spec: + ports: + - port: 443 + protocol: TCP + targetPort: api + selector: + app: antrea + component: antrea-controller +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: antrea + component: antrea-controller + name: antrea-controller + namespace: kube-system +spec: + replicas: 1 + selector: + matchLabels: + app: antrea + component: antrea-controller + strategy: + type: Recreate + template: + metadata: + labels: + app: antrea + component: antrea-controller + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-controller.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-controller + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: SERVICEACCOUNT_NAME + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.0.1 + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /livez + port: api + scheme: HTTPS + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-controller + ports: + - containerPort: 10349 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + volumeMounts: + - mountPath: /etc/antrea/antrea-controller.conf + name: antrea-config + readOnly: true + subPath: antrea-controller.conf + - 
mountPath: /var/run/antrea/antrea-controller-tls + name: antrea-controller-tls + - mountPath: /var/log/antrea + name: host-var-log-antrea + hostNetwork: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + serviceAccountName: antrea-controller + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + volumes: + - configMap: + name: antrea-config-5ct9ktdt77 + name: antrea-config + - name: antrea-controller-tls + secret: + defaultMode: 256 + optional: true + secretName: antrea-controller-tls + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.io +spec: + group: stats.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.tanzu.vmware.com +spec: + group: stats.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.networking.antrea.tanzu.vmware.com +spec: + group: networking.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService 
+metadata: + labels: + app: antrea + name: v1beta1.system.antrea.io +spec: + group: system.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.system.antrea.tanzu.vmware.com +spec: + group: system.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.io +spec: + group: controlplane.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app: antrea + component: antrea-agent + name: antrea-agent + namespace: kube-system +spec: + selector: + matchLabels: + app: antrea + component: antrea-agent + template: + metadata: + labels: + app: antrea + component: antrea-agent + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-agent.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-agent + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.0.1 + 
livenessProbe: + exec: + command: + - /bin/sh + - -c + - container_liveness_probe agent + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-agent + ports: + - containerPort: 10350 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + securityContext: + privileged: true + volumeMounts: + - mountPath: /etc/antrea/antrea-agent.conf + name: antrea-config + readOnly: true + subPath: antrea-agent.conf + - mountPath: /var/run/antrea + name: host-var-run-antrea + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/lib/cni + name: host-var-run-antrea + subPath: cni + - mountPath: /var/log/antrea + name: host-var-log-antrea + - mountPath: /host/proc + name: host-proc + readOnly: true + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: host-var-run-netns + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + - args: + - --log_file_max_size=100 + - --log_file_max_num=4 + command: + - start_ovs + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.0.1 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - timeout 10 container_liveness_probe ovs + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 10 + name: antrea-ovs + resources: + requests: + cpu: 200m + securityContext: + capabilities: + add: + - SYS_NICE + - NET_ADMIN + - SYS_ADMIN + - IPC_LOCK + volumeMounts: + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/log/openvswitch + name: host-var-log-antrea + subPath: openvswitch + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + initContainers: + - command: + - install_cni + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.0.1 
+ name: install-cni + resources: + requests: + cpu: 100m + securityContext: + capabilities: + add: + - SYS_MODULE + volumeMounts: + - mountPath: /etc/antrea/antrea-cni.conflist + name: antrea-config + readOnly: true + subPath: antrea-cni.conflist + - mountPath: /host/etc/cni/net.d + name: host-cni-conf + - mountPath: /host/opt/cni/bin + name: host-cni-bin + - mountPath: /lib/modules + name: host-lib-modules + readOnly: true + - mountPath: /var/run/antrea + name: host-var-run-antrea + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-node-critical + serviceAccountName: antrea-agent + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + volumes: + - configMap: + name: antrea-config-5ct9ktdt77 + name: antrea-config + - hostPath: + path: /etc/cni/net.d + name: host-cni-conf + - hostPath: + path: /opt/cni/bin + name: host-cni-bin + - hostPath: + path: /proc + name: host-proc + - hostPath: + path: /var/run/netns + name: host-var-run-netns + - hostPath: + path: /var/run/antrea + type: DirectoryOrCreate + name: host-var-run-antrea + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea + - hostPath: + path: /lib/modules + name: host-lib-modules + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + updateStrategy: + type: RollingUpdate +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.io +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 
+ clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.io +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: tiervalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.io + rules: + - 
apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/anp + name: anpvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/clustergroup + name: clustergroupvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - clustergroups + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: tiervalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + 
service:
+ name: antrea
+ namespace: kube-system
+ path: /validate/anp
+ name: anpvalidator.antrea.tanzu.vmware.com
+ rules:
+ - apiGroups:
+ - security.antrea.tanzu.vmware.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - networkpolicies
+ scope: Namespaced
+ sideEffects: None
+ timeoutSeconds: 5
+- admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ service:
+ name: antrea
+ namespace: kube-system
+ path: /validate/clustergroup
+ name: clustergroupvalidator.antrea.tanzu.vmware.com
+ rules:
+ - apiGroups:
+ - core.antrea.tanzu.vmware.com
+ apiVersions:
+ - v1alpha2
+ operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ resources:
+ - clustergroups
+ scope: Cluster
+ sideEffects: None
+ timeoutSeconds: 5
diff --git a/addons/antrea/1.1.0/Manifest b/addons/antrea/1.1.0/Manifest
new file mode 100644
index 0000000000..d74cff80f6
--- /dev/null
+++ b/addons/antrea/1.1.0/Manifest
@@ -0,0 +1,3 @@
+image antrea-ubuntu projects.registry.vmware.com/antrea/antrea-ubuntu:v1.1.0
+
+asset antctl https://github.com/vmware-tanzu/antrea/releases/download/v1.1.0/antctl-Linux-x86_64
diff --git a/addons/antrea/1.1.0/install.sh b/addons/antrea/1.1.0/install.sh
new file mode 100644
index 0000000000..d73c17fc61
--- /dev/null
+++ b/addons/antrea/1.1.0/install.sh
@@ -0,0 +1,80 @@
+
+function antrea_pre_init() {
+ local src="$DIR/addons/antrea/$ANTREA_VERSION"
+
+ POD_CIDR="$ANTREA_POD_CIDR"
+ POD_CIDR_RANGE="$ANTREA_POD_CIDR_RANGE"
+
+ cp "$src/kubeadm.yaml" "$DIR/kustomize/kubeadm/init-patches/antrea.yaml"
+
+ if commandExists kubectl; then
+ EXISTING_POD_CIDR=$(kubectl -n kube-system get cm kubeadm-config -oyaml 2>/dev/null | grep podSubnet | awk '{ print $NF }')
+ fi
+}
+
+function antrea() {
+ local src="$DIR/addons/antrea/$ANTREA_VERSION"
+ local dst="$DIR/kustomize/antrea"
+
+ if antrea_weave_conflict; then
+ printf "${YELLOW}Cannot migrate from weave to antrea${NC}\n"
+ return 0
+ fi
+
+ if ! lsmod | grep ip_tables; then
+ modprobe ip_tables
+ fi
+
+ cp "$src/kustomization.yaml" "$dst/"
+
+ if [ "$ANTREA_DISABLE_ENCRYPTION" = "1" ]; then
+ cp "$src/plaintext.yaml" "$dst/"
+ insert_resources "$dst/kustomization.yaml" plaintext.yaml
+ else
+ cp "$src/ipsec.yaml" "$dst/"
+ insert_resources "$dst/kustomization.yaml" ipsec.yaml
+
+ ANTREA_IPSEC_PSK=$(kubernetes_secret_value kube-system antrea-ipsec psk)
+ if [ -z "$ANTREA_IPSEC_PSK" ]; then
+ ANTREA_IPSEC_PSK=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c9)
+ fi
+ render_yaml_file "$src/ipsec-psk.yaml" > "$dst/ipsec-psk.yaml"
+ insert_patches_strategic_merge "$dst/kustomization.yaml" ipsec-psk.yaml
+ fi
+
+ kubectl apply -k $dst
+
+ antrea_cli
+
+ check_network
+}
+
+function antrea_join() {
+ if ! lsmod | grep ip_tables; then
+ modprobe ip_tables
+ fi
+
+ if kubernetes_is_master; then
+ antrea_cli
+ fi
+}
+
+function antrea_cli() {
+ local src="$DIR/addons/antrea/$ANTREA_VERSION"
+
+ if [ ! -f "$src/assets/antctl" ] && [ "$AIRGAP" != "1" ]; then
+ mkdir -p "$src/assets"
+ curl -L --fail "https://github.com/vmware-tanzu/antrea/releases/download/v${ANTREA_VERSION}/antctl-Linux-x86_64" > "$src/assets/antctl"
+ fi
+
+ chmod +x "$src/assets/antctl"
+ # put it in the same directory as kubectl since that's always on the path
+ cp "$src/assets/antctl" "$(dirname $(which kubectl))/"
+}
+
+function antrea_weave_conflict() {
+ if [ -f /etc/cni/net.d/10-weave.conflist ]; then
+ return 0
+ fi
+ return 1
+}
diff --git a/addons/antrea/1.1.0/ipsec-psk.yaml b/addons/antrea/1.1.0/ipsec-psk.yaml
new file mode 100644
index 0000000000..8f73207965
--- /dev/null
+++ b/addons/antrea/1.1.0/ipsec-psk.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: antrea-ipsec
+ namespace: kube-system
+stringData:
+ psk: $ANTREA_IPSEC_PSK
diff --git a/addons/antrea/1.1.0/ipsec.yaml b/addons/antrea/1.1.0/ipsec.yaml
new file mode 100644
index 0000000000..5fdecbe0cf
--- /dev/null
+++ b/addons/antrea/1.1.0/ipsec.yaml
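Review bot: The IPsec pre-shared key that antrea() generates when no secret exists yet is only nine alphanumeric characters (`head -c9`), about 53 bits of entropy, which is short for a key that Antrea's IPsec mode relies on; `ANTREA_IPSEC_PSK=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c32)` costs nothing, and the kubernetes_secret_value lookup just above already keeps the value stable across re-runs. In antrea_cli the antctl binary fetched with curl is made executable and copied into kubectl's directory without any integrity check, so the release artefact should be verified against a recorded digest before the chmod/cp, e.g. `echo "<EXPECTED_SHA256>  $src/assets/antctl" | sha256sum -c -` with the digest kept next to the asset entry in the Manifest. The chmod and cp also run unconditionally, so on an airgap install whose bundle lacks assets/antctl they fail on a missing path; guarding them with `[ -f "$src/assets/antctl" ]` would let that path degrade cleanly. Minor: `kubectl apply -k $dst` should quote `"$dst"` like every other path in the file.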
@@ -0,0 +1,4569 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - laai + singular: antreaagentinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - aai + singular: antreaagentinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - laci + singular: antreacontrollerinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - aci + singular: antreacontrollerinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- 
+apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ClusterGroup + plural: clustergroups + shortNames: + - lcg + singular: group + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + 
subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.crd.antrea.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: antrea + namespace: kube-system + path: /convert/clustergroup + conversionReviewVersions: + - v1 + - v1beta1 + group: crd.antrea.io + names: + kind: ClusterGroup + plural: clustergroups + shortNames: + - cg + singular: group + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + 
properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: false + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + 
kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - acnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - 
Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - 
Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: 
string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - lacnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + 
protocol: + type: string + type: object + type: array + to: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: 
object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: egresses.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Egress + plural: egresses + shortNames: + - eg + singular: egress + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. 
+ jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + properties: + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + egressIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + required: + - appliedTo + - egressIP + type: object + required: + - spec + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - lee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + 
served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - ee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - anp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + 
type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + 
values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - lanp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + 
type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + 
values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Tier + plural: tiers + shortNames: + - tr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: Tier + plural: tiers + shortNames: + - ltr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. 
+ jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Traceflow + plural: traceflows + shortNames: + - tf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. + jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - description: Trace live traffic. + jsonPath: .spec.liveTraffic + name: Live-Traffic + priority: 10 + type: boolean + - description: Capture only the dropped packet. + jsonPath: .spec.droppedOnly + name: Dropped-Only + priority: 10 + type: boolean + - description: Timeout in seconds. 
+ jsonPath: .spec.timeout + name: Timeout + priority: 10 + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + droppedOnly: + type: boolean + liveTraffic: + type: boolean + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + type: object + timeout: + type: integer + type: object + status: + properties: + capturedPacket: + properties: + dstIP: + type: string + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + length: + type: integer + srcIP: + type: string + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + 
srcPort: + type: integer + type: object + type: object + type: object + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.ops.antrea.tanzu.vmware.com +spec: + group: ops.antrea.tanzu.vmware.com + names: + kind: Traceflow + plural: traceflows + shortNames: + - ltf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. 
+ jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + namespace: + type: string + pod: + type: string + required: + - pod + - namespace + type: object + required: + - source + type: object + status: + properties: + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- 
+apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-agent + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-controller + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-clustergroups-edit +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-clustergroups-view +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-policies-edit +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-policies-view +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-traceflows-edit +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-traceflows-view +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antctl +rules: +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - networking.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - list +- apiGroups: + - stats.antrea.tanzu.vmware.com + - stats.antrea.io + resources: + - networkpolicystats + - antreaclusternetworkpolicystats + - antreanetworkpolicystats + verbs: + - get + - list +- apiGroups: + - system.antrea.tanzu.vmware.com + - 
system.antrea.io + resources: + - controllerinfos + - agentinfos + verbs: + - get +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - supportbundles + verbs: + - get + - post +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - supportbundles/download + verbs: + - get +- nonResourceURLs: + - /agentinfo + - /addressgroups + - /appliedtogroups + - /loglevel + - /networkpolicies + - /ovsflows + - /ovstracing + - /podinterfaces + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-agent +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - endpoints + - services + verbs: + - get + - watch + - list +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - networking.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.io + resources: + - egressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - nodestatssummaries + verbs: + - create +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies/status + verbs: + - create + - get +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- 
apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - ops.antrea.tanzu.vmware.com + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-cluster-identity-reader +rules: +- apiGroups: + - "" + resourceNames: + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-controller +rules: +- apiGroups: + - "" + resources: + - nodes + - pods + - namespaces + - services + verbs: + - get + - watch + - list +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - watch + - list +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - update +- apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1alpha1.stats.antrea.tanzu.vmware.com + - v1beta1.system.antrea.tanzu.vmware.com + - v1beta2.controlplane.antrea.tanzu.vmware.com + - 
v1beta1.controlplane.antrea.tanzu.vmware.com + - v1beta1.networking.antrea.tanzu.vmware.com + - v1alpha1.stats.antrea.io + - v1beta1.system.antrea.io + - v1beta2.controlplane.antrea.io + resources: + - apiservices + verbs: + - get + - update +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - crdmutator.antrea.tanzu.vmware.com + - crdvalidator.antrea.tanzu.vmware.com + - labelsmutator.antrea.io + - crdmutator.antrea.io + - crdvalidator.antrea.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - update +- apiGroups: + - crd.antrea.io + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreaagentinfos + verbs: + - list + - 
delete +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antctl +subjects: +- kind: ServiceAccount + name: antctl + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: +- kind: ServiceAccount + name: antrea-agent + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: +- kind: ServiceAccount + name: antrea-controller + namespace: kube-system +--- +apiVersion: v1 +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable 
experimental features. + featureGates: + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice + # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. + # EndpointSlice: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable NodePortLocal feature to make the pods reachable externally through NodePort + # NodePortLocal: false + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. + # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: false + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. + #ovsBridge: br-int + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: + # - system + # - netdev + # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. 
+ # Make sure it doesn't conflict with your existing interfaces. + #hostGateway: antrea-gw0 + + # Determines how traffic is encapsulated. It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. + # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. + # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + #trafficEncapMode: encap + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. + # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + #noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + tunnelType: gre + + # Default MTU to use for the host gateway interface and the network interface of each Pod. + # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + #defaultMTU: 0 + + # Whether or not to enable IPsec encryption of tunnel traffic. IPsec encryption is only supported + # for the GRE tunnel type. + enableIPSecTunnel: true + + # ClusterIP CIDR range for Services. 
It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + #serviceCIDR: 10.96.0.0/12 + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. + #serviceCIDRv6: + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + #apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + #enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. + # However, IPv6 address should be wrapped with []. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" + + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). 
+ # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #flowPollInterval: "5s" + + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #activeFlowExportTimeout: "30s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #idleFlowExportTimeout: "15s" + + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned + # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports), + # and all Node traffic directed to that port will be forwarded to the Pod. + #nplPortRange: 40000-41000 + + # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. + # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. + #kubeAPIServerOverride: "" + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. 
+ #tlsMinVersion: + antrea-cni.conflist: | + { + "cniVersion":"0.3.0", + "name": "antrea", + "plugins": [ + { + "type": "antrea", + "ipam": { + "type": "host-local" + } + }, + { + "type": "portmap", + "capabilities": {"portMappings": true} + }, + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + antrea-controller.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: false + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: false + + # The port for the antrea-controller APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-controller` container must be set to the same value. + #apiPort: 10349 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + #enablePrometheusMetrics: true + + # Indicates whether to use auto-generated self-signed TLS certificate. + # If false, A Secret named "antrea-controller-tls" must be provided with the following keys: + # ca.crt: + # tls.crt: + # tls.key: + # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the + # antrea-controller container. + #selfSignedCert: true + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. 
But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + #tlsMinVersion: + + # If Antrea is upgraded from version <= v0.13 and legacy CRDs are used, this option should be + # enabled, otherwise the CRDs created with the legacy API groups will not take any effect and + # work as expected. When the mirroring is enabled, if a legacy CRD is created with legacy API + # groups, mirroring-controller will create a new CRD with the Spec and Labels from the legacy + # CRD. Afterwards, the modification of Spec and Label in legacy CRD will be synchronized to new + # CRD automatically. In addition, the modification of Status in new CRD will also be synchronized + # to legacy CRD automatically. If a legacy CRD is deleted, the corresponding new CRD will be deleted. + # Note that: to decouple a new CRD from the corresponding legacy CRD, the legacy CRD should be + # annotated with "crd.antrea.io/stop-mirror". Afterwards, updates to the legacy CRDs will no + # longer be reflected in the new CRD, and all CRUD operations should be done through the new + # API groups. After adding the annotation, legacy CRDs can be deleted safely without impacting + # new CRDs. 
+ #legacyCRDMirroring: true +kind: ConfigMap +metadata: + annotations: {} + labels: + app: antrea + name: antrea-config-h5kbhh859d + namespace: kube-system +--- +apiVersion: v1 +kind: Secret +metadata: + name: antrea-ipsec + namespace: kube-system +stringData: + psk: changeme +type: Opaque +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: antrea + name: antrea + namespace: kube-system +spec: + ports: + - port: 443 + protocol: TCP + targetPort: api + selector: + app: antrea + component: antrea-controller +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: antrea + component: antrea-controller + name: antrea-controller + namespace: kube-system +spec: + replicas: 1 + selector: + matchLabels: + app: antrea + component: antrea-controller + strategy: + type: Recreate + template: + metadata: + labels: + app: antrea + component: antrea-controller + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-controller.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-controller + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: SERVICEACCOUNT_NAME + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.1.0 + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /livez + port: api + scheme: HTTPS + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-controller + ports: + - containerPort: 10349 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + volumeMounts: 
+ - mountPath: /etc/antrea/antrea-controller.conf + name: antrea-config + readOnly: true + subPath: antrea-controller.conf + - mountPath: /var/run/antrea/antrea-controller-tls + name: antrea-controller-tls + - mountPath: /var/log/antrea + name: host-var-log-antrea + hostNetwork: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + serviceAccountName: antrea-controller + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + volumes: + - configMap: + name: antrea-config-h5kbhh859d + name: antrea-config + - name: antrea-controller-tls + secret: + defaultMode: 256 + optional: true + secretName: antrea-controller-tls + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.io +spec: + group: stats.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.tanzu.vmware.com +spec: + group: stats.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.networking.antrea.tanzu.vmware.com +spec: + group: networking.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + 
namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.system.antrea.io +spec: + group: system.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.system.antrea.tanzu.vmware.com +spec: + group: system.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.io +spec: + group: controlplane.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app: antrea + component: antrea-agent + name: antrea-agent + namespace: kube-system +spec: + selector: + matchLabels: + app: antrea + component: antrea-agent + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: antrea-agent + labels: + app: antrea + component: antrea-agent + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-agent.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-agent + env: + - name: ANTREA_IPSEC_PSK + valueFrom: + secretKeyRef: + key: psk + name: antrea-ipsec + - 
name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.1.0 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - container_liveness_probe agent + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-agent + ports: + - containerPort: 10350 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + securityContext: + privileged: true + volumeMounts: + - mountPath: /etc/antrea/antrea-agent.conf + name: antrea-config + readOnly: true + subPath: antrea-agent.conf + - mountPath: /var/run/antrea + name: host-var-run-antrea + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/lib/cni + name: host-var-run-antrea + subPath: cni + - mountPath: /var/log/antrea + name: host-var-log-antrea + - mountPath: /host/proc + name: host-proc + readOnly: true + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: host-var-run-netns + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + - command: + - start_ovs_ipsec + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.1.0 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - timeout 5 container_liveness_probe ovs-ipsec + initialDelaySeconds: 5 + periodSeconds: 5 + name: antrea-ipsec + resources: + requests: + cpu: 50m + securityContext: + capabilities: + add: + - NET_ADMIN + volumeMounts: + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/log/openvswitch + name: host-var-log-antrea + subPath: openvswitch + - mountPath: 
/var/log/strongswan + name: host-var-log-antrea + subPath: strongswan + - args: + - --log_file_max_size=100 + - --log_file_max_num=4 + command: + - start_ovs + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.1.0 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - timeout 10 container_liveness_probe ovs + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 10 + name: antrea-ovs + resources: + requests: + cpu: 200m + securityContext: + capabilities: + add: + - SYS_NICE + - NET_ADMIN + - SYS_ADMIN + - IPC_LOCK + volumeMounts: + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/log/openvswitch + name: host-var-log-antrea + subPath: openvswitch + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + initContainers: + - command: + - install_cni + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.1.0 + name: install-cni + resources: + requests: + cpu: 100m + securityContext: + capabilities: + add: + - SYS_MODULE + volumeMounts: + - mountPath: /etc/antrea/antrea-cni.conflist + name: antrea-config + readOnly: true + subPath: antrea-cni.conflist + - mountPath: /host/etc/cni/net.d + name: host-cni-conf + - mountPath: /host/opt/cni/bin + name: host-cni-bin + - mountPath: /lib/modules + name: host-lib-modules + readOnly: true + - mountPath: /var/run/antrea + name: host-var-run-antrea + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-node-critical + serviceAccountName: antrea-agent + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + volumes: + - configMap: + name: antrea-config-h5kbhh859d + name: antrea-config + - hostPath: + path: /etc/cni/net.d + name: host-cni-conf + - hostPath: + path: /opt/cni/bin + name: host-cni-bin + - hostPath: + path: /proc + name: host-proc + - hostPath: + path: /var/run/netns + name: host-var-run-netns + - hostPath: + 
path: /var/run/antrea + type: DirectoryOrCreate + name: host-var-run-antrea + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea + - hostPath: + path: /lib/modules + name: host-lib-modules + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + updateStrategy: + type: RollingUpdate +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.io +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.tanzu.vmware.com + 
rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.io +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: tiervalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/anp + name: anpvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/clustergroup + name: clustergroupvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha3 + - v1alpha2 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - clustergroups + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + 
app: antrea + name: crdvalidator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: tiervalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/anp + name: anpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/clustergroup + name: clustergroupvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - core.antrea.tanzu.vmware.com + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - clustergroups + scope: Cluster + sideEffects: None + timeoutSeconds: 5 diff --git a/addons/antrea/1.1.0/kubeadm.yaml b/addons/antrea/1.1.0/kubeadm.yaml new file mode 100644 index 0000000000..5fa4ffb370 --- /dev/null +++ b/addons/antrea/1.1.0/kubeadm.yaml 
@@ -0,0 +1,7 @@
+---
+apiVersion: kubeadm.k8s.io/v1beta2
+kind: ClusterConfiguration
+metadata:
+ name: kubeadm-cluster-configuration
+networking:
+ podSubnet: $POD_CIDR
diff --git a/addons/antrea/1.1.0/kustomization.yaml b/addons/antrea/1.1.0/kustomization.yaml
new file mode 100644
index 0000000000..2949157786
--- /dev/null
+++ b/addons/antrea/1.1.0/kustomization.yaml
@@ -0,0 +1 @@
+resources:
diff --git a/addons/antrea/1.1.0/plaintext.yaml b/addons/antrea/1.1.0/plaintext.yaml
new file mode 100644
index 0000000000..1e4d4d5b2a
--- /dev/null
+++ b/addons/antrea/1.1.0/plaintext.yaml
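Review bot: `podSubnet: $POD_CIDR` on the last line of kubeadm.yaml is a shell-style placeholder left in a kubeadm ClusterConfiguration with nothing in the file saying what expands it; if this file were ever handed to kubeadm unsubstituted, `$POD_CIDR` is not a valid CIDR and the configuration would be rejected. Presumably the addon's install script performs the substitution before use, but that contract belongs in the template itself, e.g. `# $POD_CIDR is replaced by the addon installer before this file is passed to kubeadm; do not apply it verbatim.` placed above `networking:`. The `kubeadm.k8s.io/v1beta2` API version would also benefit from a one-line comment naming the kubeadm releases this addon version targets, since later kubeadm releases have deprecated that config version.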
@@ -0,0 +1,4526 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - laai + singular: antreaagentinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - aai + singular: antreaagentinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - laci + singular: antreacontrollerinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - aci + singular: antreacontrollerinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- 
+apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ClusterGroup + plural: clustergroups + shortNames: + - lcg + singular: group + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + 
subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.crd.antrea.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: antrea + namespace: kube-system + path: /convert/clustergroup + conversionReviewVersions: + - v1 + - v1beta1 + group: crd.antrea.io + names: + kind: ClusterGroup + plural: clustergroups + shortNames: + - cg + singular: group + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + 
properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: false + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + 
kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - acnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - 
Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - 
Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: 
string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - lacnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + 
protocol: + type: string + type: object + type: array + to: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: 
object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: egresses.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Egress + plural: egresses + shortNames: + - eg + singular: egress + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. 
+ jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + properties: + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + egressIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + required: + - appliedTo + - egressIP + type: object + required: + - spec + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - lee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + 
served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - ee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - anp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + 
type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + 
values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - lanp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + 
type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + 
values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Tier + plural: tiers + shortNames: + - tr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: Tier + plural: tiers + shortNames: + - ltr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. 
+ jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Traceflow + plural: traceflows + shortNames: + - tf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. + jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - description: Trace live traffic. + jsonPath: .spec.liveTraffic + name: Live-Traffic + priority: 10 + type: boolean + - description: Capture only the dropped packet. + jsonPath: .spec.droppedOnly + name: Dropped-Only + priority: 10 + type: boolean + - description: Timeout in seconds. 
+ jsonPath: .spec.timeout + name: Timeout + priority: 10 + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + droppedOnly: + type: boolean + liveTraffic: + type: boolean + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + type: object + timeout: + type: integer + type: object + status: + properties: + capturedPacket: + properties: + dstIP: + type: string + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + length: + type: integer + srcIP: + type: string + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + 
srcPort: + type: integer + type: object + type: object + type: object + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.ops.antrea.tanzu.vmware.com +spec: + group: ops.antrea.tanzu.vmware.com + names: + kind: Traceflow + plural: traceflows + shortNames: + - ltf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. 
+ jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + namespace: + type: string + pod: + type: string + required: + - pod + - namespace + type: object + required: + - source + type: object + status: + properties: + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- 
+apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-agent + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-controller + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-clustergroups-edit +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-clustergroups-view +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-policies-edit +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-policies-view +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-traceflows-edit +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-traceflows-view +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antctl +rules: +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - networking.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - list +- apiGroups: + - stats.antrea.tanzu.vmware.com + - stats.antrea.io + resources: + - networkpolicystats + - antreaclusternetworkpolicystats + - antreanetworkpolicystats + verbs: + - get + - list +- apiGroups: + - system.antrea.tanzu.vmware.com + - 
system.antrea.io + resources: + - controllerinfos + - agentinfos + verbs: + - get +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - supportbundles + verbs: + - get + - post +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - supportbundles/download + verbs: + - get +- nonResourceURLs: + - /agentinfo + - /addressgroups + - /appliedtogroups + - /loglevel + - /networkpolicies + - /ovsflows + - /ovstracing + - /podinterfaces + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-agent +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - endpoints + - services + verbs: + - get + - watch + - list +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - networking.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.io + resources: + - egressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - nodestatssummaries + verbs: + - create +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies/status + verbs: + - create + - get +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- 
apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - ops.antrea.tanzu.vmware.com + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-cluster-identity-reader +rules: +- apiGroups: + - "" + resourceNames: + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-controller +rules: +- apiGroups: + - "" + resources: + - nodes + - pods + - namespaces + - services + verbs: + - get + - watch + - list +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - watch + - list +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - update +- apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1alpha1.stats.antrea.tanzu.vmware.com + - v1beta1.system.antrea.tanzu.vmware.com + - v1beta2.controlplane.antrea.tanzu.vmware.com + - 
v1beta1.controlplane.antrea.tanzu.vmware.com + - v1beta1.networking.antrea.tanzu.vmware.com + - v1alpha1.stats.antrea.io + - v1beta1.system.antrea.io + - v1beta2.controlplane.antrea.io + resources: + - apiservices + verbs: + - get + - update +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - crdmutator.antrea.tanzu.vmware.com + - crdvalidator.antrea.tanzu.vmware.com + - labelsmutator.antrea.io + - crdmutator.antrea.io + - crdvalidator.antrea.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - update +- apiGroups: + - crd.antrea.io + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreaagentinfos + verbs: + - list + - 
delete +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antctl +subjects: +- kind: ServiceAccount + name: antctl + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: +- kind: ServiceAccount + name: antrea-agent + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: +- kind: ServiceAccount + name: antrea-controller + namespace: kube-system +--- +apiVersion: v1 +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable 
experimental features. + featureGates: + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice + # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. + # EndpointSlice: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable NodePortLocal feature to make the pods reachable externally through NodePort + # NodePortLocal: false + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. + # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: false + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. + #ovsBridge: br-int + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: + # - system + # - netdev + # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. 
+ # Make sure it doesn't conflict with your existing interfaces. + #hostGateway: antrea-gw0 + + # Determines how traffic is encapsulated. It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. + # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. + # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + #trafficEncapMode: encap + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. + # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + #noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + #tunnelType: geneve + + # Default MTU to use for the host gateway interface and the network interface of each Pod. + # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + #defaultMTU: 0 + + # Whether or not to enable IPsec encryption of tunnel traffic. IPsec encryption is only supported + # for the GRE tunnel type. + #enableIPSecTunnel: false + + # ClusterIP CIDR range for Services. 
It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + #serviceCIDR: 10.96.0.0/12 + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. + #serviceCIDRv6: + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + #apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + #enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. + # However, IPv6 address should be wrapped with []. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" + + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). 
+ # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #flowPollInterval: "5s" + + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #activeFlowExportTimeout: "30s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #idleFlowExportTimeout: "15s" + + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned + # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports), + # and all Node traffic directed to that port will be forwarded to the Pod. + #nplPortRange: 40000-41000 + + # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. + # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. + #kubeAPIServerOverride: "" + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. 
+ #tlsMinVersion: + antrea-cni.conflist: | + { + "cniVersion":"0.3.0", + "name": "antrea", + "plugins": [ + { + "type": "antrea", + "ipam": { + "type": "host-local" + } + }, + { + "type": "portmap", + "capabilities": {"portMappings": true} + }, + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + antrea-controller.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: false + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: false + + # The port for the antrea-controller APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-controller` container must be set to the same value. + #apiPort: 10349 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + #enablePrometheusMetrics: true + + # Indicates whether to use auto-generated self-signed TLS certificate. + # If false, A Secret named "antrea-controller-tls" must be provided with the following keys: + # ca.crt: + # tls.crt: + # tls.key: + # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the + # antrea-controller container. + #selfSignedCert: true + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. 
But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + #tlsMinVersion: + + # If Antrea is upgraded from version <= v0.13 and legacy CRDs are used, this option should be + # enabled, otherwise the CRDs created with the legacy API groups will not take any effect and + # work as expected. When the mirroring is enabled, if a legacy CRD is created with legacy API + # groups, mirroring-controller will create a new CRD with the Spec and Labels from the legacy + # CRD. Afterwards, the modification of Spec and Label in legacy CRD will be synchronized to new + # CRD automatically. In addition, the modification of Status in new CRD will also be synchronized + # to legacy CRD automatically. If a legacy CRD is deleted, the corresponding new CRD will be deleted. + # Note that: to decouple a new CRD from the corresponding legacy CRD, the legacy CRD should be + # annotated with "crd.antrea.io/stop-mirror". Afterwards, updates to the legacy CRDs will no + # longer be reflected in the new CRD, and all CRUD operations should be done through the new + # API groups. After adding the annotation, legacy CRDs can be deleted safely without impacting + # new CRDs. 
+ #legacyCRDMirroring: true +kind: ConfigMap +metadata: + annotations: {} + labels: + app: antrea + name: antrea-config-cbfh568k9m + namespace: kube-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: antrea + name: antrea + namespace: kube-system +spec: + ports: + - port: 443 + protocol: TCP + targetPort: api + selector: + app: antrea + component: antrea-controller +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: antrea + component: antrea-controller + name: antrea-controller + namespace: kube-system +spec: + replicas: 1 + selector: + matchLabels: + app: antrea + component: antrea-controller + strategy: + type: Recreate + template: + metadata: + labels: + app: antrea + component: antrea-controller + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-controller.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-controller + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: SERVICEACCOUNT_NAME + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.1.0 + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /livez + port: api + scheme: HTTPS + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-controller + ports: + - containerPort: 10349 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + volumeMounts: + - mountPath: /etc/antrea/antrea-controller.conf + name: antrea-config + readOnly: true + subPath: antrea-controller.conf + - 
mountPath: /var/run/antrea/antrea-controller-tls + name: antrea-controller-tls + - mountPath: /var/log/antrea + name: host-var-log-antrea + hostNetwork: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + serviceAccountName: antrea-controller + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + volumes: + - configMap: + name: antrea-config-cbfh568k9m + name: antrea-config + - name: antrea-controller-tls + secret: + defaultMode: 256 + optional: true + secretName: antrea-controller-tls + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.io +spec: + group: stats.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.tanzu.vmware.com +spec: + group: stats.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.networking.antrea.tanzu.vmware.com +spec: + group: networking.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService 
+metadata: + labels: + app: antrea + name: v1beta1.system.antrea.io +spec: + group: system.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.system.antrea.tanzu.vmware.com +spec: + group: system.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.io +spec: + group: controlplane.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app: antrea + component: antrea-agent + name: antrea-agent + namespace: kube-system +spec: + selector: + matchLabels: + app: antrea + component: antrea-agent + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: antrea-agent + labels: + app: antrea + component: antrea-agent + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-agent.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-agent + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName 
+ image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.1.0 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - container_liveness_probe agent + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-agent + ports: + - containerPort: 10350 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + securityContext: + privileged: true + volumeMounts: + - mountPath: /etc/antrea/antrea-agent.conf + name: antrea-config + readOnly: true + subPath: antrea-agent.conf + - mountPath: /var/run/antrea + name: host-var-run-antrea + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/lib/cni + name: host-var-run-antrea + subPath: cni + - mountPath: /var/log/antrea + name: host-var-log-antrea + - mountPath: /host/proc + name: host-proc + readOnly: true + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: host-var-run-netns + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + - args: + - --log_file_max_size=100 + - --log_file_max_num=4 + command: + - start_ovs + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.1.0 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - timeout 10 container_liveness_probe ovs + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 10 + name: antrea-ovs + resources: + requests: + cpu: 200m + securityContext: + capabilities: + add: + - SYS_NICE + - NET_ADMIN + - SYS_ADMIN + - IPC_LOCK + volumeMounts: + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/log/openvswitch + name: host-var-log-antrea + subPath: openvswitch + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + initContainers: + - command: + - 
install_cni + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.1.0 + name: install-cni + resources: + requests: + cpu: 100m + securityContext: + capabilities: + add: + - SYS_MODULE + volumeMounts: + - mountPath: /etc/antrea/antrea-cni.conflist + name: antrea-config + readOnly: true + subPath: antrea-cni.conflist + - mountPath: /host/etc/cni/net.d + name: host-cni-conf + - mountPath: /host/opt/cni/bin + name: host-cni-bin + - mountPath: /lib/modules + name: host-lib-modules + readOnly: true + - mountPath: /var/run/antrea + name: host-var-run-antrea + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-node-critical + serviceAccountName: antrea-agent + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + volumes: + - configMap: + name: antrea-config-cbfh568k9m + name: antrea-config + - hostPath: + path: /etc/cni/net.d + name: host-cni-conf + - hostPath: + path: /opt/cni/bin + name: host-cni-bin + - hostPath: + path: /proc + name: host-proc + - hostPath: + path: /var/run/netns + name: host-var-run-netns + - hostPath: + path: /var/run/antrea + type: DirectoryOrCreate + name: host-var-run-antrea + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea + - hostPath: + path: /lib/modules + name: host-lib-modules + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + updateStrategy: + type: RollingUpdate +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.io +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + 
sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.io +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: tiervalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + 
namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/anp + name: anpvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/clustergroup + name: clustergroupvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha3 + - v1alpha2 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - clustergroups + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: tiervalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + 
sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/anp + name: anpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/clustergroup + name: clustergroupvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - core.antrea.tanzu.vmware.com + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - clustergroups + scope: Cluster + sideEffects: None + timeoutSeconds: 5 diff --git a/addons/antrea/1.2.0/Manifest b/addons/antrea/1.2.0/Manifest new file mode 100644 index 0000000000..cde926ed8f --- /dev/null +++ b/addons/antrea/1.2.0/Manifest @@ -0,0 +1,3 @@ +image antrea-ubuntu projects.registry.vmware.com/antrea/antrea-ubuntu:v1.2.0 + +asset antctl https://github.com/vmware-tanzu/antrea/releases/download/v1.2.0/antctl-Linux-x86_64 diff --git a/addons/antrea/1.2.0/install.sh b/addons/antrea/1.2.0/install.sh new file mode 100644 index 0000000000..d73c17fc61 --- /dev/null +++ b/addons/antrea/1.2.0/install.sh 
@@ -0,0 +1,80 @@
+
+function antrea_pre_init() {
+ local src="$DIR/addons/antrea/$ANTREA_VERSION"
+
+ POD_CIDR="$ANTREA_POD_CIDR"
+ POD_CIDR_RANGE="$ANTREA_POD_CIDR_RANGE"
+
+ cp "$src/kubeadm.yaml" "$DIR/kustomize/kubeadm/init-patches/antrea.yaml"
+
+ if commandExists kubectl; then
+ EXISTING_POD_CIDR=$(kubectl -n kube-system get cm kubeadm-config -oyaml 2>/dev/null | grep podSubnet | awk '{ print $NF }')
+ fi
+}
+
+function antrea() {
+ local src="$DIR/addons/antrea/$ANTREA_VERSION"
+ local dst="$DIR/kustomize/antrea"
+
+ if antrea_weave_conflict; then
+ printf "${YELLOW}Cannot migrate from weave to antrea${NC}\n"
+ return 0
+ fi
+
+ if ! lsmod | grep ip_tables; then
+ modprobe ip_tables
+ fi
+
+ cp "$src/kustomization.yaml" "$dst/"
+
+ if [ "$ANTREA_DISABLE_ENCRYPTION" = "1" ]; then
+ cp "$src/plaintext.yaml" "$dst/"
+ insert_resources "$dst/kustomization.yaml" plaintext.yaml
+ else
+ cp "$src/ipsec.yaml" "$dst/"
+ insert_resources "$dst/kustomization.yaml" ipsec.yaml
+
+ ANTREA_IPSEC_PSK=$(kubernetes_secret_value kube-system antrea-ipsec psk)
+ if [ -z "$ANTREA_IPSEC_PSK" ]; then
+ ANTREA_IPSEC_PSK=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c9)
+ fi
+ render_yaml_file "$src/ipsec-psk.yaml" > "$dst/ipsec-psk.yaml"
+ insert_patches_strategic_merge "$dst/kustomization.yaml" ipsec-psk.yaml
+ fi
+
+ kubectl apply -k $dst
+
+ antrea_cli
+
+ check_network
+}
+
+function antrea_join() {
+ if ! lsmod | grep ip_tables; then
+ modprobe ip_tables
+ fi
+
+ if kubernetes_is_master; then
+ antrea_cli
+ fi
+}
+
+function antrea_cli() {
+ local src="$DIR/addons/antrea/$ANTREA_VERSION"
+
+ if [ ! -f "$src/assets/antctl" ] && [ "$AIRGAP" != "1" ]; then
+ mkdir -p "$src/assets"
+ curl -L --fail "https://github.com/vmware-tanzu/antrea/releases/download/v${ANTREA_VERSION}/antctl-Linux-x86_64" > "$src/assets/antctl"
+ fi
+
+ chmod +x "$src/assets/antctl"
+ # put it in the same directory as kubectl since that's always on the path
+ cp "$src/assets/antctl" "$(dirname $(which kubectl))/"
+}
+
+function antrea_weave_conflict() {
+ if [ -f /etc/cni/net.d/10-weave.conflist ]; then
+ return 0
+ fi
+ return 1
+}
diff --git a/addons/antrea/1.2.0/ipsec-psk.yaml b/addons/antrea/1.2.0/ipsec-psk.yaml
new file mode 100644
index 0000000000..8f73207965
--- /dev/null
+++ b/addons/antrea/1.2.0/ipsec-psk.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: antrea-ipsec
+ namespace: kube-system
+stringData:
+ psk: $ANTREA_IPSEC_PSK
diff --git a/addons/antrea/1.2.0/ipsec.yaml b/addons/antrea/1.2.0/ipsec.yaml
new file mode 100644
index 0000000000..f5deca6706
--- /dev/null
+++ b/addons/antrea/1.2.0/ipsec.yaml
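Review bot: The fallback IPsec pre-shared key generated in antrea() is only 9 alphanumeric characters (`head -c9`), roughly 53 bits of entropy, and since it is generated only when no antrea-ipsec secret value exists yet it persists for the life of the cluster; widen it, e.g. `ANTREA_IPSEC_PSK=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c32)`. The rendered `$dst/ipsec-psk.yaml` also leaves that key in plaintext on the host filesystem after `kubectl apply -k $dst`, which deserves either a comment stating that this is intended or a cleanup step. In antrea_cli the antctl binary fetched with `curl -L --fail` is made executable and copied next to kubectl with no integrity check, and the 1.2.0 Manifest hunk in this commit lists the asset URL without a digest; a pinned checksum verified before `chmod +x` would close that gap. Note too that `chmod +x "$src/assets/antctl"` runs unconditionally, so an airgap install with the asset absent fails there rather than with a clear message.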
@@ -0,0 +1,4726 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - laai + singular: antreaagentinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - aai + singular: antreaagentinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - laci + singular: antreacontrollerinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - aci + singular: antreacontrollerinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- 
+apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ClusterGroup + plural: clustergroups + shortNames: + - lcg + singular: group + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + 
subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.crd.antrea.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: antrea + namespace: kube-system + path: /convert/clustergroup + conversionReviewVersions: + - v1 + - v1beta1 + group: crd.antrea.io + names: + kind: ClusterGroup + plural: clustergroups + shortNames: + - cg + singular: group + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + 
properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: false + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + 
kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - acnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - 
Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - 
Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: 
string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - lacnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + 
protocol: + type: string + type: object + type: array + to: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: 
object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: egresses.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Egress + plural: egresses + shortNames: + - eg + singular: egress + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. 
+ jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + properties: + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + egressIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + externalIPPool: + type: string + required: + - appliedTo + type: object + status: + properties: + egressNode: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - lee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: 
string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - ee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalippools.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalIPPool + plural: externalippools + shortNames: + - eip + singular: externalippool + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + ipRanges: + items: + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + format: cidr + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + type: object + type: array + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: 
string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - ipRanges + - nodeSelector + type: object + required: + - spec + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - anp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + 
type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + 
values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - lanp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + 
type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + 
values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Tier + plural: tiers + shortNames: + - tr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: Tier + plural: tiers + shortNames: + - ltr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. 
+ jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Traceflow + plural: traceflows + shortNames: + - tf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. + jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - description: Trace live traffic. + jsonPath: .spec.liveTraffic + name: Live-Traffic + priority: 10 + type: boolean + - description: Capture only the dropped packet. + jsonPath: .spec.droppedOnly + name: Dropped-Only + priority: 10 + type: boolean + - description: Timeout in seconds. 
+ jsonPath: .spec.timeout + name: Timeout + priority: 10 + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + droppedOnly: + type: boolean + liveTraffic: + type: boolean + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + type: object + timeout: + type: integer + type: object + status: + properties: + capturedPacket: + properties: + dstIP: + type: string + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + length: + type: integer + srcIP: + type: string + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + 
srcPort: + type: integer + type: object + type: object + type: object + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.ops.antrea.tanzu.vmware.com +spec: + group: ops.antrea.tanzu.vmware.com + names: + kind: Traceflow + plural: traceflows + shortNames: + - ltf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. 
+ jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + namespace: + type: string + pod: + type: string + required: + - pod + - namespace + type: object + required: + - source + type: object + status: + properties: + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- 
+apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-agent + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-controller + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-clustergroups-edit +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-clustergroups-view +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-policies-edit +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-policies-view +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-traceflows-edit +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-traceflows-view +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antctl +rules: +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - list +- apiGroups: + - stats.antrea.tanzu.vmware.com + - stats.antrea.io + resources: + - networkpolicystats + - antreaclusternetworkpolicystats + - antreanetworkpolicystats + verbs: + - get + - list +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - 
controllerinfos + - agentinfos + verbs: + - get +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - supportbundles + verbs: + - get + - post +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - supportbundles/download + verbs: + - get +- nonResourceURLs: + - /agentinfo + - /addressgroups + - /appliedtogroups + - /loglevel + - /networkpolicies + - /ovsflows + - /ovstracing + - /podinterfaces + - /featuregates + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-agent +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - endpoints + - services + verbs: + - get + - watch + - list +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.io + resources: + - egressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - nodestatssummaries + verbs: + - create +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies/status + verbs: + - create + - get +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - "" + resourceNames: + - 
extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - ops.antrea.tanzu.vmware.com + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - egresses/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - externalippools + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-cluster-identity-reader +rules: +- apiGroups: + - "" + resourceNames: + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-controller +rules: +- apiGroups: + - "" + resources: + - nodes + - pods + - namespaces + - services + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - watch + - list +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - update +- apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - 
apiregistration.k8s.io + resourceNames: + - v1alpha1.stats.antrea.tanzu.vmware.com + - v1beta1.system.antrea.tanzu.vmware.com + - v1beta2.controlplane.antrea.tanzu.vmware.com + - v1beta1.controlplane.antrea.tanzu.vmware.com + - v1alpha1.stats.antrea.io + - v1beta1.system.antrea.io + - v1beta2.controlplane.antrea.io + resources: + - apiservices + verbs: + - get + - update +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1beta1.networking.antrea.tanzu.vmware.com + resources: + - apiservices + verbs: + - delete +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - crdmutator.antrea.tanzu.vmware.com + - crdvalidator.antrea.tanzu.vmware.com + - labelsmutator.antrea.io + - crdmutator.antrea.io + - crdvalidator.antrea.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - update +- apiGroups: + - crd.antrea.io + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get 
+ - watch + - list + - update + - patch +- apiGroups: + - crd.antrea.io + resources: + - externalippools + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antctl +subjects: +- kind: ServiceAccount + name: antctl + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: +- kind: ServiceAccount + name: antrea-agent + namespace: kube-system +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: +- kind: ServiceAccount + name: antrea-controller + namespace: kube-system +--- +apiVersion: v1 +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice + # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. + # EndpointSlice: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable NodePortLocal feature to make the pods reachable externally through NodePort + # NodePortLocal: false + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. + # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. 
+ #ovsBridge: br-int + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: + # - system + # - netdev + # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. + # Make sure it doesn't conflict with your existing interfaces. + #hostGateway: antrea-gw0 + + # Determines how traffic is encapsulated. It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. + # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. + # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + #trafficEncapMode: encap + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. + # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + #noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + tunnelType: gre + + # Default MTU to use for the host gateway interface and the network interface of each Pod. 
+ # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + #defaultMTU: 0 + + # Whether or not to enable IPsec encryption of tunnel traffic. IPsec encryption is only supported + # for the GRE tunnel type. + enableIPSecTunnel: true + + # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + #serviceCIDR: 10.96.0.0/12 + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. + #serviceCIDRv6: + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + #apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + #enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. + # However, IPv6 address should be wrapped with []. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and + # "udp" protocols. 
"tls" is used for securing communication between flow exporter and + # flow aggregator. + #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" + + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #flowPollInterval: "5s" + + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #activeFlowExportTimeout: "30s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #idleFlowExportTimeout: "15s" + + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned + # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports), + # and all Node traffic directed to that port will be forwarded to the Pod. + #nplPortRange: 61000-62000 + + # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. + # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. + #kubeAPIServerOverride: "" + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. 
+ # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + #tlsMinVersion: + antrea-cni.conflist: | + { + "cniVersion":"0.3.0", + "name": "antrea", + "plugins": [ + { + "type": "antrea", + "ipam": { + "type": "host-local" + } + }, + { + "type": "portmap", + "capabilities": {"portMappings": true} + }, + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + antrea-controller.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: false + + # The port for the antrea-controller APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-controller` container must be set to the same value. + #apiPort: 10349 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + #enablePrometheusMetrics: true + + # Indicates whether to use auto-generated self-signed TLS certificate. 
+ # If false, A Secret named "antrea-controller-tls" must be provided with the following keys: + # ca.crt: + # tls.crt: + # tls.key: + # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the + # antrea-controller container. + #selfSignedCert: true + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + #tlsMinVersion: + + # If Antrea is upgraded from version <= v0.13 and legacy CRDs are used, this option should be + # enabled, otherwise the CRDs created with the legacy API groups will not take any effect and + # work as expected. When the mirroring is enabled, if a legacy CRD is created with legacy API + # groups, mirroring-controller will create a new CRD with the Spec and Labels from the legacy + # CRD. Afterwards, the modification of Spec and Label in legacy CRD will be synchronized to new + # CRD automatically. In addition, the modification of Status in new CRD will also be synchronized + # to legacy CRD automatically. If a legacy CRD is deleted, the corresponding new CRD will be deleted. + # Note that: to decouple a new CRD from the corresponding legacy CRD, the legacy CRD should be + # annotated with "crd.antrea.io/stop-mirror". Afterwards, updates to the legacy CRDs will no + # longer be reflected in the new CRD, and all CRUD operations should be done through the new + # API groups. After adding the annotation, legacy CRDs can be deleted safely without impacting + # new CRDs. 
+ #legacyCRDMirroring: true +kind: ConfigMap +metadata: + annotations: {} + labels: + app: antrea + name: antrea-config-5mt4h4g8tk + namespace: kube-system +--- +apiVersion: v1 +kind: Secret +metadata: + name: antrea-ipsec + namespace: kube-system +stringData: + psk: changeme +type: Opaque +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: antrea + name: antrea + namespace: kube-system +spec: + ports: + - port: 443 + protocol: TCP + targetPort: api + selector: + app: antrea + component: antrea-controller +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: antrea + component: antrea-controller + name: antrea-controller + namespace: kube-system +spec: + replicas: 1 + selector: + matchLabels: + app: antrea + component: antrea-controller + strategy: + type: Recreate + template: + metadata: + labels: + app: antrea + component: antrea-controller + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-controller.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-controller + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: SERVICEACCOUNT_NAME + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ANTREA_CONFIG_MAP_NAME + value: antrea-config-5mt4h4g8tk + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.2.0 + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /livez + port: api + scheme: HTTPS + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-controller + ports: + - containerPort: 10349 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + 
timeoutSeconds: 5 + resources: + requests: + cpu: 200m + volumeMounts: + - mountPath: /etc/antrea/antrea-controller.conf + name: antrea-config + readOnly: true + subPath: antrea-controller.conf + - mountPath: /var/run/antrea/antrea-controller-tls + name: antrea-controller-tls + - mountPath: /var/log/antrea + name: host-var-log-antrea + hostNetwork: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + serviceAccountName: antrea-controller + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + volumes: + - configMap: + name: antrea-config-5mt4h4g8tk + name: antrea-config + - name: antrea-controller-tls + secret: + defaultMode: 256 + optional: true + secretName: antrea-controller-tls + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.io +spec: + group: stats.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.tanzu.vmware.com +spec: + group: stats.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.system.antrea.io +spec: + group: system.antrea.io + groupPriorityMinimum: 
100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.system.antrea.tanzu.vmware.com +spec: + group: system.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.io +spec: + group: controlplane.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app: antrea + component: antrea-agent + name: antrea-agent + namespace: kube-system +spec: + selector: + matchLabels: + app: antrea + component: antrea-agent + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: antrea-agent + labels: + app: antrea + component: antrea-agent + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-agent.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-agent + env: + - name: ANTREA_IPSEC_PSK + valueFrom: + secretKeyRef: + key: psk + name: antrea-ipsec + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: 
projects.registry.vmware.com/antrea/antrea-ubuntu:v1.2.0 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - container_liveness_probe agent + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-agent + ports: + - containerPort: 10350 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + securityContext: + privileged: true + volumeMounts: + - mountPath: /etc/antrea/antrea-agent.conf + name: antrea-config + readOnly: true + subPath: antrea-agent.conf + - mountPath: /var/run/antrea + name: host-var-run-antrea + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/lib/cni + name: host-var-run-antrea + subPath: cni + - mountPath: /var/log/antrea + name: host-var-log-antrea + - mountPath: /host/proc + name: host-proc + readOnly: true + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: host-var-run-netns + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + - command: + - start_ovs_ipsec + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.2.0 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - timeout 5 container_liveness_probe ovs-ipsec + initialDelaySeconds: 5 + periodSeconds: 5 + name: antrea-ipsec + resources: + requests: + cpu: 50m + securityContext: + capabilities: + add: + - NET_ADMIN + volumeMounts: + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/log/openvswitch + name: host-var-log-antrea + subPath: openvswitch + - mountPath: /var/log/strongswan + name: host-var-log-antrea + subPath: strongswan + - args: + - --log_file_max_size=100 + - --log_file_max_num=4 + command: + - start_ovs + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.2.0 + 
livenessProbe: + exec: + command: + - /bin/sh + - -c + - timeout 10 container_liveness_probe ovs + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 10 + name: antrea-ovs + resources: + requests: + cpu: 200m + securityContext: + capabilities: + add: + - SYS_NICE + - NET_ADMIN + - SYS_ADMIN + - IPC_LOCK + volumeMounts: + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/log/openvswitch + name: host-var-log-antrea + subPath: openvswitch + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + initContainers: + - command: + - install_cni + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.2.0 + name: install-cni + resources: + requests: + cpu: 100m + securityContext: + capabilities: + add: + - SYS_MODULE + volumeMounts: + - mountPath: /etc/antrea/antrea-cni.conflist + name: antrea-config + readOnly: true + subPath: antrea-cni.conflist + - mountPath: /host/etc/cni/net.d + name: host-cni-conf + - mountPath: /host/opt/cni/bin + name: host-cni-bin + - mountPath: /lib/modules + name: host-lib-modules + readOnly: true + - mountPath: /var/run/antrea + name: host-var-run-antrea + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-node-critical + serviceAccountName: antrea-agent + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + volumes: + - configMap: + name: antrea-config-5mt4h4g8tk + name: antrea-config + - hostPath: + path: /etc/cni/net.d + name: host-cni-conf + - hostPath: + path: /opt/cni/bin + name: host-cni-bin + - hostPath: + path: /proc + name: host-proc + - hostPath: + path: /var/run/netns + name: host-var-run-netns + - hostPath: + path: /var/run/antrea + type: DirectoryOrCreate + name: host-var-run-antrea + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea + - hostPath: + path: /lib/modules + name: host-lib-modules + 
- hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + updateStrategy: + type: RollingUpdate +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.io +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: 
admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.io +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: tiervalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/anp + name: anpvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/clustergroup + name: clustergroupvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha3 + - v1alpha2 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - clustergroups + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/externalippool + name: externalippoolvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha2 + operations: + - UPDATE + resources: + - externalippools + scope: Cluster + 
sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/egress + name: egressvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + resources: + - egresses + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: tiervalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/anp + name: anpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/clustergroup + name: clustergroupvalidator.antrea.tanzu.vmware.com + rules: + - 
apiGroups:
+ - core.antrea.tanzu.vmware.com
+ apiVersions:
+ - v1alpha2
+ operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ resources:
+ - clustergroups
+ scope: Cluster
+ sideEffects: None
+ timeoutSeconds: 5
diff --git a/addons/antrea/1.2.0/kubeadm.yaml b/addons/antrea/1.2.0/kubeadm.yaml
new file mode 100644
index 0000000000..5fa4ffb370
--- /dev/null
+++ b/addons/antrea/1.2.0/kubeadm.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kubeadm.k8s.io/v1beta2
+kind: ClusterConfiguration
+metadata:
+ name: kubeadm-cluster-configuration
+networking:
+ podSubnet: $POD_CIDR
diff --git a/addons/antrea/1.2.0/kustomization.yaml b/addons/antrea/1.2.0/kustomization.yaml
new file mode 100644
index 0000000000..2949157786
--- /dev/null
+++ b/addons/antrea/1.2.0/kustomization.yaml
@@ -0,0 +1 @@
+resources:
diff --git a/addons/antrea/1.2.0/plaintext.yaml b/addons/antrea/1.2.0/plaintext.yaml
new file mode 100644
index 0000000000..fab07a6fbe
--- /dev/null
+++ b/addons/antrea/1.2.0/plaintext.yaml
@@ -0,0 +1,4683 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - laai + singular: antreaagentinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - aai + singular: antreaagentinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - laci + singular: antreacontrollerinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - aci + singular: antreacontrollerinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- 
+apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ClusterGroup + plural: clustergroups + shortNames: + - lcg + singular: group + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + 
subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.crd.antrea.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: antrea + namespace: kube-system + path: /convert/clustergroup + conversionReviewVersions: + - v1 + - v1beta1 + group: crd.antrea.io + names: + kind: ClusterGroup + plural: clustergroups + shortNames: + - cg + singular: group + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + 
properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: false + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + 
kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - acnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - 
Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - 
Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: 
string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - lacnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + 
protocol: + type: string + type: object + type: array + to: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: 
object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: egresses.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Egress + plural: egresses + shortNames: + - eg + singular: egress + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. 
+ jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + properties: + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + egressIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + externalIPPool: + type: string + required: + - appliedTo + type: object + status: + properties: + egressNode: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - lee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: 
string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - ee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalippools.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalIPPool + plural: externalippools + shortNames: + - eip + singular: externalippool + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + ipRanges: + items: + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + format: cidr + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + type: object + type: array + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: 
string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - ipRanges + - nodeSelector + type: object + required: + - spec + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - anp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + 
type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + 
values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - lanp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + 
type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + 
values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Tier + plural: tiers + shortNames: + - tr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: Tier + plural: tiers + shortNames: + - ltr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. 
+ jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Traceflow + plural: traceflows + shortNames: + - tf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. + jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - description: Trace live traffic. + jsonPath: .spec.liveTraffic + name: Live-Traffic + priority: 10 + type: boolean + - description: Capture only the dropped packet. + jsonPath: .spec.droppedOnly + name: Dropped-Only + priority: 10 + type: boolean + - description: Timeout in seconds. 
+ jsonPath: .spec.timeout + name: Timeout + priority: 10 + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + droppedOnly: + type: boolean + liveTraffic: + type: boolean + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + type: object + timeout: + type: integer + type: object + status: + properties: + capturedPacket: + properties: + dstIP: + type: string + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + length: + type: integer + srcIP: + type: string + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + 
srcPort: + type: integer + type: object + type: object + type: object + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.ops.antrea.tanzu.vmware.com +spec: + group: ops.antrea.tanzu.vmware.com + names: + kind: Traceflow + plural: traceflows + shortNames: + - ltf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. 
+ jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + namespace: + type: string + pod: + type: string + required: + - pod + - namespace + type: object + required: + - source + type: object + status: + properties: + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- 
+apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-agent + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-controller + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-clustergroups-edit +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-clustergroups-view +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-policies-edit +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-policies-view +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-traceflows-edit +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-traceflows-view +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antctl +rules: +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - list +- apiGroups: + - stats.antrea.tanzu.vmware.com + - stats.antrea.io + resources: + - networkpolicystats + - antreaclusternetworkpolicystats + - antreanetworkpolicystats + verbs: + - get + - list +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - 
controllerinfos + - agentinfos + verbs: + - get +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - supportbundles + verbs: + - get + - post +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - supportbundles/download + verbs: + - get +- nonResourceURLs: + - /agentinfo + - /addressgroups + - /appliedtogroups + - /loglevel + - /networkpolicies + - /ovsflows + - /ovstracing + - /podinterfaces + - /featuregates + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-agent +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - endpoints + - services + verbs: + - get + - watch + - list +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.io + resources: + - egressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - nodestatssummaries + verbs: + - create +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies/status + verbs: + - create + - get +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - "" + resourceNames: + - 
extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - ops.antrea.tanzu.vmware.com + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - egresses/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - externalippools + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-cluster-identity-reader +rules: +- apiGroups: + - "" + resourceNames: + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-controller +rules: +- apiGroups: + - "" + resources: + - nodes + - pods + - namespaces + - services + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - watch + - list +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - update +- apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - 
apiregistration.k8s.io + resourceNames: + - v1alpha1.stats.antrea.tanzu.vmware.com + - v1beta1.system.antrea.tanzu.vmware.com + - v1beta2.controlplane.antrea.tanzu.vmware.com + - v1beta1.controlplane.antrea.tanzu.vmware.com + - v1alpha1.stats.antrea.io + - v1beta1.system.antrea.io + - v1beta2.controlplane.antrea.io + resources: + - apiservices + verbs: + - get + - update +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1beta1.networking.antrea.tanzu.vmware.com + resources: + - apiservices + verbs: + - delete +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - crdmutator.antrea.tanzu.vmware.com + - crdvalidator.antrea.tanzu.vmware.com + - labelsmutator.antrea.io + - crdmutator.antrea.io + - crdvalidator.antrea.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - update +- apiGroups: + - crd.antrea.io + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get 
+ - watch + - list + - update + - patch +- apiGroups: + - crd.antrea.io + resources: + - externalippools + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antctl +subjects: +- kind: ServiceAccount + name: antctl + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: +- kind: ServiceAccount + name: antrea-agent + namespace: kube-system +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: +- kind: ServiceAccount + name: antrea-controller + namespace: kube-system +--- +apiVersion: v1 +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice + # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. + # EndpointSlice: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable NodePortLocal feature to make the pods reachable externally through NodePort + # NodePortLocal: false + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. + # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. 
+ #ovsBridge: br-int + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: + # - system + # - netdev + # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. + # Make sure it doesn't conflict with your existing interfaces. + #hostGateway: antrea-gw0 + + # Determines how traffic is encapsulated. It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. + # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. + # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + #trafficEncapMode: encap + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. + # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + #noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + #tunnelType: geneve + + # Default MTU to use for the host gateway interface and the network interface of each Pod. 
+ # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + #defaultMTU: 0 + + # Whether or not to enable IPsec encryption of tunnel traffic. IPsec encryption is only supported + # for the GRE tunnel type. + #enableIPSecTunnel: false + + # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + #serviceCIDR: 10.96.0.0/12 + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. + #serviceCIDRv6: + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + #apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + #enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. + # However, IPv6 address should be wrapped with []. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and + # "udp" protocols. 
"tls" is used for securing communication between flow exporter and + # flow aggregator. + #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" + + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #flowPollInterval: "5s" + + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #activeFlowExportTimeout: "30s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #idleFlowExportTimeout: "15s" + + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned + # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports), + # and all Node traffic directed to that port will be forwarded to the Pod. + #nplPortRange: 61000-62000 + + # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. + # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. + #kubeAPIServerOverride: "" + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. 
+ # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + #tlsMinVersion: + antrea-cni.conflist: | + { + "cniVersion":"0.3.0", + "name": "antrea", + "plugins": [ + { + "type": "antrea", + "ipam": { + "type": "host-local" + } + }, + { + "type": "portmap", + "capabilities": {"portMappings": true} + }, + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + antrea-controller.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: false + + # The port for the antrea-controller APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-controller` container must be set to the same value. + #apiPort: 10349 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + #enablePrometheusMetrics: true + + # Indicates whether to use auto-generated self-signed TLS certificate. 
+ # If false, A Secret named "antrea-controller-tls" must be provided with the following keys: + # ca.crt: + # tls.crt: + # tls.key: + # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the + # antrea-controller container. + #selfSignedCert: true + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + #tlsMinVersion: + + # If Antrea is upgraded from version <= v0.13 and legacy CRDs are used, this option should be + # enabled, otherwise the CRDs created with the legacy API groups will not take any effect and + # work as expected. When the mirroring is enabled, if a legacy CRD is created with legacy API + # groups, mirroring-controller will create a new CRD with the Spec and Labels from the legacy + # CRD. Afterwards, the modification of Spec and Label in legacy CRD will be synchronized to new + # CRD automatically. In addition, the modification of Status in new CRD will also be synchronized + # to legacy CRD automatically. If a legacy CRD is deleted, the corresponding new CRD will be deleted. + # Note that: to decouple a new CRD from the corresponding legacy CRD, the legacy CRD should be + # annotated with "crd.antrea.io/stop-mirror". Afterwards, updates to the legacy CRDs will no + # longer be reflected in the new CRD, and all CRUD operations should be done through the new + # API groups. After adding the annotation, legacy CRDs can be deleted safely without impacting + # new CRDs. 
+ #legacyCRDMirroring: true +kind: ConfigMap +metadata: + annotations: {} + labels: + app: antrea + name: antrea-config-2567tcm8ck + namespace: kube-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: antrea + name: antrea + namespace: kube-system +spec: + ports: + - port: 443 + protocol: TCP + targetPort: api + selector: + app: antrea + component: antrea-controller +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: antrea + component: antrea-controller + name: antrea-controller + namespace: kube-system +spec: + replicas: 1 + selector: + matchLabels: + app: antrea + component: antrea-controller + strategy: + type: Recreate + template: + metadata: + labels: + app: antrea + component: antrea-controller + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-controller.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-controller + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: SERVICEACCOUNT_NAME + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ANTREA_CONFIG_MAP_NAME + value: antrea-config-2567tcm8ck + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.2.0 + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /livez + port: api + scheme: HTTPS + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-controller + ports: + - containerPort: 10349 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + volumeMounts: + - mountPath: /etc/antrea/antrea-controller.conf + name: 
antrea-config + readOnly: true + subPath: antrea-controller.conf + - mountPath: /var/run/antrea/antrea-controller-tls + name: antrea-controller-tls + - mountPath: /var/log/antrea + name: host-var-log-antrea + hostNetwork: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + serviceAccountName: antrea-controller + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + volumes: + - configMap: + name: antrea-config-2567tcm8ck + name: antrea-config + - name: antrea-controller-tls + secret: + defaultMode: 256 + optional: true + secretName: antrea-controller-tls + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.io +spec: + group: stats.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.tanzu.vmware.com +spec: + group: stats.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.system.antrea.io +spec: + group: system.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: 
apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.system.antrea.tanzu.vmware.com +spec: + group: system.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.io +spec: + group: controlplane.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app: antrea + component: antrea-agent + name: antrea-agent + namespace: kube-system +spec: + selector: + matchLabels: + app: antrea + component: antrea-agent + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: antrea-agent + labels: + app: antrea + component: antrea-agent + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-agent.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-agent + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.2.0 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - container_liveness_probe agent + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + 
timeoutSeconds: 5 + name: antrea-agent + ports: + - containerPort: 10350 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + securityContext: + privileged: true + volumeMounts: + - mountPath: /etc/antrea/antrea-agent.conf + name: antrea-config + readOnly: true + subPath: antrea-agent.conf + - mountPath: /var/run/antrea + name: host-var-run-antrea + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/lib/cni + name: host-var-run-antrea + subPath: cni + - mountPath: /var/log/antrea + name: host-var-log-antrea + - mountPath: /host/proc + name: host-proc + readOnly: true + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: host-var-run-netns + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + - args: + - --log_file_max_size=100 + - --log_file_max_num=4 + command: + - start_ovs + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.2.0 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - timeout 10 container_liveness_probe ovs + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 10 + name: antrea-ovs + resources: + requests: + cpu: 200m + securityContext: + capabilities: + add: + - SYS_NICE + - NET_ADMIN + - SYS_ADMIN + - IPC_LOCK + volumeMounts: + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/log/openvswitch + name: host-var-log-antrea + subPath: openvswitch + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + initContainers: + - command: + - install_cni + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.2.0 + name: install-cni + resources: + requests: + cpu: 100m + securityContext: + capabilities: + add: + - SYS_MODULE + volumeMounts: + - mountPath: 
/etc/antrea/antrea-cni.conflist + name: antrea-config + readOnly: true + subPath: antrea-cni.conflist + - mountPath: /host/etc/cni/net.d + name: host-cni-conf + - mountPath: /host/opt/cni/bin + name: host-cni-bin + - mountPath: /lib/modules + name: host-lib-modules + readOnly: true + - mountPath: /var/run/antrea + name: host-var-run-antrea + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-node-critical + serviceAccountName: antrea-agent + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + volumes: + - configMap: + name: antrea-config-2567tcm8ck + name: antrea-config + - hostPath: + path: /etc/cni/net.d + name: host-cni-conf + - hostPath: + path: /opt/cni/bin + name: host-cni-bin + - hostPath: + path: /proc + name: host-proc + - hostPath: + path: /var/run/netns + name: host-var-run-netns + - hostPath: + path: /var/run/antrea + type: DirectoryOrCreate + name: host-var-run-antrea + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea + - hostPath: + path: /lib/modules + name: host-lib-modules + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + updateStrategy: + type: RollingUpdate +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.io +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.io + rules: + - apiGroups: + - 
crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.io +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: tiervalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: 
Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/anp + name: anpvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/clustergroup + name: clustergroupvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha3 + - v1alpha2 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - clustergroups + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/externalippool + name: externalippoolvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha2 + operations: + - UPDATE + resources: + - externalippools + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/egress + name: egressvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + resources: + - egresses + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: tiervalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - 
v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/anp + name: anpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/clustergroup + name: clustergroupvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - core.antrea.tanzu.vmware.com + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - clustergroups + scope: Cluster + sideEffects: None + timeoutSeconds: 5 diff --git a/addons/antrea/1.2.1/Manifest b/addons/antrea/1.2.1/Manifest new file mode 100644 index 0000000000..2b5e5f721d --- /dev/null +++ b/addons/antrea/1.2.1/Manifest @@ -0,0 +1,3 @@ +image antrea-ubuntu projects.registry.vmware.com/antrea/antrea-ubuntu:v1.2.1 + +asset antctl https://github.com/vmware-tanzu/antrea/releases/download/v1.2.1/antctl-Linux-x86_64 diff --git a/addons/antrea/1.2.1/install.sh b/addons/antrea/1.2.1/install.sh new file mode 100644 index 0000000000..20771a3404 --- /dev/null +++ b/addons/antrea/1.2.1/install.sh 
@@ -0,0 +1,93 @@
+
+function antrea_pre_init() {
+ local src="$DIR/addons/antrea/$ANTREA_VERSION"
+
+ POD_CIDR="$ANTREA_POD_CIDR"
+ POD_CIDR_RANGE="$ANTREA_POD_CIDR_RANGE"
+
+ cp "$src/kubeadm.yaml" "$DIR/kustomize/kubeadm/init-patches/antrea.yaml"
+
+ if commandExists kubectl; then
+ EXISTING_POD_CIDR=$(kubectl -n kube-system get cm kubeadm-config -oyaml 2>/dev/null | grep podSubnet | awk '{ print $NF }')
+ fi
+}
+
+function antrea() {
+ local src="$DIR/addons/antrea/$ANTREA_VERSION"
+ local dst="$DIR/kustomize/antrea"
+
+ if antrea_weave_conflict; then
+ printf "${YELLOW}Cannot migrate from weave to antrea${NC}\n"
+ return 0
+ fi
+
+ if ! lsmod | grep ip_tables; then
+ modprobe ip_tables
+ fi
+ if [ "$IPV6_ONLY" = "1" ]; then
+ modprobe ip6_tables
+ fi
+
+ cp "$src/kustomization.yaml" "$dst/"
+
+ if [ "$ANTREA_DISABLE_ENCRYPTION" = "1" ]; then
+ cp "$src/plaintext.yaml" "$dst/"
+ insert_resources "$dst/kustomization.yaml" plaintext.yaml
+ if [ "$IPV6_ONLY" = "1" ]; then
+ sed -i "/serviceCIDRv6:.*/a\ serviceCIDRv6: $SERVICE_CIDR" "$dst/plaintext.yaml"
+ fi
+ else
+ cp "$src/ipsec.yaml" "$dst/"
+ insert_resources "$dst/kustomization.yaml" ipsec.yaml
+ if [ "$IPV6_ONLY" = "1" ]; then
+ sed -i "/serviceCIDRv6:.*/a\ serviceCIDRv6: $SERVICE_CIDR" "$dst/ipsec.yaml"
+ fi
+
+ ANTREA_IPSEC_PSK=$(kubernetes_secret_value kube-system antrea-ipsec psk)
+ if [ -z "$ANTREA_IPSEC_PSK" ]; then
+ ANTREA_IPSEC_PSK=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c9)
+ fi
+ render_yaml_file "$src/ipsec-psk.yaml" > "$dst/ipsec-psk.yaml"
+ insert_patches_strategic_merge "$dst/kustomization.yaml" ipsec-psk.yaml
+ fi
+
+ kubectl apply -k $dst
+
+ antrea_cli
+
+ check_network
+}
+
+function antrea_join() {
+ if ! lsmod | grep ip_tables; then
+ modprobe ip_tables
+ fi
+
+ if kubernetes_is_master; then
+ antrea_cli
+ fi
+}
+
+function antrea_cli() {
+ local src="$DIR/addons/antrea/$ANTREA_VERSION"
+
+ # github.com has no AAAA records as of 12/6/21
+ if [ ! 
-f "$src/assets/antctl" ] && [ "$AIRGAP" != "1" ]; then
+ if [ "$IPV6_ONLY" = "1" ]; then
+ return 0
+ fi
+ mkdir -p "$src/assets"
+ curl -L --fail "https://github.com/vmware-tanzu/antrea/releases/download/v${ANTREA_VERSION}/antctl-Linux-x86_64" > "$src/assets/antctl"
+ fi
+
+ chmod +x "$src/assets/antctl"
+ # put it in the same directory as kubectl since that's always on the path
+ cp "$src/assets/antctl" "$(dirname $(which kubectl))/"
+}
+
+function antrea_weave_conflict() {
+ if [ -f /etc/cni/net.d/10-weave.conflist ]; then
+ return 0
+ fi
+ return 1
+}
diff --git a/addons/antrea/1.2.1/ipsec-psk.yaml b/addons/antrea/1.2.1/ipsec-psk.yaml
new file mode 100644
index 0000000000..8f73207965
--- /dev/null
+++ b/addons/antrea/1.2.1/ipsec-psk.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: antrea-ipsec
+ namespace: kube-system
+stringData:
+ psk: $ANTREA_IPSEC_PSK
diff --git a/addons/antrea/1.2.1/ipsec.yaml b/addons/antrea/1.2.1/ipsec.yaml
new file mode 100644
index 0000000000..e97e541aec
--- /dev/null
+++ b/addons/antrea/1.2.1/ipsec.yaml
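Review bot: The fallback IPsec pre-shared key generated in antrea() with `head -c9` is nine characters from A-Za-z0-9, about 53 bits, which is short for the secret that protects every inter-node tunnel and is then persisted in the antrea-ipsec Secret for the cluster's lifetime; `ANTREA_IPSEC_PSK=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c32)` costs nothing more. In antrea_cli the redirect `> "$src/assets/antctl"` creates the destination before the transfer succeeds, so when curl fails (`--fail` only changes the exit status) an empty or truncated file remains, the `[ ! -f "$src/assets/antctl" ]` guard skips the download on the next run, and the broken file is made executable and copied into kubectl's directory. The fetched binary is also never checked against a digest even though it lands on PATH for every operator; the Manifest hunk above records only the URL, so a digest would need to be published alongside that `asset antctl` line. The rewrite below fetches to a temporary path and moves it into place only after the transfer and a checksum pass; the digest is a labelled placeholder, and returning non-zero on failure assumes callers treat a missing antctl as fatal, which depends on installer conventions outside this hunk. Minor: `lsmod | grep ip_tables` in antrea() and antrea_join() prints the matching module line to the console — `grep -q` is enough.

```shell
function antrea_cli() {
    # … unchanged: local src, AAAA-record comment …
    if [ ! -f "$src/assets/antctl" ] && [ "$AIRGAP" != "1" ]; then
        # … unchanged: IPV6_ONLY early return, mkdir -p …
        local tmp="$src/assets/antctl.tmp"
        # Fetch to a temp path: the redirect form left a truncated antctl behind on a
        # failed transfer, which the -f guard above then trusted on the next run.
        if ! curl -L --fail -o "$tmp" "https://github.com/vmware-tanzu/antrea/releases/download/v${ANTREA_VERSION}/antctl-Linux-x86_64"; then
            rm -f "$tmp"
            return 1
        fi
        # Verify before the binary goes on PATH. <ANTCTL_SHA256_PLACEHOLDER> stands for the
        # digest published for this antctl release; it is not part of this change.
        if ! echo "<ANTCTL_SHA256_PLACEHOLDER>  $tmp" | sha256sum -c --quiet -; then
            rm -f "$tmp"
            return 1
        fi
        mv "$tmp" "$src/assets/antctl"
    fi
    # … unchanged: chmod +x and copy next to kubectl …
```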
@@ -0,0 +1,4726 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - laai + singular: antreaagentinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - aai + singular: antreaagentinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - laci + singular: antreacontrollerinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - aci + singular: antreacontrollerinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- 
+apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ClusterGroup + plural: clustergroups + shortNames: + - lcg + singular: group + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + 
subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.crd.antrea.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: antrea + namespace: kube-system + path: /convert/clustergroup + conversionReviewVersions: + - v1 + - v1beta1 + group: crd.antrea.io + names: + kind: ClusterGroup + plural: clustergroups + shortNames: + - cg + singular: group + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + 
properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: false + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + 
kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - acnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - 
Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - 
Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: 
string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - lacnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + 
protocol: + type: string + type: object + type: array + to: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: 
object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: egresses.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Egress + plural: egresses + shortNames: + - eg + singular: egress + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. 
+ jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + properties: + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + egressIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + externalIPPool: + type: string + required: + - appliedTo + type: object + status: + properties: + egressNode: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - lee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: 
string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - ee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalippools.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalIPPool + plural: externalippools + shortNames: + - eip + singular: externalippool + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + ipRanges: + items: + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + format: cidr + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + type: object + type: array + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: 
string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - ipRanges + - nodeSelector + type: object + required: + - spec + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - anp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + 
type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + 
values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - lanp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + 
type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + 
values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Tier + plural: tiers + shortNames: + - tr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: Tier + plural: tiers + shortNames: + - ltr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. 
+ jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Traceflow + plural: traceflows + shortNames: + - tf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. + jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - description: Trace live traffic. + jsonPath: .spec.liveTraffic + name: Live-Traffic + priority: 10 + type: boolean + - description: Capture only the dropped packet. + jsonPath: .spec.droppedOnly + name: Dropped-Only + priority: 10 + type: boolean + - description: Timeout in seconds. 
+ jsonPath: .spec.timeout + name: Timeout + priority: 10 + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + droppedOnly: + type: boolean + liveTraffic: + type: boolean + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + type: object + timeout: + type: integer + type: object + status: + properties: + capturedPacket: + properties: + dstIP: + type: string + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + length: + type: integer + srcIP: + type: string + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + 
srcPort: + type: integer + type: object + type: object + type: object + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.ops.antrea.tanzu.vmware.com +spec: + group: ops.antrea.tanzu.vmware.com + names: + kind: Traceflow + plural: traceflows + shortNames: + - ltf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. 
+ jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + namespace: + type: string + pod: + type: string + required: + - pod + - namespace + type: object + required: + - source + type: object + status: + properties: + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- 
+apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-agent + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-controller + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-clustergroups-edit +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-clustergroups-view +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-policies-edit +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-policies-view +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-traceflows-edit +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-traceflows-view +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antctl +rules: +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - list +- apiGroups: + - stats.antrea.tanzu.vmware.com + - stats.antrea.io + resources: + - networkpolicystats + - antreaclusternetworkpolicystats + - antreanetworkpolicystats + verbs: + - get + - list +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - 
controllerinfos + - agentinfos + verbs: + - get +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - supportbundles + verbs: + - get + - post +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - supportbundles/download + verbs: + - get +- nonResourceURLs: + - /agentinfo + - /addressgroups + - /appliedtogroups + - /loglevel + - /networkpolicies + - /ovsflows + - /ovstracing + - /podinterfaces + - /featuregates + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-agent +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - endpoints + - services + verbs: + - get + - watch + - list +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.io + resources: + - egressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - nodestatssummaries + verbs: + - create +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies/status + verbs: + - create + - get +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - "" + resourceNames: + - 
extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - ops.antrea.tanzu.vmware.com + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - egresses/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - externalippools + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-cluster-identity-reader +rules: +- apiGroups: + - "" + resourceNames: + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-controller +rules: +- apiGroups: + - "" + resources: + - nodes + - pods + - namespaces + - services + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - watch + - list +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - update +- apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - 
apiregistration.k8s.io + resourceNames: + - v1alpha1.stats.antrea.tanzu.vmware.com + - v1beta1.system.antrea.tanzu.vmware.com + - v1beta2.controlplane.antrea.tanzu.vmware.com + - v1beta1.controlplane.antrea.tanzu.vmware.com + - v1alpha1.stats.antrea.io + - v1beta1.system.antrea.io + - v1beta2.controlplane.antrea.io + resources: + - apiservices + verbs: + - get + - update +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1beta1.networking.antrea.tanzu.vmware.com + resources: + - apiservices + verbs: + - delete +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - crdmutator.antrea.tanzu.vmware.com + - crdvalidator.antrea.tanzu.vmware.com + - labelsmutator.antrea.io + - crdmutator.antrea.io + - crdvalidator.antrea.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - update +- apiGroups: + - crd.antrea.io + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get 
+ - watch + - list + - update + - patch +- apiGroups: + - crd.antrea.io + resources: + - externalippools + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antctl +subjects: +- kind: ServiceAccount + name: antctl + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: +- kind: ServiceAccount + name: antrea-agent + namespace: kube-system +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: +- kind: ServiceAccount + name: antrea-controller + namespace: kube-system +--- +apiVersion: v1 +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice + # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. + # EndpointSlice: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable NodePortLocal feature to make the pods reachable externally through NodePort + # NodePortLocal: false + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. + # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. 
+ #ovsBridge: br-int + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: + # - system + # - netdev + # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. + # Make sure it doesn't conflict with your existing interfaces. + #hostGateway: antrea-gw0 + + # Determines how traffic is encapsulated. It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. + # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. + # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + #trafficEncapMode: encap + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. + # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + #noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + tunnelType: gre + + # Default MTU to use for the host gateway interface and the network interface of each Pod. 
+ # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + #defaultMTU: 0 + + # Whether or not to enable IPsec encryption of tunnel traffic. IPsec encryption is only supported + # for the GRE tunnel type. + enableIPSecTunnel: true + + # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + #serviceCIDR: 10.96.0.0/12 + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. + #serviceCIDRv6: + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + #apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + #enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. + # However, IPv6 address should be wrapped with []. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and + # "udp" protocols. 
"tls" is used for securing communication between flow exporter and + # flow aggregator. + #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" + + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #flowPollInterval: "5s" + + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #activeFlowExportTimeout: "30s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #idleFlowExportTimeout: "15s" + + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned + # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports), + # and all Node traffic directed to that port will be forwarded to the Pod. + #nplPortRange: 61000-62000 + + # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. + # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. + #kubeAPIServerOverride: "" + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. 
+ # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + #tlsMinVersion: + antrea-cni.conflist: | + { + "cniVersion":"0.3.0", + "name": "antrea", + "plugins": [ + { + "type": "antrea", + "ipam": { + "type": "host-local" + } + }, + { + "type": "portmap", + "capabilities": {"portMappings": true} + }, + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + antrea-controller.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: false + + # The port for the antrea-controller APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-controller` container must be set to the same value. + #apiPort: 10349 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + #enablePrometheusMetrics: true + + # Indicates whether to use auto-generated self-signed TLS certificate. 
+ # If false, A Secret named "antrea-controller-tls" must be provided with the following keys: + # ca.crt: + # tls.crt: + # tls.key: + # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the + # antrea-controller container. + #selfSignedCert: true + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + #tlsMinVersion: + + # If Antrea is upgraded from version <= v0.13 and legacy CRDs are used, this option should be + # enabled, otherwise the CRDs created with the legacy API groups will not take any effect and + # work as expected. When the mirroring is enabled, if a legacy CRD is created with legacy API + # groups, mirroring-controller will create a new CRD with the Spec and Labels from the legacy + # CRD. Afterwards, the modification of Spec and Label in legacy CRD will be synchronized to new + # CRD automatically. In addition, the modification of Status in new CRD will also be synchronized + # to legacy CRD automatically. If a legacy CRD is deleted, the corresponding new CRD will be deleted. + # Note that: to decouple a new CRD from the corresponding legacy CRD, the legacy CRD should be + # annotated with "crd.antrea.io/stop-mirror". Afterwards, updates to the legacy CRDs will no + # longer be reflected in the new CRD, and all CRUD operations should be done through the new + # API groups. After adding the annotation, legacy CRDs can be deleted safely without impacting + # new CRDs. 
+ #legacyCRDMirroring: true +kind: ConfigMap +metadata: + annotations: {} + labels: + app: antrea + name: antrea-config-5mt4h4g8tk + namespace: kube-system +--- +apiVersion: v1 +kind: Secret +metadata: + name: antrea-ipsec + namespace: kube-system +stringData: + psk: changeme +type: Opaque +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: antrea + name: antrea + namespace: kube-system +spec: + ports: + - port: 443 + protocol: TCP + targetPort: api + selector: + app: antrea + component: antrea-controller +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: antrea + component: antrea-controller + name: antrea-controller + namespace: kube-system +spec: + replicas: 1 + selector: + matchLabels: + app: antrea + component: antrea-controller + strategy: + type: Recreate + template: + metadata: + labels: + app: antrea + component: antrea-controller + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-controller.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-controller + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: SERVICEACCOUNT_NAME + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ANTREA_CONFIG_MAP_NAME + value: antrea-config-5mt4h4g8tk + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.2.1 + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /livez + port: api + scheme: HTTPS + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-controller + ports: + - containerPort: 10349 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + 
timeoutSeconds: 5 + resources: + requests: + cpu: 200m + volumeMounts: + - mountPath: /etc/antrea/antrea-controller.conf + name: antrea-config + readOnly: true + subPath: antrea-controller.conf + - mountPath: /var/run/antrea/antrea-controller-tls + name: antrea-controller-tls + - mountPath: /var/log/antrea + name: host-var-log-antrea + hostNetwork: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + serviceAccountName: antrea-controller + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + volumes: + - configMap: + name: antrea-config-5mt4h4g8tk + name: antrea-config + - name: antrea-controller-tls + secret: + defaultMode: 256 + optional: true + secretName: antrea-controller-tls + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.io +spec: + group: stats.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.tanzu.vmware.com +spec: + group: stats.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.system.antrea.io +spec: + group: system.antrea.io + groupPriorityMinimum: 
100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.system.antrea.tanzu.vmware.com +spec: + group: system.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.io +spec: + group: controlplane.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app: antrea + component: antrea-agent + name: antrea-agent + namespace: kube-system +spec: + selector: + matchLabels: + app: antrea + component: antrea-agent + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: antrea-agent + labels: + app: antrea + component: antrea-agent + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-agent.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-agent + env: + - name: ANTREA_IPSEC_PSK + valueFrom: + secretKeyRef: + key: psk + name: antrea-ipsec + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: 
projects.registry.vmware.com/antrea/antrea-ubuntu:v1.2.1 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - container_liveness_probe agent + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-agent + ports: + - containerPort: 10350 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 8 + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + securityContext: + privileged: true + volumeMounts: + - mountPath: /etc/antrea/antrea-agent.conf + name: antrea-config + readOnly: true + subPath: antrea-agent.conf + - mountPath: /var/run/antrea + name: host-var-run-antrea + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/lib/cni + name: host-var-run-antrea + subPath: cni + - mountPath: /var/log/antrea + name: host-var-log-antrea + - mountPath: /host/proc + name: host-proc + readOnly: true + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: host-var-run-netns + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + - command: + - start_ovs_ipsec + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.2.1 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - timeout 5 container_liveness_probe ovs-ipsec + initialDelaySeconds: 5 + periodSeconds: 5 + name: antrea-ipsec + resources: + requests: + cpu: 50m + securityContext: + capabilities: + add: + - NET_ADMIN + volumeMounts: + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/log/openvswitch + name: host-var-log-antrea + subPath: openvswitch + - mountPath: /var/log/strongswan + name: host-var-log-antrea + subPath: strongswan + - args: + - --log_file_max_size=100 + - --log_file_max_num=4 + command: + - start_ovs + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.2.1 + 
livenessProbe: + exec: + command: + - /bin/sh + - -c + - timeout 10 container_liveness_probe ovs + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 10 + name: antrea-ovs + resources: + requests: + cpu: 200m + securityContext: + capabilities: + add: + - SYS_NICE + - NET_ADMIN + - SYS_ADMIN + - IPC_LOCK + volumeMounts: + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/log/openvswitch + name: host-var-log-antrea + subPath: openvswitch + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + initContainers: + - command: + - install_cni + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.2.1 + name: install-cni + resources: + requests: + cpu: 100m + securityContext: + capabilities: + add: + - SYS_MODULE + volumeMounts: + - mountPath: /etc/antrea/antrea-cni.conflist + name: antrea-config + readOnly: true + subPath: antrea-cni.conflist + - mountPath: /host/etc/cni/net.d + name: host-cni-conf + - mountPath: /host/opt/cni/bin + name: host-cni-bin + - mountPath: /lib/modules + name: host-lib-modules + readOnly: true + - mountPath: /var/run/antrea + name: host-var-run-antrea + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-node-critical + serviceAccountName: antrea-agent + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + volumes: + - configMap: + name: antrea-config-5mt4h4g8tk + name: antrea-config + - hostPath: + path: /etc/cni/net.d + name: host-cni-conf + - hostPath: + path: /opt/cni/bin + name: host-cni-bin + - hostPath: + path: /proc + name: host-proc + - hostPath: + path: /var/run/netns + name: host-var-run-netns + - hostPath: + path: /var/run/antrea + type: DirectoryOrCreate + name: host-var-run-antrea + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea + - hostPath: + path: /lib/modules + name: host-lib-modules + 
- hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + updateStrategy: + type: RollingUpdate +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.io +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: 
admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.io +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: tiervalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/anp + name: anpvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/clustergroup + name: clustergroupvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha3 + - v1alpha2 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - clustergroups + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/externalippool + name: externalippoolvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha2 + operations: + - UPDATE + resources: + - externalippools + scope: Cluster + 
sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/egress + name: egressvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + resources: + - egresses + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: tiervalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/anp + name: anpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/clustergroup + name: clustergroupvalidator.antrea.tanzu.vmware.com + rules: + - 
apiGroups:
+ - core.antrea.tanzu.vmware.com
+ apiVersions:
+ - v1alpha2
+ operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ resources:
+ - clustergroups
+ scope: Cluster
+ sideEffects: None
+ timeoutSeconds: 5
diff --git a/addons/antrea/1.2.1/kubeadm.yaml b/addons/antrea/1.2.1/kubeadm.yaml
new file mode 100644
index 0000000000..5fa4ffb370
--- /dev/null
+++ b/addons/antrea/1.2.1/kubeadm.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kubeadm.k8s.io/v1beta2
+kind: ClusterConfiguration
+metadata:
+ name: kubeadm-cluster-configuration
+networking:
+ podSubnet: $POD_CIDR
diff --git a/addons/antrea/1.2.1/kustomization.yaml b/addons/antrea/1.2.1/kustomization.yaml
new file mode 100644
index 0000000000..2949157786
--- /dev/null
+++ b/addons/antrea/1.2.1/kustomization.yaml
@@ -0,0 +1 @@
+resources:
diff --git a/addons/antrea/1.2.1/plaintext.yaml b/addons/antrea/1.2.1/plaintext.yaml
new file mode 100644
index 0000000000..b062938a17
--- /dev/null
+++ b/addons/antrea/1.2.1/plaintext.yaml
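Review bot: `podSubnet: $POD_CIDR` in kubeadm.yaml is a shell-style placeholder, so the file is not a valid ClusterConfiguration until the installer substitutes it, and nothing in this file constrains what ends up spliced into the kubeadm config; whichever script performs the substitution (presumably install.sh, not visible here) should reject an empty or non-CIDR value before writing the file rather than relying on kubeadm to fail later. The template deserves a header comment stating that contract, e.g. `# Template: $POD_CIDR is substituted by the installer and must be a valid pod CIDR; do not apply this file directly.`. Separately, `kubeadm.k8s.io/v1beta2` was deprecated in kubeadm 1.22 and dropped in 1.28, so if this addon version can be paired with a current kubeadm the init will reject the config — this is a revert restoring an existing file, so the point is about the restored template rather than new authorship, and the version gating is not visible in this hunk. The bare `resources:` in kustomization.yaml is likewise only meaningful once the installer appends entries to it.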
@@ -0,0 +1,4683 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - laai + singular: antreaagentinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - aai + singular: antreaagentinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - laci + singular: antreacontrollerinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - aci + singular: antreacontrollerinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- 
+apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ClusterGroup + plural: clustergroups + shortNames: + - lcg + singular: group + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + 
subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.crd.antrea.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: antrea + namespace: kube-system + path: /convert/clustergroup + conversionReviewVersions: + - v1 + - v1beta1 + group: crd.antrea.io + names: + kind: ClusterGroup + plural: clustergroups + shortNames: + - cg + singular: group + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + 
properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: false + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + 
kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - acnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - 
Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - 
Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: 
string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - lacnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + 
protocol: + type: string + type: object + type: array + to: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: 
object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: egresses.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Egress + plural: egresses + shortNames: + - eg + singular: egress + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. 
+ jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + properties: + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + egressIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + externalIPPool: + type: string + required: + - appliedTo + type: object + status: + properties: + egressNode: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - lee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: 
string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - ee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalippools.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalIPPool + plural: externalippools + shortNames: + - eip + singular: externalippool + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + ipRanges: + items: + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + format: cidr + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + type: object + type: array + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: 
string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - ipRanges + - nodeSelector + type: object + required: + - spec + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - anp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + 
type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + 
values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - lanp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + 
type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + 
values: + items: + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Tier + plural: tiers + shortNames: + - tr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: Tier + plural: tiers + shortNames: + - ltr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. 
+ jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Traceflow + plural: traceflows + shortNames: + - tf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. + jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - description: Trace live traffic. + jsonPath: .spec.liveTraffic + name: Live-Traffic + priority: 10 + type: boolean + - description: Capture only the dropped packet. + jsonPath: .spec.droppedOnly + name: Dropped-Only + priority: 10 + type: boolean + - description: Timeout in seconds. 
+ jsonPath: .spec.timeout + name: Timeout + priority: 10 + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + droppedOnly: + type: boolean + liveTraffic: + type: boolean + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + type: object + timeout: + type: integer + type: object + status: + properties: + capturedPacket: + properties: + dstIP: + type: string + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + length: + type: integer + srcIP: + type: string + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + 
srcPort: + type: integer + type: object + type: object + type: object + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.ops.antrea.tanzu.vmware.com +spec: + group: ops.antrea.tanzu.vmware.com + names: + kind: Traceflow + plural: traceflows + shortNames: + - ltf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. + jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. 
+ jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + namespace: + type: string + pod: + type: string + required: + - pod + - namespace + type: object + required: + - source + type: object + status: + properties: + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- 
+apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-agent + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-controller + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-clustergroups-edit +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-clustergroups-view +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-policies-edit +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-policies-view +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-traceflows-edit +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-traceflows-view +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antctl +rules: +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - list +- apiGroups: + - stats.antrea.tanzu.vmware.com + - stats.antrea.io + resources: + - networkpolicystats + - antreaclusternetworkpolicystats + - antreanetworkpolicystats + verbs: + - get + - list +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - 
controllerinfos + - agentinfos + verbs: + - get +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - supportbundles + verbs: + - get + - post +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - supportbundles/download + verbs: + - get +- nonResourceURLs: + - /agentinfo + - /addressgroups + - /appliedtogroups + - /loglevel + - /networkpolicies + - /ovsflows + - /ovstracing + - /podinterfaces + - /featuregates + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-agent +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - endpoints + - services + verbs: + - get + - watch + - list +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.io + resources: + - egressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - nodestatssummaries + verbs: + - create +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies/status + verbs: + - create + - get +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - "" + resourceNames: + - 
extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - ops.antrea.tanzu.vmware.com + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - egresses/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - externalippools + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-cluster-identity-reader +rules: +- apiGroups: + - "" + resourceNames: + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-controller +rules: +- apiGroups: + - "" + resources: + - nodes + - pods + - namespaces + - services + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - watch + - list +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - update +- apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - 
apiregistration.k8s.io + resourceNames: + - v1alpha1.stats.antrea.tanzu.vmware.com + - v1beta1.system.antrea.tanzu.vmware.com + - v1beta2.controlplane.antrea.tanzu.vmware.com + - v1beta1.controlplane.antrea.tanzu.vmware.com + - v1alpha1.stats.antrea.io + - v1beta1.system.antrea.io + - v1beta2.controlplane.antrea.io + resources: + - apiservices + verbs: + - get + - update +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1beta1.networking.antrea.tanzu.vmware.com + resources: + - apiservices + verbs: + - delete +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - crdmutator.antrea.tanzu.vmware.com + - crdvalidator.antrea.tanzu.vmware.com + - labelsmutator.antrea.io + - crdmutator.antrea.io + - crdvalidator.antrea.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - update +- apiGroups: + - crd.antrea.io + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get 
+ - watch + - list + - update + - patch +- apiGroups: + - crd.antrea.io + resources: + - externalippools + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antctl +subjects: +- kind: ServiceAccount + name: antctl + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: +- kind: ServiceAccount + name: antrea-agent + namespace: kube-system +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: +- kind: ServiceAccount + name: antrea-controller + namespace: kube-system +--- +apiVersion: v1 +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice + # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. + # EndpointSlice: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable NodePortLocal feature to make the pods reachable externally through NodePort + # NodePortLocal: false + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. + # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. 
+ #ovsBridge: br-int + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: + # - system + # - netdev + # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. + # Make sure it doesn't conflict with your existing interfaces. + #hostGateway: antrea-gw0 + + # Determines how traffic is encapsulated. It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. + # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. + # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + #trafficEncapMode: encap + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. + # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + #noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + #tunnelType: geneve + + # Default MTU to use for the host gateway interface and the network interface of each Pod. 
+ # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + #defaultMTU: 0 + + # Whether or not to enable IPsec encryption of tunnel traffic. IPsec encryption is only supported + # for the GRE tunnel type. + #enableIPSecTunnel: false + + # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + #serviceCIDR: 10.96.0.0/12 + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. + #serviceCIDRv6: + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + #apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + #enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. + # However, IPv6 address should be wrapped with []. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and + # "udp" protocols. 
"tls" is used for securing communication between flow exporter and + # flow aggregator. + #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" + + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #flowPollInterval: "5s" + + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #activeFlowExportTimeout: "30s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #idleFlowExportTimeout: "15s" + + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned + # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports), + # and all Node traffic directed to that port will be forwarded to the Pod. + #nplPortRange: 61000-62000 + + # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. + # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. + #kubeAPIServerOverride: "" + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. 
+ # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + #tlsMinVersion: + antrea-cni.conflist: | + { + "cniVersion":"0.3.0", + "name": "antrea", + "plugins": [ + { + "type": "antrea", + "ipam": { + "type": "host-local" + } + }, + { + "type": "portmap", + "capabilities": {"portMappings": true} + }, + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + antrea-controller.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: false + + # The port for the antrea-controller APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-controller` container must be set to the same value. + #apiPort: 10349 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + #enablePrometheusMetrics: true + + # Indicates whether to use auto-generated self-signed TLS certificate. 
+ # If false, A Secret named "antrea-controller-tls" must be provided with the following keys: + # ca.crt: + # tls.crt: + # tls.key: + # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the + # antrea-controller container. + #selfSignedCert: true + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + #tlsMinVersion: + + # If Antrea is upgraded from version <= v0.13 and legacy CRDs are used, this option should be + # enabled, otherwise the CRDs created with the legacy API groups will not take any effect and + # work as expected. When the mirroring is enabled, if a legacy CRD is created with legacy API + # groups, mirroring-controller will create a new CRD with the Spec and Labels from the legacy + # CRD. Afterwards, the modification of Spec and Label in legacy CRD will be synchronized to new + # CRD automatically. In addition, the modification of Status in new CRD will also be synchronized + # to legacy CRD automatically. If a legacy CRD is deleted, the corresponding new CRD will be deleted. + # Note that: to decouple a new CRD from the corresponding legacy CRD, the legacy CRD should be + # annotated with "crd.antrea.io/stop-mirror". Afterwards, updates to the legacy CRDs will no + # longer be reflected in the new CRD, and all CRUD operations should be done through the new + # API groups. After adding the annotation, legacy CRDs can be deleted safely without impacting + # new CRDs. 
+ #legacyCRDMirroring: true +kind: ConfigMap +metadata: + annotations: {} + labels: + app: antrea + name: antrea-config-2567tcm8ck + namespace: kube-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: antrea + name: antrea + namespace: kube-system +spec: + ports: + - port: 443 + protocol: TCP + targetPort: api + selector: + app: antrea + component: antrea-controller +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: antrea + component: antrea-controller + name: antrea-controller + namespace: kube-system +spec: + replicas: 1 + selector: + matchLabels: + app: antrea + component: antrea-controller + strategy: + type: Recreate + template: + metadata: + labels: + app: antrea + component: antrea-controller + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-controller.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-controller + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: SERVICEACCOUNT_NAME + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ANTREA_CONFIG_MAP_NAME + value: antrea-config-2567tcm8ck + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.2.1 + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /livez + port: api + scheme: HTTPS + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-controller + ports: + - containerPort: 10349 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + volumeMounts: + - mountPath: /etc/antrea/antrea-controller.conf + name: 
antrea-config + readOnly: true + subPath: antrea-controller.conf + - mountPath: /var/run/antrea/antrea-controller-tls + name: antrea-controller-tls + - mountPath: /var/log/antrea + name: host-var-log-antrea + hostNetwork: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + serviceAccountName: antrea-controller + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + volumes: + - configMap: + name: antrea-config-2567tcm8ck + name: antrea-config + - name: antrea-controller-tls + secret: + defaultMode: 256 + optional: true + secretName: antrea-controller-tls + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.io +spec: + group: stats.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.tanzu.vmware.com +spec: + group: stats.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.system.antrea.io +spec: + group: system.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: 
apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.system.antrea.tanzu.vmware.com +spec: + group: system.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.io +spec: + group: controlplane.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app: antrea + component: antrea-agent + name: antrea-agent + namespace: kube-system +spec: + selector: + matchLabels: + app: antrea + component: antrea-agent + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: antrea-agent + labels: + app: antrea + component: antrea-agent + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-agent.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-agent + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.2.1 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - container_liveness_probe agent + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + 
timeoutSeconds: 5 + name: antrea-agent + ports: + - containerPort: 10350 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 8 + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + securityContext: + privileged: true + volumeMounts: + - mountPath: /etc/antrea/antrea-agent.conf + name: antrea-config + readOnly: true + subPath: antrea-agent.conf + - mountPath: /var/run/antrea + name: host-var-run-antrea + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/lib/cni + name: host-var-run-antrea + subPath: cni + - mountPath: /var/log/antrea + name: host-var-log-antrea + - mountPath: /host/proc + name: host-proc + readOnly: true + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: host-var-run-netns + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + - args: + - --log_file_max_size=100 + - --log_file_max_num=4 + command: + - start_ovs + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.2.1 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - timeout 10 container_liveness_probe ovs + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 10 + name: antrea-ovs + resources: + requests: + cpu: 200m + securityContext: + capabilities: + add: + - SYS_NICE + - NET_ADMIN + - SYS_ADMIN + - IPC_LOCK + volumeMounts: + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/log/openvswitch + name: host-var-log-antrea + subPath: openvswitch + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + initContainers: + - command: + - install_cni + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.2.1 + name: install-cni + resources: + requests: + cpu: 100m + securityContext: + capabilities: + add: + - SYS_MODULE + volumeMounts: + - mountPath: 
/etc/antrea/antrea-cni.conflist + name: antrea-config + readOnly: true + subPath: antrea-cni.conflist + - mountPath: /host/etc/cni/net.d + name: host-cni-conf + - mountPath: /host/opt/cni/bin + name: host-cni-bin + - mountPath: /lib/modules + name: host-lib-modules + readOnly: true + - mountPath: /var/run/antrea + name: host-var-run-antrea + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-node-critical + serviceAccountName: antrea-agent + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + volumes: + - configMap: + name: antrea-config-2567tcm8ck + name: antrea-config + - hostPath: + path: /etc/cni/net.d + name: host-cni-conf + - hostPath: + path: /opt/cni/bin + name: host-cni-bin + - hostPath: + path: /proc + name: host-proc + - hostPath: + path: /var/run/netns + name: host-var-run-netns + - hostPath: + path: /var/run/antrea + type: DirectoryOrCreate + name: host-var-run-antrea + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea + - hostPath: + path: /lib/modules + name: host-lib-modules + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + updateStrategy: + type: RollingUpdate +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.io +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.io + rules: + - apiGroups: + - 
crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.io +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: tiervalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: 
Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/anp + name: anpvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/clustergroup + name: clustergroupvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha3 + - v1alpha2 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - clustergroups + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/externalippool + name: externalippoolvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha2 + operations: + - UPDATE + resources: + - externalippools + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/egress + name: egressvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + resources: + - egresses + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: tiervalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - 
v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/anp + name: anpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/clustergroup + name: clustergroupvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - core.antrea.tanzu.vmware.com + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - clustergroups + scope: Cluster + sideEffects: None + timeoutSeconds: 5 diff --git a/addons/antrea/1.4.0/Manifest b/addons/antrea/1.4.0/Manifest new file mode 100644 index 0000000000..16a88614dd --- /dev/null +++ b/addons/antrea/1.4.0/Manifest @@ -0,0 +1,3 @@ +image antrea-ubuntu projects.registry.vmware.com/antrea/antrea-ubuntu:v1.4.0 + +asset antctl https://github.com/vmware-tanzu/antrea/releases/download/v1.4.0/antctl-Linux-x86_64 diff --git a/addons/antrea/1.4.0/install.sh b/addons/antrea/1.4.0/install.sh new file mode 100644 index 0000000000..7da776d314 --- /dev/null +++ b/addons/antrea/1.4.0/install.sh 
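Review bot: Nothing in this Manifest lets the installer verify what it fetches: the antctl asset is a bare GitHub release URL with no checksum recorded beside it, and the image is pinned by the mutable tag `v1.4.0` rather than a digest. Since install.sh (later in this patch) copies the downloaded antctl straight onto the PATH, a recorded sha256 for the asset is the only point at which tampering could be caught. If the Manifest format accepts it, pin the image as `projects.registry.vmware.com/antrea/antrea-ubuntu@sha256:<digest>` and record the expected sha256 of `antctl-Linux-x86_64` next to the asset line so the install script can check it before use.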
@@ -0,0 +1,119 @@
+# shellcheck disable=SC2148
+
+function antrea_pre_init() {
+ local src="$DIR/addons/antrea/$ANTREA_VERSION"
+
+ POD_CIDR="$ANTREA_POD_CIDR"
+ POD_CIDR_RANGE="$ANTREA_POD_CIDR_RANGE"
+
+ cp "$src/kubeadm.yaml" "$DIR/kustomize/kubeadm/init-patches/antrea.yaml"
+
+ if commandExists kubectl; then
+ EXISTING_POD_CIDR=$(kubectl -n kube-system get cm kubeadm-config -oyaml 2>/dev/null | grep podSubnet | awk '{ print $NF }')
+ fi
+
+ # Encryption uses wireGuard, which does not require the 3rd
+ # ipsec container in the antrea-agent daemonset.
+ if [ ! "$ANTREA_DISABLE_ENCRYPTION" = "1" ] && ! modprobe wireguard; then
+ bail "Antrea with inter-node encryption enabled requires the wireguard kernel module be available. https://www.wireguard.com/install/"
+ fi
+}
+
+function antrea() {
+ local src="$DIR/addons/antrea/$ANTREA_VERSION"
+ local dst="$DIR/kustomize/antrea"
+
+ if antrea_weave_conflict; then
+ printf "${YELLOW}Cannot migrate from weave to antrea${NC}\n"
+ return 0
+ fi
+
+ if ! lsmod | grep ip_tables; then
+ modprobe ip_tables
+ echo 'ip_tables' > /etc/modules-load.d/kurl-antrea.conf
+ fi
+ if [ "$IPV6_ONLY" = "1" ]; then
+ modprobe ip6_tables
+ echo 'ip6_tables' > /etc/modules-load.d/kurl-antrea.conf
+ fi
+
+
+ cp "$src/kustomization.yaml" "$dst/"
+
+ if [ "$ANTREA_DISABLE_ENCRYPTION" = "1" ]; then
+ cp "$src/plaintext.yaml" "$dst/"
+ insert_resources "$dst/kustomization.yaml" plaintext.yaml
+ if [ "$IPV6_ONLY" = "1" ]; then
+ sed -i "/#serviceCIDRv6:.*/a\ serviceCIDRv6: $SERVICE_CIDR" "$dst/plaintext.yaml"
+ fi
+ else
+
+ if [ "$IPV6_ONLY" = "1" ]; then
+ cp "$src/plaintext.yaml" "$dst/"
+ insert_resources "$dst/kustomization.yaml" plaintext.yaml
+ sed -i "/#serviceCIDRv6:.*/a\ serviceCIDRv6: $SERVICE_CIDR" "$dst/plaintext.yaml"
+ sed -i "/#trafficEncryptionMode:.*/a\ trafficEncryptionMode: wireGuard" "$dst/plaintext.yaml"
+ else
+ cp "$src/ipsec.yaml" "$dst/"
+ insert_resources "$dst/kustomization.yaml" ipsec.yaml
+
+ ANTREA_IPSEC_PSK=$(kubernetes_secret_value kube-system antrea-ipsec psk)
+ if [ -z "$ANTREA_IPSEC_PSK" ]; then
+ ANTREA_IPSEC_PSK=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c9)
+ fi
+ render_yaml_file "$src/ipsec-psk.yaml" > "$dst/ipsec-psk.yaml"
+ insert_patches_strategic_merge "$dst/kustomization.yaml" ipsec-psk.yaml
+ fi
+ fi
+
+ kubectl apply -k $dst
+
+ antrea_cli
+
+ check_network
+}
+
+function antrea_join() {
+ if ! lsmod | grep ip_tables; then
+ modprobe ip_tables
+ echo 'ip_tables' > /etc/modules-load.d/kurl-antrea.conf
+ fi
+ if [ "$IPV6_ONLY" = "1" ]; then
+ modprobe ip6_tables
+ echo 'ip6_tables' > /etc/modules-load.d/kurl-antrea.conf
+
+ if [ "$ANTREA_DISABLE_ENCRYPTION" != "1" ]; then
+ if ! modprobe wireguard; then
+ bail "Antrea with inter-node encryption enabled requires the wireguard kernel module be available. https://www.wireguard.com/install/"
+ fi
+ fi
+ fi
+
+ if kubernetes_is_master; then
+ antrea_cli
+ fi
+}
+
+function antrea_cli() {
+ local src="$DIR/addons/antrea/$ANTREA_VERSION"
+
+ # github.com has no AAAA records as of 12/6/21
+ if [ ! -f "$src/assets/antctl" ] && [ "$AIRGAP" != "1" ]; then
+ if [ "$IPV6_ONLY" = "1" ]; then
+ return 0
+ fi
+ mkdir -p "$src/assets"
+ curl -L --fail "https://github.com/vmware-tanzu/antrea/releases/download/v${ANTREA_VERSION}/antctl-Linux-x86_64" > "$src/assets/antctl"
+ fi
+
+ chmod +x "$src/assets/antctl"
+ # put it in the same directory as kubectl since that's always on the path
+ cp "$src/assets/antctl" "$(dirname $(which kubectl))/"
+}
+
+function antrea_weave_conflict() {
+ if [ -f /etc/cni/net.d/10-weave.conflist ]; then
+ return 0
+ fi
+ return 1
+}
diff --git a/addons/antrea/1.4.0/ipsec-psk.yaml b/addons/antrea/1.4.0/ipsec-psk.yaml
new file mode 100644
index 0000000000..8f73207965
--- /dev/null
+++ b/addons/antrea/1.4.0/ipsec-psk.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: antrea-ipsec
+ namespace: kube-system
+stringData:
+ psk: $ANTREA_IPSEC_PSK
diff --git a/addons/antrea/1.4.0/ipsec.yaml b/addons/antrea/1.4.0/ipsec.yaml
new file mode 100644
index 0000000000..32a1ade1b7
--- /dev/null
+++ b/addons/antrea/1.4.0/ipsec.yaml
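Review bot: The fallback IPsec PSK generated in `antrea()` is only nine alphanumeric characters (`head -c9`), about 53 bits of entropy, which is weak for the pre-shared key that protects all inter-node traffic; use at least 32, `ANTREA_IPSEC_PSK=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c32)`, which only affects fresh installs because an existing `antrea-ipsec` Secret value is reused first. `antrea_cli` then downloads antctl with `curl -L --fail` and copies it, unverified, into kubectl's directory, so a tampered or redirected release download becomes a root-executed binary on the PATH of every control-plane node; compare the file against a sha256 recorded in the Manifest and bail on mismatch before the `chmod +x`. In the `IPV6_ONLY` branches of both `antrea()` and `antrea_join()`, `echo 'ip6_tables' > /etc/modules-load.d/kurl-antrea.conf` uses `>` and overwrites the `ip_tables` entry written just above it when both branches run, so only one module is persisted across reboots; the second write should be `>>`. Minor: `kubectl apply -k $dst` and `$(dirname $(which kubectl))` are unquoted and should be `"$dst"` and `"$(dirname "$(which kubectl)")"`.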
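Review bot: `psk: $ANTREA_IPSEC_PSK` is substituted into the YAML unquoted, so this Secret only renders correctly because the generator in install.sh happens to emit `A-Za-z0-9`; a value reused from a pre-existing `antrea-ipsec` Secret that an operator set by hand could contain `#`, `: ` or a leading `*`/`&` and either break the render or be silently reinterpreted, changing the key one side of the tunnel uses. Quote it, `psk: "$ANTREA_IPSEC_PSK"`, assuming `render_yaml_file` does plain variable substitution (the helper is not shown in this patch). It is also worth a comment on the `psk` line that install.sh writes the rendered Secret to `$DIR/kustomize/antrea/ipsec-psk.yaml` in plaintext on the node, so that directory must be treated as sensitive.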
@@ -0,0 +1,5101 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - laai + singular: antreaagentinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - aai + singular: antreaagentinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Health status of this Agent + jsonPath: .agentConditions[?(@.type=='AgentHealthy')].status + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: .agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime + name: Last Heartbeat + type: date + - description: Version of this Agent + jsonPath: .version + name: Version + priority: 1 + type: string + - description: Node on which this Agent is running + jsonPath: .nodeRef.name + name: Node + priority: 1 + type: string + - description: Number of local Pods managed by this Agent + jsonPath: .localPodNum + name: Num Pods + priority: 2 + type: integer + - description: Subnets used by this Agent for Pod IPAM + jsonPath: .nodeSubnets + name: Subnets + priority: 2 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + 
group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - laci + singular: antreacontrollerinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - aci + singular: antreacontrollerinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Health status of the Controller + jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].status + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime + name: Last Heartbeat + type: date + - description: Version of the Controller + jsonPath: .version + name: Version + priority: 1 + type: string + - description: Number of Agents connected to the Controller + jsonPath: .connectedAgentNum + name: Connected Agents + priority: 1 + type: integer + - description: Node on which the Controller is running + jsonPath: .nodeRef.name + name: Node + priority: 1 + type: string + - description: Number of Network Policies computed by Controller + jsonPath: .networkPolicyControllerInfo.networkPolicyNum + name: Num Network Policies + priority: 2 + type: integer + name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ClusterGroup + plural: 
clustergroups + shortNames: + - lcg + singular: group + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: 
CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.crd.antrea.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: antrea + namespace: kube-system + path: /convert/clustergroup + conversionReviewVersions: + - v1 + - v1beta1 + group: crd.antrea.io + names: + kind: ClusterGroup + plural: clustergroups + shortNames: + - cg + singular: clustergroup + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + 
type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: false + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: 
object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - acnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + 
x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + fqdn: + type: string + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn 
+ - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + 
namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - lacnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. 
+ format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + 
values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + 
x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: 
+ type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: egresses.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Egress + plural: egresses + shortNames: + - eg + singular: egress + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. + jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + properties: + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + egressIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + externalIPPool: + type: string + required: + - appliedTo + type: object + status: + properties: + egressNode: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + 
subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - lee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - ee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalippools.crd.antrea.io 
+spec: + group: crd.antrea.io + names: + kind: ExternalIPPool + plural: externalippools + shortNames: + - eip + singular: externalippool + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + ipRanges: + items: + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + format: cidr + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + type: object + type: array + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - ipRanges + - nodeSelector + type: object + status: + properties: + usage: + properties: + total: + type: integer + used: + type: integer + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: ippools.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: IPPool + plural: ippools + shortNames: + - ipp + singular: ippool + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - 
gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + vlan: + type: string + type: object + type: array + ipVersion: + type: integer + required: + - ipVersion + - ipRanges + type: object + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + containerID: + type: string + name: + type: string + namespace: + type: string + type: object + type: object + phase: + type: string + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - anp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + fqdn: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + 
properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + 
cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - lanp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. 
+ jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + 
matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + 
operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Tier + plural: tiers + 
shortNames: + - tr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: Tier + plural: tiers + shortNames: + - ltr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Traceflow + plural: traceflows + shortNames: + - tf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. 
+ jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. + jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - description: Trace live traffic. + jsonPath: .spec.liveTraffic + name: Live-Traffic + priority: 10 + type: boolean + - description: Capture only the dropped packet. + jsonPath: .spec.droppedOnly + name: Dropped-Only + priority: 10 + type: boolean + - description: Timeout in seconds. + jsonPath: .spec.timeout + name: Timeout + priority: 10 + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + droppedOnly: + type: boolean + liveTraffic: + type: boolean + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + type: object + timeout: + type: integer + type: object + status: + properties: + capturedPacket: + properties: + dstIP: + type: string + ipHeader: + properties: + flags: + 
type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + length: + type: integer + srcIP: + type: string + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.ops.antrea.tanzu.vmware.com +spec: + group: ops.antrea.tanzu.vmware.com + names: + kind: Traceflow + plural: traceflows + shortNames: + - ltf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. 
+ jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. + jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + namespace: + type: string + pod: + type: string + required: + - pod + - namespace + type: object + required: + - source + type: object + status: + properties: + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: 
object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-agent + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-controller + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-clustergroups-edit +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-clustergroups-view +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-policies-edit +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - 
clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-policies-view +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-traceflows-edit +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-traceflows-view +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antctl +rules: +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - list +- apiGroups: + - stats.antrea.tanzu.vmware.com + - stats.antrea.io + resources: + - networkpolicystats + - antreaclusternetworkpolicystats + - 
antreanetworkpolicystats + verbs: + - get + - list +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - controllerinfos + - agentinfos + verbs: + - get +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - supportbundles + verbs: + - get + - post +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - supportbundles/download + verbs: + - get +- nonResourceURLs: + - /agentinfo + - /addressgroups + - /appliedtogroups + - /loglevel + - /networkpolicies + - /ovsflows + - /ovstracing + - /podinterfaces + - /featuregates + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-agent +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - endpoints + - services + - namespaces + verbs: + - get + - watch + - list +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.io + resources: + - egressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - nodestatssummaries + verbs: + - create +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies/status + verbs: + - create + - get +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- 
apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - ops.antrea.tanzu.vmware.com + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - egresses/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - ippools/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-cluster-identity-reader +rules: +- apiGroups: + - "" + resourceNames: + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-controller +rules: +- apiGroups: + - "" + resources: + - pods + - namespaces + - services + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - patch +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - watch + - list +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - update +- apiGroups: + - "" + resourceNames: + - 
extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1alpha1.stats.antrea.tanzu.vmware.com + - v1beta1.system.antrea.tanzu.vmware.com + - v1beta2.controlplane.antrea.tanzu.vmware.com + - v1alpha1.stats.antrea.io + - v1beta1.system.antrea.io + - v1beta2.controlplane.antrea.io + resources: + - apiservices + verbs: + - get + - update +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1beta1.networking.antrea.tanzu.vmware.com + - v1beta1.controlplane.antrea.tanzu.vmware.com + resources: + - apiservices + verbs: + - delete +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - crdmutator.antrea.tanzu.vmware.com + - crdvalidator.antrea.tanzu.vmware.com + - labelsmutator.antrea.io + - crdmutator.antrea.io + - crdvalidator.antrea.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - update +- apiGroups: + - crd.antrea.io + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- 
apiGroups: + - crd.antrea.io + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list + - update + - patch +- apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - externalippools/status + verbs: + - update +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: 
ClusterRole + name: antctl +subjects: +- kind: ServiceAccount + name: antctl + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: +- kind: ServiceAccount + name: antrea-agent + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: +- kind: ServiceAccount + name: antrea-controller + namespace: kube-system +--- +apiVersion: v1 +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice + # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. + # EndpointSlice: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable NodePortLocal feature to make the Pods reachable externally through NodePort + # NodePortLocal: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. 
+ # AntreaPolicy: true + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. + # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: false + + # Enable flexible IPAM mode for Antrea. This mode allows to assign IP Ranges to Namespaces, + # Deployments and StatefulSets via IP Pool annotation. + # AntreaIPAM: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. + #ovsBridge: br-int + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: + # - system + # - netdev + # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. + # Make sure it doesn't conflict with your existing interfaces. + #hostGateway: antrea-gw0 + + # Determines how traffic is encapsulated. It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. + # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. + # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + #trafficEncapMode: encap + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. 
+ # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + #noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, + # this option will not take effect. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + tunnelType: geneve + + # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. + # It has the following options: + # - none (default): Inter-node Pod traffic will not be encrypted. + # - ipsec: Enable IPSec (ESP) encryption for Pod traffic across Nodes. Antrea uses + # Preshared Key (PSK) for IKE authentication. When IPSec tunnel is enabled, + # the PSK value must be passed to Antrea Agent through an environment + # variable: ANTREA_IPSEC_PSK. + # - wireGuard: Enable WireGuard for tunnel traffic encryption. + trafficEncryptionMode: wireguard + + # Default MTU to use for the host gateway interface and the network interface of each Pod. + # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + #defaultMTU: 0 + + # wireGuard specifies WireGuard related configurations. + wireGuard: + # The port for WireGuard to receive traffic. + # port: 51820 + + egress: + # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. + # exceptCIDRs: [] + + # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. 
When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + #serviceCIDR: 10.96.0.0/12 + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. + #serviceCIDRv6: + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + #apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + #enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. + # However, IPv6 address should be wrapped with []. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" + + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
+ #flowPollInterval: "5s" + + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #activeFlowExportTimeout: "30s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #idleFlowExportTimeout: "15s" + + nodePortLocal: + # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To + # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature + # gate is also enabled (which is the default). + # enable: false + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port + # from that range will be assigned whenever a Pod's container defines a specific port to be exposed + # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic + # directed to that port will be forwarded to the Pod. + # portRange: 61000-62000 + + # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. + # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. + #kubeAPIServerOverride: "" + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. 
But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + #tlsMinVersion: + + # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. + # If there are multiple IP addresses configured on the interface, the first one is used. The IP + # address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. transportInterface + # 2. transportInterfaceCIDRs + # 3. The Node IP + #transportInterface: + + # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across + # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The + # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. transportInterface + # 2. transportInterfaceCIDRs + # 3. The Node IP + #transportInterfaceCIDRs: [,] + + # Option antreaProxy contains AntreaProxy related configuration options. + antreaProxy: + # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, + # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy + # feature to be enabled. + # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access + # apiserver directly. + #proxyAll: false + # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. + # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. + # Note that the option is only valid when proxyAll is true. 
+ #nodePortAddresses: [] + # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these + # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name + # with Namespace (e.g. kube-system/kube-dns) + #skipServices: [] + antrea-cni.conflist: | + { + "cniVersion":"0.3.0", + "name": "antrea", + "plugins": [ + { + "type": "antrea", + "ipam": { + "type": "host-local" + } + }, + { + "type": "portmap", + "capabilities": {"portMappings": true} + }, + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + antrea-controller.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: false + + # Run Kubernetes NodeIPAMController with Antrea. + # NodeIPAM: false + + # Enable flexible IPAM mode for Antrea. This mode allows to assign IP Ranges to Namespaces, + # Deployments and StatefulSets via IP Pool annotation. + # AntreaIPAM: false + # + + # The port for the antrea-controller APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-controller` container must be set to the same value. + #apiPort: 10349 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. 
+ #enablePrometheusMetrics: true + + # Indicates whether to use auto-generated self-signed TLS certificate. + # If false, A Secret named "antrea-controller-tls" must be provided with the following keys: + # ca.crt: + # tls.crt: + # tls.key: + # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the + # antrea-controller container. + #selfSignedCert: true + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + #tlsMinVersion: + + # If Antrea is upgraded from version <= v0.13 and legacy CRDs are used, this option should be + # enabled, otherwise the CRDs created with the legacy API groups will not take any effect and + # work as expected. When the mirroring is enabled, if a legacy CRD is created with legacy API + # groups, mirroring-controller will create a new CRD with the Spec and Labels from the legacy + # CRD. Afterwards, the modification of Spec and Label in legacy CRD will be synchronized to new + # CRD automatically. In addition, the modification of Status in new CRD will also be synchronized + # to legacy CRD automatically. If a legacy CRD is deleted, the corresponding new CRD will be deleted. + # Note that: to decouple a new CRD from the corresponding legacy CRD, the legacy CRD should be + # annotated with "crd.antrea.io/stop-mirror". Afterwards, updates to the legacy CRDs will no + # longer be reflected in the new CRD, and all CRUD operations should be done through the new + # API groups. After adding the annotation, legacy CRDs can be deleted safely without impacting + # new CRDs. 
+ #legacyCRDMirroring: true + + nodeIPAM: + # Enable the integrated Node IPAM controller within the Antrea controller. + # enableNodeIPAM: false + + # CIDR Ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. + # The CIDRs could be either IPv4 or IPv6. Value ignored when enableNodeIPAM is false. + # clusterCIDRs: [] + + # CIDR Ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. + # Value ignored when enableNodeIPAM is false. + # serviceCIDR: + # serviceCIDRv6: + + # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. + # nodeCIDRMaskSizeIPv4: 24 + + # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. + # nodeCIDRMaskSizeIPv6: 64 +kind: ConfigMap +metadata: + annotations: {} + labels: + app: antrea + name: antrea-config-2k4k228tc7 + namespace: kube-system +--- +apiVersion: v1 +kind: Secret +metadata: + name: antrea-ipsec + namespace: kube-system +stringData: + psk: changeme +type: Opaque +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: antrea + name: antrea + namespace: kube-system +spec: + ports: + - port: 443 + protocol: TCP + targetPort: api + selector: + app: antrea + component: antrea-controller +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: antrea + component: antrea-controller + name: antrea-controller + namespace: kube-system +spec: + replicas: 1 + selector: + matchLabels: + app: antrea + component: antrea-controller + strategy: + type: Recreate + template: + metadata: + labels: + app: antrea + component: antrea-controller + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-controller.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - 
--log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-controller + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: SERVICEACCOUNT_NAME + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ANTREA_CONFIG_MAP_NAME + value: antrea-config-2k4k228tc7 + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.4.0 + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /livez + port: api + scheme: HTTPS + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-controller + ports: + - containerPort: 10349 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + volumeMounts: + - mountPath: /etc/antrea/antrea-controller.conf + name: antrea-config + readOnly: true + subPath: antrea-controller.conf + - mountPath: /var/run/antrea/antrea-controller-tls + name: antrea-controller-tls + - mountPath: /var/log/antrea + name: host-var-log-antrea + hostNetwork: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + serviceAccountName: antrea-controller + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + volumes: + - configMap: + name: antrea-config-2k4k228tc7 + name: antrea-config + - name: antrea-controller-tls + secret: + defaultMode: 256 + optional: true + secretName: antrea-controller-tls + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.io +spec: + group: 
stats.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.tanzu.vmware.com +spec: + group: stats.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.system.antrea.io +spec: + group: system.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.system.antrea.tanzu.vmware.com +spec: + group: system.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.io +spec: + group: controlplane.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app: antrea + component: antrea-agent + name: antrea-agent + namespace: kube-system +spec: + selector: + matchLabels: + app: antrea + component: antrea-agent + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: antrea-agent + labels: + 
app: antrea + component: antrea-agent + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-agent.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-agent + env: + - name: ANTREA_IPSEC_PSK + valueFrom: + secretKeyRef: + key: psk + name: antrea-ipsec + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.4.0 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - container_liveness_probe agent + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-agent + ports: + - containerPort: 10350 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 8 + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + securityContext: + privileged: true + volumeMounts: + - mountPath: /etc/antrea/antrea-agent.conf + name: antrea-config + readOnly: true + subPath: antrea-agent.conf + - mountPath: /var/run/antrea + name: host-var-run-antrea + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/lib/cni + name: host-var-run-antrea + subPath: cni + - mountPath: /var/log/antrea + name: host-var-log-antrea + - mountPath: /host/proc + name: host-proc + readOnly: true + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: host-var-run-netns + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + - command: + - start_ovs_ipsec + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.4.0 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - timeout 5 
container_liveness_probe ovs-ipsec + initialDelaySeconds: 5 + periodSeconds: 5 + name: antrea-ipsec + resources: + requests: + cpu: 50m + securityContext: + capabilities: + add: + - NET_ADMIN + volumeMounts: + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/log/openvswitch + name: host-var-log-antrea + subPath: openvswitch + - mountPath: /var/log/strongswan + name: host-var-log-antrea + subPath: strongswan + - args: + - --log_file_max_size=100 + - --log_file_max_num=4 + command: + - start_ovs + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.4.0 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - timeout 10 container_liveness_probe ovs + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 10 + name: antrea-ovs + resources: + requests: + cpu: 200m + securityContext: + capabilities: + add: + - SYS_NICE + - NET_ADMIN + - SYS_ADMIN + - IPC_LOCK + volumeMounts: + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/log/openvswitch + name: host-var-log-antrea + subPath: openvswitch + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + initContainers: + - command: + - install_cni + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.4.0 + name: install-cni + resources: + requests: + cpu: 100m + securityContext: + capabilities: + add: + - SYS_MODULE + volumeMounts: + - mountPath: /etc/antrea/antrea-cni.conflist + name: antrea-config + readOnly: true + subPath: antrea-cni.conflist + - mountPath: /host/etc/cni/net.d + name: host-cni-conf + - mountPath: /host/opt/cni/bin + name: host-cni-bin + - mountPath: /lib/modules + name: host-lib-modules + readOnly: true + - mountPath: /var/run/antrea + name: host-var-run-antrea + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-node-critical + serviceAccountName: antrea-agent + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: 
NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + volumes: + - configMap: + name: antrea-config-2k4k228tc7 + name: antrea-config + - hostPath: + path: /etc/cni/net.d + name: host-cni-conf + - hostPath: + path: /opt/cni/bin + name: host-cni-bin + - hostPath: + path: /proc + name: host-proc + - hostPath: + path: /var/run/netns + name: host-var-run-netns + - hostPath: + path: /var/run/antrea + type: DirectoryOrCreate + name: host-var-run-antrea + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea + - hostPath: + path: /lib/modules + name: host-lib-modules + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + updateStrategy: + type: RollingUpdate +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.io +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.tanzu.vmware.com + rules: + 
- apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.io +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: tiervalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/anp + name: anpvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: 
/validate/clustergroup + name: clustergroupvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha3 + - v1alpha2 + operations: + - CREATE + - UPDATE + resources: + - clustergroups + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/externalippool + name: externalippoolvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha2 + operations: + - UPDATE + resources: + - externalippools + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/egress + name: egressvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + resources: + - egresses + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/ippool + name: ippoolvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha2 + operations: + - UPDATE + - DELETE + resources: + - ippools + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: tiervalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + 
clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/anp + name: anpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/clustergroup + name: clustergroupvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - core.antrea.tanzu.vmware.com + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - clustergroups + scope: Cluster + sideEffects: None + timeoutSeconds: 5 diff --git a/addons/antrea/1.4.0/kubeadm.yaml b/addons/antrea/1.4.0/kubeadm.yaml new file mode 100644 index 0000000000..5fa4ffb370 --- /dev/null +++ b/addons/antrea/1.4.0/kubeadm.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kubeadm.k8s.io/v1beta2 +kind: ClusterConfiguration +metadata: + name: kubeadm-cluster-configuration +networking: + podSubnet: $POD_CIDR diff --git a/addons/antrea/1.4.0/kustomization.yaml b/addons/antrea/1.4.0/kustomization.yaml new file mode 100644 index 0000000000..2949157786 --- /dev/null +++ b/addons/antrea/1.4.0/kustomization.yaml @@ -0,0 +1 @@ +resources: diff --git a/addons/antrea/1.4.0/plaintext.yaml b/addons/antrea/1.4.0/plaintext.yaml new file mode 100644 index 0000000000..a741f09abb --- /dev/null +++ b/addons/antrea/1.4.0/plaintext.yaml 
@@ -0,0 +1,5058 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - laai + singular: antreaagentinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - aai + singular: antreaagentinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Health status of this Agent + jsonPath: .agentConditions[?(@.type=='AgentHealthy')].status + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: .agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime + name: Last Heartbeat + type: date + - description: Version of this Agent + jsonPath: .version + name: Version + priority: 1 + type: string + - description: Node on which this Agent is running + jsonPath: .nodeRef.name + name: Node + priority: 1 + type: string + - description: Number of local Pods managed by this Agent + jsonPath: .localPodNum + name: Num Pods + priority: 2 + type: integer + - description: Subnets used by this Agent for Pod IPAM + jsonPath: .nodeSubnets + name: Subnets + priority: 2 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + 
group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - laci + singular: antreacontrollerinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - aci + singular: antreacontrollerinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Health status of the Controller + jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].status + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime + name: Last Heartbeat + type: date + - description: Version of the Controller + jsonPath: .version + name: Version + priority: 1 + type: string + - description: Number of Agents connected to the Controller + jsonPath: .connectedAgentNum + name: Connected Agents + priority: 1 + type: integer + - description: Node on which the Controller is running + jsonPath: .nodeRef.name + name: Node + priority: 1 + type: string + - description: Number of Network Policies computed by Controller + jsonPath: .networkPolicyControllerInfo.networkPolicyNum + name: Num Network Policies + priority: 2 + type: integer + name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ClusterGroup + plural: 
clustergroups + shortNames: + - lcg + singular: group + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: 
CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.crd.antrea.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: antrea + namespace: kube-system + path: /convert/clustergroup + conversionReviewVersions: + - v1 + - v1beta1 + group: crd.antrea.io + names: + kind: ClusterGroup + plural: clustergroups + shortNames: + - cg + singular: clustergroup + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + 
type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: false + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: 
object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - acnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + 
x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + fqdn: + type: string + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn 
+ - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + 
namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - lacnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. 
+ format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + 
values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + 
x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: 
+ type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: egresses.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Egress + plural: egresses + shortNames: + - eg + singular: egress + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. + jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + properties: + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + egressIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + externalIPPool: + type: string + required: + - appliedTo + type: object + status: + properties: + egressNode: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + 
subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - lee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - ee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalippools.crd.antrea.io 
+spec: + group: crd.antrea.io + names: + kind: ExternalIPPool + plural: externalippools + shortNames: + - eip + singular: externalippool + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + ipRanges: + items: + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + format: cidr + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + type: object + type: array + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - ipRanges + - nodeSelector + type: object + status: + properties: + usage: + properties: + total: + type: integer + used: + type: integer + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: ippools.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: IPPool + plural: ippools + shortNames: + - ipp + singular: ippool + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - 
gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + vlan: + type: string + type: object + type: array + ipVersion: + type: integer + required: + - ipVersion + - ipRanges + type: object + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + containerID: + type: string + name: + type: string + namespace: + type: string + type: object + type: object + phase: + type: string + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - anp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + fqdn: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + 
properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + 
cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - lanp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. 
+ jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + 
matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + 
operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Tier + plural: tiers + 
shortNames: + - tr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: Tier + plural: tiers + shortNames: + - ltr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Traceflow + plural: traceflows + shortNames: + - tf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. 
+ jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. + jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - description: Trace live traffic. + jsonPath: .spec.liveTraffic + name: Live-Traffic + priority: 10 + type: boolean + - description: Capture only the dropped packet. + jsonPath: .spec.droppedOnly + name: Dropped-Only + priority: 10 + type: boolean + - description: Timeout in seconds. + jsonPath: .spec.timeout + name: Timeout + priority: 10 + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + droppedOnly: + type: boolean + liveTraffic: + type: boolean + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + type: object + timeout: + type: integer + type: object + status: + properties: + capturedPacket: + properties: + dstIP: + type: string + ipHeader: + properties: + flags: + 
type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + length: + type: integer + srcIP: + type: string + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.ops.antrea.tanzu.vmware.com +spec: + group: ops.antrea.tanzu.vmware.com + names: + kind: Traceflow + plural: traceflows + shortNames: + - ltf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. 
+ jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. + jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + namespace: + type: string + pod: + type: string + required: + - pod + - namespace + type: object + required: + - source + type: object + status: + properties: + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: 
object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-agent + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-controller + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-clustergroups-edit +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-clustergroups-view +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-policies-edit +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - 
clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-policies-view +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-traceflows-edit +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-traceflows-view +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antctl +rules: +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - list +- apiGroups: + - stats.antrea.tanzu.vmware.com + - stats.antrea.io + resources: + - networkpolicystats + - antreaclusternetworkpolicystats + - 
antreanetworkpolicystats + verbs: + - get + - list +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - controllerinfos + - agentinfos + verbs: + - get +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - supportbundles + verbs: + - get + - post +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - supportbundles/download + verbs: + - get +- nonResourceURLs: + - /agentinfo + - /addressgroups + - /appliedtogroups + - /loglevel + - /networkpolicies + - /ovsflows + - /ovstracing + - /podinterfaces + - /featuregates + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-agent +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - endpoints + - services + - namespaces + verbs: + - get + - watch + - list +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.io + resources: + - egressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - nodestatssummaries + verbs: + - create +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies/status + verbs: + - create + - get +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- 
apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - ops.antrea.tanzu.vmware.com + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - egresses/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - ippools/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-cluster-identity-reader +rules: +- apiGroups: + - "" + resourceNames: + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-controller +rules: +- apiGroups: + - "" + resources: + - pods + - namespaces + - services + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - patch +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - watch + - list +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - update +- apiGroups: + - "" + resourceNames: + - 
extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1alpha1.stats.antrea.tanzu.vmware.com + - v1beta1.system.antrea.tanzu.vmware.com + - v1beta2.controlplane.antrea.tanzu.vmware.com + - v1alpha1.stats.antrea.io + - v1beta1.system.antrea.io + - v1beta2.controlplane.antrea.io + resources: + - apiservices + verbs: + - get + - update +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1beta1.networking.antrea.tanzu.vmware.com + - v1beta1.controlplane.antrea.tanzu.vmware.com + resources: + - apiservices + verbs: + - delete +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - crdmutator.antrea.tanzu.vmware.com + - crdvalidator.antrea.tanzu.vmware.com + - labelsmutator.antrea.io + - crdmutator.antrea.io + - crdvalidator.antrea.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - update +- apiGroups: + - crd.antrea.io + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- 
apiGroups: + - crd.antrea.io + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list + - update + - patch +- apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - externalippools/status + verbs: + - update +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: 
ClusterRole + name: antctl +subjects: +- kind: ServiceAccount + name: antctl + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: +- kind: ServiceAccount + name: antrea-agent + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: +- kind: ServiceAccount + name: antrea-controller + namespace: kube-system +--- +apiVersion: v1 +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice + # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. + # EndpointSlice: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable NodePortLocal feature to make the Pods reachable externally through NodePort + # NodePortLocal: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. 
+ # AntreaPolicy: true + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. + # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: false + + # Enable flexible IPAM mode for Antrea. This mode allows to assign IP Ranges to Namespaces, + # Deployments and StatefulSets via IP Pool annotation. + # AntreaIPAM: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. + #ovsBridge: br-int + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: + # - system + # - netdev + # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. + # Make sure it doesn't conflict with your existing interfaces. + #hostGateway: antrea-gw0 + + # Determines how traffic is encapsulated. It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. + # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. + # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + #trafficEncapMode: encap + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. 
+ # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + #noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, + # this option will not take effect. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + #tunnelType: geneve + + # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. + # It has the following options: + # - none (default): Inter-node Pod traffic will not be encrypted. + # - ipsec: Enable IPSec (ESP) encryption for Pod traffic across Nodes. Antrea uses + # Preshared Key (PSK) for IKE authentication. When IPSec tunnel is enabled, + # the PSK value must be passed to Antrea Agent through an environment + # variable: ANTREA_IPSEC_PSK. + # - wireGuard: Enable WireGuard for tunnel traffic encryption. + #trafficEncryptionMode: none + + # Default MTU to use for the host gateway interface and the network interface of each Pod. + # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + #defaultMTU: 0 + + # wireGuard specifies WireGuard related configurations. + wireGuard: + # The port for WireGuard to receive traffic. + # port: 51820 + + egress: + # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. + # exceptCIDRs: [] + + # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. 
When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + #serviceCIDR: 10.96.0.0/12 + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. + #serviceCIDRv6: + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + #apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + #enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. + # However, IPv6 address should be wrapped with []. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" + + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
+ #flowPollInterval: "5s" + + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #activeFlowExportTimeout: "30s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #idleFlowExportTimeout: "15s" + + nodePortLocal: + # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To + # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature + # gate is also enabled (which is the default). + # enable: false + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port + # from that range will be assigned whenever a Pod's container defines a specific port to be exposed + # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic + # directed to that port will be forwarded to the Pod. + # portRange: 61000-62000 + + # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. + # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. + #kubeAPIServerOverride: "" + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. 
But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + #tlsMinVersion: + + # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. + # If there are multiple IP addresses configured on the interface, the first one is used. The IP + # address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. transportInterface + # 2. transportInterfaceCIDRs + # 3. The Node IP + #transportInterface: + + # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across + # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The + # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. transportInterface + # 2. transportInterfaceCIDRs + # 3. The Node IP + #transportInterfaceCIDRs: [,] + + # Option antreaProxy contains AntreaProxy related configuration options. + antreaProxy: + # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, + # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy + # feature to be enabled. + # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access + # apiserver directly. + #proxyAll: false + # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. + # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. + # Note that the option is only valid when proxyAll is true. 
+ #nodePortAddresses: [] + # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these + # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name + # with Namespace (e.g. kube-system/kube-dns) + #skipServices: [] + antrea-cni.conflist: | + { + "cniVersion":"0.3.0", + "name": "antrea", + "plugins": [ + { + "type": "antrea", + "ipam": { + "type": "host-local" + } + }, + { + "type": "portmap", + "capabilities": {"portMappings": true} + }, + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + antrea-controller.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: false + + # Run Kubernetes NodeIPAMController with Antrea. + # NodeIPAM: false + + # Enable flexible IPAM mode for Antrea. This mode allows to assign IP Ranges to Namespaces, + # Deployments and StatefulSets via IP Pool annotation. + # AntreaIPAM: false + # + + # The port for the antrea-controller APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-controller` container must be set to the same value. + #apiPort: 10349 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. 
+ #enablePrometheusMetrics: true + + # Indicates whether to use auto-generated self-signed TLS certificate. + # If false, A Secret named "antrea-controller-tls" must be provided with the following keys: + # ca.crt: + # tls.crt: + # tls.key: + # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the + # antrea-controller container. + #selfSignedCert: true + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + #tlsMinVersion: + + # If Antrea is upgraded from version <= v0.13 and legacy CRDs are used, this option should be + # enabled, otherwise the CRDs created with the legacy API groups will not take any effect and + # work as expected. When the mirroring is enabled, if a legacy CRD is created with legacy API + # groups, mirroring-controller will create a new CRD with the Spec and Labels from the legacy + # CRD. Afterwards, the modification of Spec and Label in legacy CRD will be synchronized to new + # CRD automatically. In addition, the modification of Status in new CRD will also be synchronized + # to legacy CRD automatically. If a legacy CRD is deleted, the corresponding new CRD will be deleted. + # Note that: to decouple a new CRD from the corresponding legacy CRD, the legacy CRD should be + # annotated with "crd.antrea.io/stop-mirror". Afterwards, updates to the legacy CRDs will no + # longer be reflected in the new CRD, and all CRUD operations should be done through the new + # API groups. After adding the annotation, legacy CRDs can be deleted safely without impacting + # new CRDs. 
+ #legacyCRDMirroring: true + + nodeIPAM: + # Enable the integrated Node IPAM controller within the Antrea controller. + # enableNodeIPAM: false + + # CIDR Ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. + # The CIDRs could be either IPv4 or IPv6. Value ignored when enableNodeIPAM is false. + # clusterCIDRs: [] + + # CIDR Ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. + # Value ignored when enableNodeIPAM is false. + # serviceCIDR: + # serviceCIDRv6: + + # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. + # nodeCIDRMaskSizeIPv4: 24 + + # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. + # nodeCIDRMaskSizeIPv6: 64 +kind: ConfigMap +metadata: + annotations: {} + labels: + app: antrea + name: antrea-config-ckdtm6hc68 + namespace: kube-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: antrea + name: antrea + namespace: kube-system +spec: + ports: + - port: 443 + protocol: TCP + targetPort: api + selector: + app: antrea + component: antrea-controller +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: antrea + component: antrea-controller + name: antrea-controller + namespace: kube-system +spec: + replicas: 1 + selector: + matchLabels: + app: antrea + component: antrea-controller + strategy: + type: Recreate + template: + metadata: + labels: + app: antrea + component: antrea-controller + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-controller.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-controller + env: + - name: POD_NAME + valueFrom: + 
fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: SERVICEACCOUNT_NAME + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ANTREA_CONFIG_MAP_NAME + value: antrea-config-ckdtm6hc68 + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.4.0 + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /livez + port: api + scheme: HTTPS + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-controller + ports: + - containerPort: 10349 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + volumeMounts: + - mountPath: /etc/antrea/antrea-controller.conf + name: antrea-config + readOnly: true + subPath: antrea-controller.conf + - mountPath: /var/run/antrea/antrea-controller-tls + name: antrea-controller-tls + - mountPath: /var/log/antrea + name: host-var-log-antrea + hostNetwork: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + serviceAccountName: antrea-controller + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + volumes: + - configMap: + name: antrea-config-ckdtm6hc68 + name: antrea-config + - name: antrea-controller-tls + secret: + defaultMode: 256 + optional: true + secretName: antrea-controller-tls + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.io +spec: + group: stats.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- 
+apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.tanzu.vmware.com +spec: + group: stats.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.system.antrea.io +spec: + group: system.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.system.antrea.tanzu.vmware.com +spec: + group: system.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.io +spec: + group: controlplane.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app: antrea + component: antrea-agent + name: antrea-agent + namespace: kube-system +spec: + selector: + matchLabels: + app: antrea + component: antrea-agent + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: antrea-agent + labels: + app: antrea + component: antrea-agent + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-agent.conf + - --logtostderr=false + - 
--log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-agent + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.4.0 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - container_liveness_probe agent + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-agent + ports: + - containerPort: 10350 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 8 + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + securityContext: + privileged: true + volumeMounts: + - mountPath: /etc/antrea/antrea-agent.conf + name: antrea-config + readOnly: true + subPath: antrea-agent.conf + - mountPath: /var/run/antrea + name: host-var-run-antrea + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/lib/cni + name: host-var-run-antrea + subPath: cni + - mountPath: /var/log/antrea + name: host-var-log-antrea + - mountPath: /host/proc + name: host-proc + readOnly: true + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: host-var-run-netns + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + - args: + - --log_file_max_size=100 + - --log_file_max_num=4 + command: + - start_ovs + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.4.0 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - timeout 10 container_liveness_probe ovs + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 10 + name: antrea-ovs + resources: + requests: + cpu: 200m + securityContext: 
+ capabilities: + add: + - SYS_NICE + - NET_ADMIN + - SYS_ADMIN + - IPC_LOCK + volumeMounts: + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/log/openvswitch + name: host-var-log-antrea + subPath: openvswitch + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + initContainers: + - command: + - install_cni + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.4.0 + name: install-cni + resources: + requests: + cpu: 100m + securityContext: + capabilities: + add: + - SYS_MODULE + volumeMounts: + - mountPath: /etc/antrea/antrea-cni.conflist + name: antrea-config + readOnly: true + subPath: antrea-cni.conflist + - mountPath: /host/etc/cni/net.d + name: host-cni-conf + - mountPath: /host/opt/cni/bin + name: host-cni-bin + - mountPath: /lib/modules + name: host-lib-modules + readOnly: true + - mountPath: /var/run/antrea + name: host-var-run-antrea + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-node-critical + serviceAccountName: antrea-agent + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + volumes: + - configMap: + name: antrea-config-ckdtm6hc68 + name: antrea-config + - hostPath: + path: /etc/cni/net.d + name: host-cni-conf + - hostPath: + path: /opt/cni/bin + name: host-cni-bin + - hostPath: + path: /proc + name: host-proc + - hostPath: + path: /var/run/netns + name: host-var-run-netns + - hostPath: + path: /var/run/antrea + type: DirectoryOrCreate + name: host-var-run-antrea + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea + - hostPath: + path: /lib/modules + name: host-lib-modules + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + updateStrategy: + type: RollingUpdate +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: 
crdmutator.antrea.io +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.io +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: 
kube-system + path: /validate/tier + name: tiervalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/anp + name: anpvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/clustergroup + name: clustergroupvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha3 + - v1alpha2 + operations: + - CREATE + - UPDATE + resources: + - clustergroups + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/externalippool + name: externalippoolvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha2 + operations: + - UPDATE + resources: + - externalippools + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/egress + name: egressvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + 
- v1alpha2 + operations: + - CREATE + - UPDATE + resources: + - egresses + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/ippool + name: ippoolvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha2 + operations: + - UPDATE + - DELETE + resources: + - ippools + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: tiervalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/anp + name: anpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: 
/validate/clustergroup
+ name: clustergroupvalidator.antrea.tanzu.vmware.com
+ rules:
+ - apiGroups:
+ - core.antrea.tanzu.vmware.com
+ apiVersions:
+ - v1alpha2
+ operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ resources:
+ - clustergroups
+ scope: Cluster
+ sideEffects: None
+ timeoutSeconds: 5
diff --git a/addons/antrea/categories.json b/addons/antrea/categories.json
new file mode 100644
index 0000000000..9a3b0d0cb0
--- /dev/null
+++ b/addons/antrea/categories.json
@@ -0,0 +1,6 @@
+{
+ "name": "antrea",
+ "fulfills": ["CNI Plugin"],
+ "requires": ["Container Runtime"],
+ "recommends": []
+}
diff --git a/addons/antrea/template/base/Manifest b/addons/antrea/template/base/Manifest
new file mode 100644
index 0000000000..1144788086
--- /dev/null
+++ b/addons/antrea/template/base/Manifest
@@ -0,0 +1,3 @@
+image antrea-ubuntu projects.registry.vmware.com/antrea/antrea-ubuntu:v__ANTREA_VERSION__
+
+asset antctl https://github.com/vmware-tanzu/antrea/releases/download/v__ANTREA_VERSION__/antctl-Linux-x86_64
diff --git a/addons/antrea/template/base/install.sh b/addons/antrea/template/base/install.sh
new file mode 100644
index 0000000000..51fc3d64e8
--- /dev/null
+++ b/addons/antrea/template/base/install.sh
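Review bot: The `asset antctl https://github.com/vmware-tanzu/antrea/releases/download/v__ANTREA_VERSION__/antctl-Linux-x86_64` line in the Manifest pins the download only by version, with no checksum or signature recorded next to it, and the `image` line references a mutable tag rather than a digest. Whatever the release URL serves at packaging time is what gets bundled and later installed as a cluster CLI, so a replaced or tampered release artifact would pass through unnoticed. If the Manifest format supports a digest field it should be used on both lines; otherwise record the expected sha256 of the antctl binary (placeholder `<antctl-sha256>`) alongside the asset and have the install step verify it before the binary is copied into PATH. The install.sh hunk that consumes this asset begins on this line but runs past the end of this chunk, so I could not confirm whether any verification happens there.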
@@ -0,0 +1,113 @@ +# shellcheck disable=SC2148 + +function antrea_pre_init() { + local src="$DIR/addons/antrea/$ANTREA_VERSION" + + POD_CIDR="$ANTREA_POD_CIDR" + POD_CIDR_RANGE="$ANTREA_POD_CIDR_RANGE" + + cp "$src/kubeadm.yaml" "$DIR/kustomize/kubeadm/init-patches/antrea.yaml" + + if commandExists kubectl; then + EXISTING_POD_CIDR=$(kubectl -n kube-system get cm kubeadm-config -oyaml 2>/dev/null | grep podSubnet | awk '{ print $NF }') + fi + + # Encryption uses wireGuard, which does not require the 3rd + # ipsec container in the antrea-agent daemonset. + if [ ! "$ANTREA_DISABLE_ENCRYPTION" = "1" ] && ! modprobe wireguard; then + bail "Antrea with inter-node encryption enabled requires the wireguard kernel module be available. https://www.wireguard.com/install/" + fi +} + +function antrea() { + local src="$DIR/addons/antrea/$ANTREA_VERSION" + local dst="$DIR/kustomize/antrea" + + if antrea_weave_conflict; then + printf "${YELLOW}Cannot migrate from weave to antrea${NC}\n" + return 0 + fi + + if ! 
lsmod | grep ip_tables; then + modprobe ip_tables + echo 'ip_tables' > /etc/modules-load.d/kurl-antrea.conf + fi + if [ "$IPV6_ONLY" = "1" ]; then + modprobe ip6_tables + echo 'ip6_tables' > /etc/modules-load.d/kurl-antrea.conf + fi + + + cp "$src/kustomization.yaml" "$dst/" + + if [ "$ANTREA_DISABLE_ENCRYPTION" = "1" ]; then + cp "$src/plaintext.yaml" "$dst/" + insert_resources "$dst/kustomization.yaml" plaintext.yaml + if [ "$IPV6_ONLY" = "1" ]; then + sed -i "/#serviceCIDRv6:.*/a\ serviceCIDRv6: $SERVICE_CIDR" "$dst/plaintext.yaml" + fi + else + + if [ "$IPV6_ONLY" = "1" ]; then + cp "$src/plaintext.yaml" "$dst/" + insert_resources "$dst/kustomization.yaml" plaintext.yaml + sed -i "/#serviceCIDRv6:.*/a\ serviceCIDRv6: $SERVICE_CIDR" "$dst/plaintext.yaml" + sed -i "/#trafficEncryptionMode:.*/a\ trafficEncryptionMode: wireGuard" "$dst/plaintext.yaml" + else + cp "$src/ipsec.yaml" "$dst/" + insert_resources "$dst/kustomization.yaml" ipsec.yaml + + ANTREA_IPSEC_PSK=$(kubernetes_secret_value kube-system antrea-ipsec psk) + if [ -z "$ANTREA_IPSEC_PSK" ]; then + ANTREA_IPSEC_PSK=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c9) + fi + render_yaml_file "$src/ipsec-psk.yaml" > "$dst/ipsec-psk.yaml" + insert_patches_strategic_merge "$dst/kustomization.yaml" ipsec-psk.yaml + fi + fi + + kubectl apply -k $dst + + antrea_cli + + check_network +} + +function antrea_join() { + if ! lsmod | grep ip_tables; then + modprobe ip_tables + echo 'ip_tables' > /etc/modules-load.d/kurl-antrea.conf + fi + if [ "$IPV6_ONLY" = "1" ]; then + modprobe ip6_tables + echo 'ip6_tables' > /etc/modules-load.d/kurl-antrea.conf + fi + + if kubernetes_is_master; then + antrea_cli + fi +} + +function antrea_cli() { + local src="$DIR/addons/antrea/$ANTREA_VERSION" + + # github.com has no AAAA records as of 12/6/21 + if [ ! 
-f "$src/assets/antctl" ] && [ "$AIRGAP" != "1" ]; then + if [ "$IPV6_ONLY" = "1" ]; then + return 0 + fi + mkdir -p "$src/assets" + curl -L --fail "https://github.com/vmware-tanzu/antrea/releases/download/v${ANTREA_VERSION}/antctl-Linux-x86_64" > "$src/assets/antctl" + fi + + chmod +x "$src/assets/antctl" + # put it in the same directory as kubectl since that's always on the path + cp "$src/assets/antctl" "$(dirname $(which kubectl))/" +} + +function antrea_weave_conflict() { + if [ -f /etc/cni/net.d/10-weave.conflist ]; then + return 0 + fi + return 1 +} diff --git a/addons/antrea/template/base/ipsec-psk.yaml b/addons/antrea/template/base/ipsec-psk.yaml new file mode 100644 index 0000000000..8f73207965 --- /dev/null +++ b/addons/antrea/template/base/ipsec-psk.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: antrea-ipsec + namespace: kube-system +stringData: + psk: $ANTREA_IPSEC_PSK diff --git a/addons/antrea/template/base/kubeadm.yaml b/addons/antrea/template/base/kubeadm.yaml new file mode 100644 index 0000000000..5fa4ffb370 --- /dev/null +++ b/addons/antrea/template/base/kubeadm.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kubeadm.k8s.io/v1beta2 +kind: ClusterConfiguration +metadata: + name: kubeadm-cluster-configuration +networking: + podSubnet: $POD_CIDR diff --git a/addons/antrea/template/base/kustomization.yaml b/addons/antrea/template/base/kustomization.yaml new file mode 100644 index 0000000000..2949157786 --- /dev/null +++ b/addons/antrea/template/base/kustomization.yaml @@ -0,0 +1 @@ +resources: diff --git a/addons/antrea/template/generate.sh b/addons/antrea/template/generate.sh new file mode 100755 index 0000000000..43800b5a0e --- /dev/null +++ b/addons/antrea/template/generate.sh 
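Review bot: The fallback IPsec pre-shared key generated in `antrea()` is only nine alphanumeric characters (`tr -dc A-Za-z0-9 | head -c9`, roughly 53 bits of entropy), which is weak for a key that protects all inter-node pod traffic and persists in the `antrea-ipsec` Secret across upgrades; lengthen it, e.g. `ANTREA_IPSEC_PSK=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c32)`, which still fits the `stringData` template unchanged. Separately, in both `antrea()` and `antrea_join()` the `IPV6_ONLY` branch writes `/etc/modules-load.d/kurl-antrea.conf` with `>` and therefore discards the `ip_tables` entry the preceding branch may have just written — use `>>`, or write both module names in one step. Finally, `antrea_cli` fetches `antctl` with `curl -L --fail` and no checksum, then `chmod +x`'s it and copies it into the kubectl directory, so a tampered or truncated download ends up on the system PATH; verify a pinned digest (e.g. `sha256sum -c`) before the `chmod`, and note the header comment in `antrea_pre_init` says encryption uses WireGuard while this branch actually installs `ipsec.yaml` with a PSK, which is worth reconciling.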
@@ -0,0 +1,48 @@ +#!/bin/bash + +set -euo pipefail + +VERSION= +function get_latest_version() { + # semver sort + VERSION=$(curl -s https://api.github.com/repos/antrea-io/antrea/releases | \ + grep '"tag_name": ' | \ + grep -Eo "[0-9]+\.[0-9]+\.[0-9]+" | \ + sed '/-/!{s/$/_/}' | sort -Vr | sed 's/_$//' | \ + head -1) +} + +function add_as_latest() { + sed -i "/cron-antrea-update/a\ \"${VERSION}\"\," ../../../web/src/installers/versions.js +} + +function generate() { + local dir="../${VERSION}" + if [ -d "$dir" ]; then + echo "Antrea ${VERSION} add-on already exists" + fi + mkdir -p "$dir" + + cp -r base/* "$dir/" + sed -i "s/__ANTREA_VERSION__/$VERSION/g" "../$VERSION/Manifest" + + curl -L --fail https://github.com/vmware-tanzu/antrea/releases/download/v${VERSION}/antrea.yml > "$dir/plaintext.yaml" + curl -L --fail https://github.com/vmware-tanzu/antrea/releases/download/v${VERSION}/antrea-ipsec.yml > "$dir/ipsec.yaml" +} + +function main() { + get_latest_version + + if [ -d "../$VERSION" ]; then + echo "Antrea ${VERSION} add-on already exists" + exit 0 + fi + + generate + + add_as_latest + + echo "antrea_version=$VERSION" >> "$GITHUB_OUTPUT" +} + +main "$@" diff --git a/addons/antrea/template/testgrid/tests.yaml b/addons/antrea/template/testgrid/tests.yaml new file mode 100644 index 0000000000..2d3fdee20d --- /dev/null +++ b/addons/antrea/template/testgrid/tests.yaml 
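Review bot: `get_latest_version` runs `curl -s` without `--fail` and never checks that anything was extracted, so a rate-limited or failed GitHub API response leaves `VERSION` empty; `main` then evaluates `[ -d "../$VERSION" ]` against `../`, prints "Antrea  add-on already exists" and exits 0, turning a broken run into a silent no-op. Use `curl -sSf` and add a guard right after the call, `[ -n "$VERSION" ] || { echo "could not determine latest antrea version" >&2; exit 1; }`. The `antrea.yml` and `antrea-ipsec.yml` manifests are likewise pulled from GitHub release assets with no checksum or signature verification and then committed into the repository as `plaintext.yaml`/`ipsec.yaml`, so any tampering with that release lands directly in the add-on; consider recording and verifying a digest per version. The `if [ -d "$dir" ]` in `generate` only echoes and then proceeds to overwrite, which is harmless only because `main` already performs the same check and exits, but it reads like a missing `return 0`.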
@@ -0,0 +1,66 @@ +- name: rook and kotsadm + installerSpec: + kubernetes: + version: "latest" + rook: + version: "latest" + containerd: + version: "latest" + kotsadm: + version: "latest" + antrea: + version: "__testver__" + s3Override: "__testdist__" + +- name: openebs and kotsadm airgap + airgap: true + installerSpec: + kubernetes: + version: "latest" + openebs: + version: "3.2.x" + isLocalPVEnabled: true + localPVStorageClassName: default + minio: + version: "latest" + containerd: + version: "latest" + kotsadm: + version: "latest" + antrea: + version: "__testver__" + s3Override: "__testdist__" + preInstallScript: | + source /opt/kurl-testgrid/testhelpers.sh + rhel_9_install_host_packages lvm2 conntrack-tools socat container-selinux git + +- name: openebs and kotsadm upgrade + installerSpec: + kubernetes: + version: "latest" + openebs: + version: "3.2.x" + isLocalPVEnabled: true + localPVStorageClassName: default + containerd: + version: "latest" + minio: + version: "2020-01-25T02-50-51Z" + antrea: + version: "latest" + upgradeSpec: + kubernetes: + version: "latest" + openebs: + version: "3.2.x" + isLocalPVEnabled: true + localPVStorageClassName: default + containerd: + version: "latest" + minio: + version: "latest" + kotsadm: + version: "latest" + antrea: + version: "__testver__" + s3Override: "__testdist__" diff --git a/addons/aws/0.0.1/Manifest b/addons/aws/0.0.1/Manifest new file mode 100644 index 0000000000..e69de29bb2 diff --git a/addons/aws/0.0.1/install.sh b/addons/aws/0.0.1/install.sh new file mode 100644 index 0000000000..65948ce004 --- /dev/null +++ b/addons/aws/0.0.1/install.sh 
@@ -0,0 +1,22 @@ + +function aws() { + cp "$DIR/addons/aws/0.0.1/kustomization.yaml" "$DIR/kustomize/aws/kustomization.yaml" + cp "$DIR/addons/aws/0.0.1/storageclass.yaml" "$DIR/kustomize/aws/storageclass.yaml" + + kubectl apply -k "$DIR/kustomize/aws/" +} + +function aws_pre_init() { + set_node_name + cp "$DIR/addons/aws/0.0.1/kubeadm-cluster-config-v1beta2.yml" "$DIR/kustomize/kubeadm/init-patches/aws-kubeadm-cluster-config-v1beta2.yml" + cp "$DIR/addons/aws/0.0.1/kubeadm-init-config-v1beta2.yml" "$DIR/kustomize/kubeadm/init-patches/aws-kubeadm-init-config-v1beta2.yml" +} + +function aws_join() { + set_node_name + cp "$DIR/addons/aws/0.0.1/kubeadm-join-config-v1beta2.yaml" "$DIR/kustomize/kubeadm/join-patches/aws-kubeadm-join-config-v1beta2.yaml" +} + +function set_node_name() { + NODE_NAME="$(hostname -f)" +} diff --git a/addons/aws/0.0.1/kubeadm-cluster-config-v1beta2.yml b/addons/aws/0.0.1/kubeadm-cluster-config-v1beta2.yml new file mode 100644 index 0000000000..81455cd11f --- /dev/null +++ b/addons/aws/0.0.1/kubeadm-cluster-config-v1beta2.yml @@ -0,0 +1,17 @@ +--- +apiVersion: kubeadm.k8s.io/v1beta2 +kind: ClusterConfiguration +metadata: + name: kubeadm-cluster-configuration +networking: + podSubnet: $POD_CIDR + serviceSubnet: $SERVICE_CIDR +apiServer: + extraArgs: + cloud-provider: aws + enable-admission-plugins: DefaultStorageClass +controllerManager: + extraArgs: + cloud-provider: aws + configure-cloud-routes: '"true"' + address: 0.0.0.0 diff --git a/addons/aws/0.0.1/kubeadm-init-config-v1beta2.yml b/addons/aws/0.0.1/kubeadm-init-config-v1beta2.yml new file mode 100644 index 0000000000..e2348fc637 --- /dev/null +++ b/addons/aws/0.0.1/kubeadm-init-config-v1beta2.yml @@ -0,0 +1,10 @@ +--- +apiVersion: kubeadm.k8s.io/v1beta2 +kind: InitConfiguration +metadata: + name: kubeadm-init-configuration +nodeRegistration: + name: $NODE_NAME + kubeletExtraArgs: + node-ip: $PRIVATE_ADDRESS + cloud-provider: aws 
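Review bot: In the 0.0.1 cluster configuration, `controllerManager.extraArgs.address: 0.0.0.0` binds the controller manager's legacy unauthenticated HTTP listener (`--address`) on every interface instead of loopback, exposing its metrics and debug endpoints to anything that can reach the node; hardening guidance for that flag expects `127.0.0.1`, and the `0.1.0` template restored later in this same revert omits the line entirely. Since `0.0.1` does not appear in the `versions.js` list added by this commit it may be dead configuration, but if it remains installable anywhere drop the `address` line or set it to `127.0.0.1`. The doubly quoted `configure-cloud-routes: '"true"'` also looks suspicious — I can't tell from this diff whether the rendering pipeline strips the inner quotes before the value reaches kubeadm, so it is worth confirming.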
diff --git a/addons/aws/0.0.1/kubeadm-join-config-v1beta2.yaml b/addons/aws/0.0.1/kubeadm-join-config-v1beta2.yaml new file mode 100644 index 0000000000..5f6cd9aecb --- /dev/null +++ b/addons/aws/0.0.1/kubeadm-join-config-v1beta2.yaml @@ -0,0 +1,10 @@ +--- +kind: JoinConfiguration +apiVersion: kubeadm.k8s.io/v1beta2 +metadata: + name: kubeadm-join-configuration +nodeRegistration: + name: $NODE_NAME + kubeletExtraArgs: + node-ip: $PRIVATE_ADDRESS + cloud-provider: aws diff --git a/addons/aws/0.0.1/kustomization.yaml b/addons/aws/0.0.1/kustomization.yaml new file mode 100644 index 0000000000..12691c83ec --- /dev/null +++ b/addons/aws/0.0.1/kustomization.yaml @@ -0,0 +1,2 @@ +resources: +- storageclass.yaml diff --git a/addons/aws/0.0.1/storageclass.yaml b/addons/aws/0.0.1/storageclass.yaml new file mode 100644 index 0000000000..b2045b6755 --- /dev/null +++ b/addons/aws/0.0.1/storageclass.yaml @@ -0,0 +1,9 @@ +kind: StorageClass +apiVersion: storage.k8s.io/v1 +metadata: + name: aws-ebs + annotations: + storageclass.kubernetes.io/is-default-class: "true" +provisioner: kubernetes.io/aws-ebs +volumeBindingMode: Immediate +reclaimPolicy: Retain diff --git a/addons/aws/0.1.0/Manifest b/addons/aws/0.1.0/Manifest new file mode 100644 index 0000000000..e69de29bb2 diff --git a/addons/aws/0.1.0/install.sh b/addons/aws/0.1.0/install.sh new file mode 100644 index 0000000000..f830d6b054 --- /dev/null +++ b/addons/aws/0.1.0/install.sh 
@@ -0,0 +1,41 @@ + +function aws() { + + local dst="$DIR/kustomize/aws" + cp "$DIR/addons/aws/0.1.0/kustomization.yaml" "$DIR/kustomize/aws/kustomization.yaml" + cp "$DIR/addons/aws/0.1.0/storageclass.yaml" "$DIR/kustomize/aws/storageclass.yaml" + + if [ "$AWS_EXCLUDE_STORAGE_CLASS" != "1" ]; then + insert_resources "$dst/kustomization.yaml" storageclass.yaml + fi + + if [ -s "$DIR/kustomize/aws/kustomization.yaml" ]; then + kubectl apply -k "$DIR/kustomize/aws/" + else + echo "Nothing to apply" + fi + +} + +function aws_pre_init() { + verify_node_name + cp "$DIR/addons/aws/0.1.0/kubeadm-cluster-config-v1beta2.yml" "$DIR/kustomize/kubeadm/init-patches/aws-kubeadm-cluster-config-v1beta2.yml" + cp "$DIR/addons/aws/0.1.0/kubeadm-init-config-v1beta2.yml" "$DIR/kustomize/kubeadm/init-patches/aws-kubeadm-init-config-v1beta2.yml" +} + +function aws_join() { + verify_node_name + cp "$DIR/addons/aws/0.1.0/kubeadm-join-config-v1beta2.yaml" "$DIR/kustomize/kubeadm/join-patches/aws-kubeadm-join-config-v1beta2.yaml" +} + +function verify_node_name() { + if [ "$(hostname -f)" != "$(hostname)" ]; then + logFail "Its important that the name of the Node matches the private DNS entry for the instance in EC2." + logFail "You can use hostnamectl to set the instance hostname to the FQDN that matches the EC2 private DNS entry." + logFail "Hostname $(hostname) is different from fqdn $(hostname -f)" + printf "Continue? " + if ! confirmN ; then + bail "aws addon install is aborted." + fi + fi +} diff --git a/addons/aws/0.1.0/kubeadm-cluster-config-v1beta2.yml b/addons/aws/0.1.0/kubeadm-cluster-config-v1beta2.yml new file mode 100644 index 0000000000..e055632ccf --- /dev/null +++ b/addons/aws/0.1.0/kubeadm-cluster-config-v1beta2.yml 
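Review bot: `verify_node_name` tells the operator that the node name must match the instance's EC2 private DNS entry, but the only check performed is `[ "$(hostname -f)" != "$(hostname)" ]`, so a hostname that is consistent but unrelated to the EC2 private DNS name passes with no prompt at all. Either compare against the instance's actual private DNS name (for example from the instance metadata service) or reword the messages to say just what is checked — that the short and fully qualified hostnames differ; also fix `Its important` → `It's important`. Note the `confirmN`/`bail` path makes `aws_pre_init` and `aws_join` interactive, which callers outside this hunk need to expect.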
@@ -0,0 +1,12 @@ +--- +apiVersion: kubeadm.k8s.io/v1beta2 +kind: ClusterConfiguration +metadata: + name: kubeadm-cluster-configuration +apiServer: + extraArgs: + cloud-provider: aws + enable-admission-plugins: DefaultStorageClass +controllerManager: + extraArgs: + cloud-provider: aws diff --git a/addons/aws/0.1.0/kubeadm-init-config-v1beta2.yml b/addons/aws/0.1.0/kubeadm-init-config-v1beta2.yml new file mode 100644 index 0000000000..a43ccf73bb --- /dev/null +++ b/addons/aws/0.1.0/kubeadm-init-config-v1beta2.yml @@ -0,0 +1,8 @@ +--- +apiVersion: kubeadm.k8s.io/v1beta2 +kind: InitConfiguration +metadata: + name: kubeadm-init-configuration +nodeRegistration: + kubeletExtraArgs: + cloud-provider: aws diff --git a/addons/aws/0.1.0/kubeadm-join-config-v1beta2.yaml b/addons/aws/0.1.0/kubeadm-join-config-v1beta2.yaml new file mode 100644 index 0000000000..b7608f0f78 --- /dev/null +++ b/addons/aws/0.1.0/kubeadm-join-config-v1beta2.yaml @@ -0,0 +1,8 @@ +--- +kind: JoinConfiguration +apiVersion: kubeadm.k8s.io/v1beta2 +metadata: + name: kubeadm-join-configuration +nodeRegistration: + kubeletExtraArgs: + cloud-provider: aws diff --git a/addons/aws/0.1.0/kustomization.yaml b/addons/aws/0.1.0/kustomization.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/addons/aws/0.1.0/storageclass.yaml b/addons/aws/0.1.0/storageclass.yaml new file mode 100644 index 0000000000..b2045b6755 --- /dev/null +++ b/addons/aws/0.1.0/storageclass.yaml @@ -0,0 +1,9 @@ +kind: StorageClass +apiVersion: storage.k8s.io/v1 +metadata: + name: aws-ebs + annotations: + storageclass.kubernetes.io/is-default-class: "true" +provisioner: kubernetes.io/aws-ebs +volumeBindingMode: Immediate +reclaimPolicy: Retain diff --git a/addons/aws/categories.json b/addons/aws/categories.json new file mode 100644 index 0000000000..7822eb4f7f --- /dev/null +++ b/addons/aws/categories.json 
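Review bot: `cloud-provider: aws` on the API server and controller manager here (and on the kubelet in the adjacent init/join hunks) selects the legacy in-tree AWS cloud provider, which upstream Kubernetes has deprecated and, as far as I know, removed from recent releases in favor of the external cloud-controller-manager. This revert restores the file as it was, so the behavior is not new, but nothing in this diff states which Kubernetes versions the `aws` add-on is validated against; a comment such as `# in-tree AWS provider: requires a Kubernetes release that still ships it` above `apiServer` would save the next reader a surprise. `enable-admission-plugins: DefaultStorageClass` is harmless but redundant, as that plugin is on by default.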
@@ -0,0 +1,7 @@ +{ + "name": "aws", + "fulfills": ["Cloud Provider"], + "requires": [], + "recommends": [] + } + \ No newline at end of file diff --git a/web/src/installers/versions.js b/web/src/installers/versions.js index 5ec21d838f..dd6c232a87 100644 --- a/web/src/installers/versions.js +++ b/web/src/installers/versions.js @@ -164,6 +164,16 @@ module.exports.InstallerVersions = { "2.8.1", "2.7.0", ], + antrea: [ + // cron-antrea-update + "1.4.0", + "1.2.1", + "1.2.0", + "1.1.0", + "1.0.1", + "1.0.0", + "0.13.1", + ], flannel: [ // cron-flannel-update "0.22.2", @@ -589,4 +599,7 @@ module.exports.InstallerVersions = { "3.2.0-4.2.1", "3.2.0-4.1.1", ], + aws: [ + "0.1.0", + ], };