From 2288dd2f6ba2ef2789b7b914c0acc06952fc8621 Mon Sep 17 00:00:00 2001
From: minikube-bot
Date: Tue, 24 May 2022 23:34:18 +0000
Subject: [PATCH 1/3] fix NetCatPod test

---
 test/integration/net_test.go | 2 +-
 test/integration/testdata/romana.yaml | 402 ++++++++++++++++++++++++
 test/integration/testdata/weavenet.yaml | 255 ---------------
 3 files changed, 403 insertions(+), 256 deletions(-)
 create mode 100644 test/integration/testdata/romana.yaml
 delete mode 100644 test/integration/testdata/weavenet.yaml

diff --git a/test/integration/net_test.go b/test/integration/net_test.go
index 834c5e9097..12b14267dc 100644
--- a/test/integration/net_test.go
+++ b/test/integration/net_test.go
@@ -61,7 +61,7 @@ func TestNetworkPlugins(t *testing.T) {
 {"flannel", []string{"--cni=flannel"}, "cni", "app=flannel", true},
 {"kindnet", []string{"--cni=kindnet"}, "cni", "app=kindnet", true},
 {"false", []string{"--cni=false"}, "", "", false},
- {"custom-weave", []string{fmt.Sprintf("--cni=%s", filepath.Join(*testdataDir, "weavenet.yaml"))}, "cni", "", true},
+ {"custom-romana", []string{fmt.Sprintf("--cni=%s", filepath.Join(*testdataDir, "romana.yaml"))}, "cni", "", true},
 {"calico", []string{"--cni=calico"}, "cni", "k8s-app=calico-node", true},
 {"cilium", []string{"--cni=cilium"}, "cni", "k8s-app=cilium", true},
 }
diff --git a/test/integration/testdata/romana.yaml b/test/integration/testdata/romana.yaml
new file mode 100644
index 0000000000..f28c54a00f
--- /dev/null
+++ b/test/integration/testdata/romana.yaml
@@ -0,0 +1,402 @@ +apiVersion: v1 +items: +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + creationTimestamp: null + name: romana-listener + rules: + - apiGroups: + - '*' + resources: + - pods + - namespaces + - nodes + - endpoints + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - networkpolicies + verbs: + - get + - list + - watch + - apiGroups: + - '*' + resources: + - services + verbs: + - update + - list + - watch +- apiVersion: v1 + kind: ServiceAccount + metadata: + creationTimestamp: null + name: romana-listener + namespace: kube-system +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + name: romana-listener + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: romana-listener + subjects: + - kind: ServiceAccount + name: romana-listener + namespace: kube-system +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + creationTimestamp: null + name: romana-agent + rules: + - apiGroups: + - '*' + resources: + - pods + - nodes + verbs: + - get +- apiVersion: v1 + kind: ServiceAccount + metadata: + creationTimestamp: null + name: romana-agent + namespace: kube-system +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + name: romana-agent + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: romana-agent + subjects: + - kind: ServiceAccount + name: romana-agent + namespace: kube-system +- apiVersion: v1 + kind: Service + metadata: + creationTimestamp: null + name: romana-etcd + namespace: kube-system + spec: + clusterIP: 10.96.0.88 + internalTrafficPolicy: Cluster + ports: + - name: etcd + port: 12379 + protocol: TCP + targetPort: 12379 + selector: + romana-app: etcd + sessionAffinity: None + type: ClusterIP + status: + loadBalancer: {} +- apiVersion: apps/v1 + kind: Deployment + metadata: + creationTimestamp: null + 
labels: + romana-app: etcd + name: romana-etcd + namespace: kube-system + spec: + progressDeadlineSeconds: 2147483647 + replicas: 1 + revisionHistoryLimit: 2147483647 + selector: + matchLabels: + romana-app: etcd + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + romana-app: etcd + spec: + containers: + - command: + - etcd + - --listen-client-urls=http://0.0.0.0:12379 + - --listen-peer-urls=http://127.0.0.1:12380 + - --advertise-client-urls=http://10.96.0.88:12379 + - --data-dir=/var/etcd/data + image: gcr.io/google_containers/etcd-amd64:3.0.17 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + host: 127.0.0.1 + path: /health + port: 12379 + scheme: HTTP + initialDelaySeconds: 15 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 15 + name: romana-etcd + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /var/etcd/data + name: etcd-data + dnsPolicy: ClusterFirst + hostNetwork: true + nodeSelector: + node-role.kubernetes.io/master: "" + restartPolicy: Always + schedulerName: default-scheduler + securityContext: + seLinuxOptions: + type: spc_t + terminationGracePeriodSeconds: 30 + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + - effect: NoSchedule + key: node.kubernetes.io/not-ready + volumes: + - hostPath: + path: /var/lib/romana/etcd-db + type: "" + name: etcd-data + status: {} +- apiVersion: v1 + kind: Service + metadata: + creationTimestamp: null + name: romana + namespace: kube-system + spec: + clusterIP: 10.96.0.99 + internalTrafficPolicy: Cluster + ports: + - name: daemon + port: 9600 + protocol: TCP + targetPort: 9600 + selector: + romana-app: daemon + sessionAffinity: None + type: ClusterIP + status: + loadBalancer: {} +- apiVersion: apps/v1 + kind: Deployment + metadata: + creationTimestamp: null + labels: + romana-app: 
daemon + name: romana-daemon + namespace: kube-system + spec: + progressDeadlineSeconds: 2147483647 + replicas: 1 + revisionHistoryLimit: 2147483647 + selector: + matchLabels: + romana-app: daemon + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + romana-app: daemon + spec: + containers: + - image: quay.io/romana/daemon:v2.0.2 + imagePullPolicy: Always + name: romana-daemon + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + dnsPolicy: ClusterFirst + hostNetwork: true + nodeSelector: + node-role.kubernetes.io/master: "" + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + terminationGracePeriodSeconds: 30 + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + - effect: NoSchedule + key: node.kubernetes.io/not-ready + status: {} +- apiVersion: apps/v1 + kind: Deployment + metadata: + creationTimestamp: null + labels: + romana-app: listener + name: romana-listener + namespace: kube-system + spec: + progressDeadlineSeconds: 2147483647 + replicas: 1 + revisionHistoryLimit: 2147483647 + selector: + matchLabels: + romana-app: listener + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + romana-app: listener + spec: + containers: + - image: quay.io/romana/listener:v2.0.2 + imagePullPolicy: Always + name: romana-listener + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + dnsPolicy: ClusterFirst + hostNetwork: true + nodeSelector: + node-role.kubernetes.io/master: "" + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: romana-listener + serviceAccountName: romana-listener + terminationGracePeriodSeconds: 30 + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + - effect: 
NoSchedule + key: node.kubernetes.io/not-ready + status: {} +- apiVersion: apps/v1 + kind: DaemonSet + metadata: + annotations: + deprecated.daemonset.template.generation: "0" + creationTimestamp: null + labels: + romana-app: agent + name: romana-agent + namespace: kube-system + spec: + revisionHistoryLimit: 10 + selector: + matchLabels: + romana-app: agent + template: + metadata: + creationTimestamp: null + labels: + romana-app: agent + spec: + containers: + - env: + - name: NODENAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: NODEIP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + image: quay.io/romana/agent:v2.0.2 + imagePullPolicy: Always + name: romana-agent + resources: {} + securityContext: + privileged: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /host/usr/local/bin + name: host-usr-local-bin + - mountPath: /host/etc/romana + name: host-etc-romana + - mountPath: /host/opt/cni/bin + name: host-cni-bin + - mountPath: /host/etc/cni/net.d + name: host-cni-net-d + - mountPath: /var/run/romana + name: run-path + - mountPath: /host/etc/rlog + name: host-etc-rlog + dnsPolicy: ClusterFirst + hostNetwork: true + restartPolicy: Always + schedulerName: default-scheduler + securityContext: + seLinuxOptions: + type: spc_t + serviceAccount: romana-agent + serviceAccountName: romana-agent + terminationGracePeriodSeconds: 30 + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + - effect: NoSchedule + key: node.kubernetes.io/not-ready + volumes: + - hostPath: + path: /usr/local/bin + type: "" + name: host-usr-local-bin + - hostPath: + path: /etc/romana + type: "" + name: host-etc-romana + - hostPath: + path: /opt/cni/bin + type: "" + name: host-cni-bin + - hostPath: + path: /etc/cni/net.d + type: "" + name: host-cni-net-d + - hostPath: + path: /var/run/romana + type: "" + name: run-path + - hostPath: + path: /etc/rlog + 
type: "" + name: host-etc-rlog + updateStrategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: RollingUpdate + status: + currentNumberScheduled: 0 + desiredNumberScheduled: 0 + numberMisscheduled: 0 + numberReady: 0 +kind: List +metadata: {}
diff --git a/test/integration/testdata/weavenet.yaml b/test/integration/testdata/weavenet.yaml
deleted file mode 100644
index 8918cf2a95..0000000000
--- a/test/integration/testdata/weavenet.yaml
+++ /dev/null
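Review bot: The `romana-etcd` Deployment added in this hunk runs etcd with `--listen-client-urls=http://0.0.0.0:12379` inside a `hostNetwork: true` pod and passes no TLS or client-auth flags, so the policy store is reachable in plaintext on every host interface of the control-plane node, not only through the 10.96.0.88 ClusterIP; if that is acceptable for a throwaway integration cluster the fixture should say so, e.g. `# NOTE: unauthenticated plaintext etcd bound to the node's host network - integration-test fixture only, do not reuse` above that Deployment. The ClusterRoles are also wider than the listed verbs need: `apiGroups: ['*']` on pods/nodes/namespaces/endpoints/services should be the core group `''`, and `networkpolicies` under the `extensions` group is a legacy API that clusters since 1.16 no longer serve for NetworkPolicy, so on a current cluster the listener cannot watch NetworkPolicy objects with this grant whichever group it asks for. The images are pinned by mutable tag with `imagePullPolicy: Always` (`quay.io/romana/*:v2.0.2`, and `gcr.io/google_containers/etcd-amd64:3.0.17` from a deprecated registry), so a digest pin would make the test reproducible and remove a supply-chain variable from CI. Since patch 2/3 of this series deletes romana.yaml again, the simplest fix is to squash so this manifest never lands in history.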
@@ -1,255 +0,0 @@ -apiVersion: v1 -kind: List -items: - - apiVersion: v1 - kind: ServiceAccount - metadata: - name: weave-net - annotations: - cloud.weave.works/launcher-info: |- - { - "original-request": { - "url": "/k8s/v1.16/net.yaml?k8s-version=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", - "date": "Tue Jun 23 2020 02:18:50 GMT+0000 (UTC)" - }, - "email-address": "support@weave.works" - } - labels: - name: weave-net - namespace: kube-system - - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - name: weave-net - annotations: - cloud.weave.works/launcher-info: |- - { - "original-request": { - "url": "/k8s/v1.16/net.yaml?k8s-version=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", - "date": "Tue Jun 23 2020 02:18:50 GMT+0000 (UTC)" - }, - "email-address": "support@weave.works" - } - labels: - name: weave-net - rules: - - apiGroups: - - '' - resources: - - pods - - namespaces - - nodes - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - nodes/status - verbs: - - patch - - update - - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - name: weave-net - annotations: - cloud.weave.works/launcher-info: |- - { - "original-request": { - "url": "/k8s/v1.16/net.yaml?k8s-version=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", - "date": "Tue Jun 23 2020 02:18:50 GMT+0000 (UTC)" - }, - "email-address": "support@weave.works" - } - labels: - name: weave-net - roleRef: - kind: ClusterRole - name: weave-net - apiGroup: rbac.authorization.k8s.io - subjects: - - kind: ServiceAccount - name: weave-net - namespace: kube-system - - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - name: weave-net - annotations: - cloud.weave.works/launcher-info: |- - { - "original-request": { - "url": 
"/k8s/v1.16/net.yaml?k8s-version=Q2xpZW50IFZlcnNpb246IHZlcnNpb24uSW5mb3tNYWpvcjoiMSIsIE1pbm9yOiIxOCIsIEdpdFZlcnNpb246InYxLjE4LjAiLCBHaXRDb21taXQ6IjllOTkxNDE1Mzg2ZTRjZjE1NWEyNGIxZGExNWJlY2FhMzkwNDM4ZDgiLCBHaXRUcmVlU3RhdGU6ImNsZWFuIiwgQnVpbGREYXRlOiIyMDIwLTAzLTI2VDA2OjE2OjE1WiIsIEdvVmVyc2lvbjoiZ28xLjE0IiwgQ29tcGlsZXI6ImdjIiwgUGxhdGZvcm06ImRhcndpbi9hbWQ2NCJ9ClNlcnZlciBWZXJzaW9uOiB2ZXJzaW9uLkluZm97TWFqb3I6IjEiLCBNaW5vcjoiMTgiLCBHaXRWZXJzaW9uOiJ2MS4xOC4zIiwgR2l0Q29tbWl0OiIyZTc5OTZlM2UyNzEyNjg0YmM3M2YwZGVjMDIwMGQ2NGVlYzdmZTQwIiwgR2l0VHJlZVN0YXRlOiJjbGVhbiIsIEJ1aWxkRGF0ZToiMjAyMC0wNS0yMFQxMjo0MzozNFoiLCBHb1ZlcnNpb246ImdvMS4xMy45IiwgQ29tcGlsZXI6ImdjIiwgUGxhdGZvcm06ImxpbnV4L2FtZDY0In0K", - "date": "Tue Jun 23 2020 02:18:50 GMT+0000 (UTC)" - }, - "email-address": "support@weave.works" - } - labels: - name: weave-net - namespace: kube-system - rules: - - apiGroups: - - '' - resourceNames: - - weave-net - resources: - - configmaps - verbs: - - get - - update - - apiGroups: - - '' - resources: - - configmaps - verbs: - - create - - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: weave-net - annotations: - cloud.weave.works/launcher-info: |- - { - "original-request": { - "url": "/k8s/v1.16/net.yaml?k8s-version=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", - "date": "Tue Jun 23 2020 02:18:50 GMT+0000 (UTC)" - }, - "email-address": "support@weave.works" - } - labels: - name: weave-net - namespace: kube-system - roleRef: - kind: Role - name: weave-net - apiGroup: rbac.authorization.k8s.io - subjects: - - kind: ServiceAccount - name: weave-net - namespace: kube-system - - apiVersion: apps/v1 - kind: DaemonSet - metadata: - name: weave-net - annotations: - cloud.weave.works/launcher-info: |- - { - "original-request": { - "url": 
"/k8s/v1.16/net.yaml?k8s-version=Q2xpZW50IFZlcnNpb246IHZlcnNpb24uSW5mb3tNYWpvcjoiMSIsIE1pbm9yOiIxOCIsIEdpdFZlcnNpb246InYxLjE4LjAiLCBHaXRDb21taXQ6IjllOTkxNDE1Mzg2ZTRjZjE1NWEyNGIxZGExNWJlY2FhMzkwNDM4ZDgiLCBHaXRUcmVlU3RhdGU6ImNsZWFuIiwgQnVpbGREYXRlOiIyMDIwLTAzLTI2VDA2OjE2OjE1WiIsIEdvVmVyc2lvbjoiZ28xLjE0IiwgQ29tcGlsZXI6ImdjIiwgUGxhdGZvcm06ImRhcndpbi9hbWQ2NCJ9ClNlcnZlciBWZXJzaW9uOiB2ZXJzaW9uLkluZm97TWFqb3I6IjEiLCBNaW5vcjoiMTgiLCBHaXRWZXJzaW9uOiJ2MS4xOC4zIiwgR2l0Q29tbWl0OiIyZTc5OTZlM2UyNzEyNjg0YmM3M2YwZGVjMDIwMGQ2NGVlYzdmZTQwIiwgR2l0VHJlZVN0YXRlOiJjbGVhbiIsIEJ1aWxkRGF0ZToiMjAyMC0wNS0yMFQxMjo0MzozNFoiLCBHb1ZlcnNpb246ImdvMS4xMy45IiwgQ29tcGlsZXI6ImdjIiwgUGxhdGZvcm06ImxpbnV4L2FtZDY0In0K", - "date": "Tue Jun 23 2020 02:18:50 GMT+0000 (UTC)" - }, - "email-address": "support@weave.works" - } - labels: - name: weave-net - namespace: kube-system - spec: - minReadySeconds: 5 - selector: - matchLabels: - name: weave-net - template: - metadata: - labels: - name: weave-net - spec: - containers: - - name: weave - command: - - /home/weave/launch.sh - env: - - name: HOSTNAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - image: 'docker.io/weaveworks/weave-kube:2.6.5' - readinessProbe: - httpGet: - host: 127.0.0.1 - path: /status - port: 6784 - resources: - requests: - cpu: 10m - securityContext: - privileged: true - volumeMounts: - - name: weavedb - mountPath: /weavedb - - name: cni-bin - mountPath: /host/opt - - name: cni-bin2 - mountPath: /host/home - - name: cni-conf - mountPath: /host/etc - - name: dbus - mountPath: /host/var/lib/dbus - - name: lib-modules - mountPath: /lib/modules - - name: xtables-lock - mountPath: /run/xtables.lock - - name: weave-npc - env: - - name: HOSTNAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - image: 'docker.io/weaveworks/weave-npc:2.6.5' - resources: - requests: - cpu: 10m - securityContext: - privileged: true - volumeMounts: - - name: xtables-lock - mountPath: /run/xtables.lock - dnsPolicy: 
ClusterFirstWithHostNet - hostNetwork: true - hostPID: true - priorityClassName: system-node-critical - restartPolicy: Always - securityContext: - seLinuxOptions: {} - serviceAccountName: weave-net - tolerations: - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - volumes: - - name: weavedb - hostPath: - path: /var/lib/weave - - name: cni-bin - hostPath: - path: /opt - - name: cni-bin2 - hostPath: - path: /home - - name: cni-conf - hostPath: - path: /etc - - name: dbus - hostPath: - path: /var/lib/dbus - - name: lib-modules - hostPath: - path: /lib/modules - - name: xtables-lock - hostPath: - path: /run/xtables.lock - type: FileOrCreate - updateStrategy: - type: RollingUpdate
From d628748116e0a82f2681c102f1597e74565a26d2 Mon Sep 17 00:00:00 2001
From: minikube-bot
Date: Wed, 25 May 2022 18:15:35 +0000
Subject: [PATCH 2/3] use antrea CNI

---
 test/integration/net_test.go | 2 +-
 test/integration/testdata/antrea.yaml | 5137 +++++++++++++++++++++++++
 test/integration/testdata/romana.yaml | 402 --
 3 files changed, 5138 insertions(+), 403 deletions(-)
 create mode 100644 test/integration/testdata/antrea.yaml
 delete mode 100644 test/integration/testdata/romana.yaml

diff --git a/test/integration/net_test.go b/test/integration/net_test.go
index 12b14267dc..93e2666b47 100644
--- a/test/integration/net_test.go
+++ b/test/integration/net_test.go
@@ -61,7 +61,7 @@ func TestNetworkPlugins(t *testing.T) {
 {"flannel", []string{"--cni=flannel"}, "cni", "app=flannel", true},
 {"kindnet", []string{"--cni=kindnet"}, "cni", "app=kindnet", true},
 {"false", []string{"--cni=false"}, "", "", false},
- {"custom-romana", []string{fmt.Sprintf("--cni=%s", filepath.Join(*testdataDir, "romana.yaml"))}, "cni", "", true},
+ {"custom-antrea", []string{fmt.Sprintf("--cni=%s", filepath.Join(*testdataDir, "antrea.yaml"))}, "cni", "", true},
 {"calico", []string{"--cni=calico"}, "cni", "k8s-app=calico-node", true},
 {"cilium", []string{"--cni=cilium"}, "cni", "k8s-app=cilium", true},
 }
diff --git a/test/integration/testdata/antrea.yaml b/test/integration/testdata/antrea.yaml
new file mode 100644
index 0000000000..beb5bab289
--- /dev/null
+++ b/test/integration/testdata/antrea.yaml
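Review bot: The new `custom-antrea` row keeps an empty string in the fourth column where the built-in CNIs pass a pod label selector (`app=flannel`, `k8s-app=calico-node`), so whatever readiness wait that selector drives is skipped for the custom manifest and a later connectivity check can race against an Antrea agent that is not up yet. The manifest this commit adds labels its objects `app: antrea` (visible on the CRDs), so if the agent DaemonSet carries the same label, `{"custom-antrea", []string{fmt.Sprintf("--cni=%s", filepath.Join(*testdataDir, "antrea.yaml"))}, "cni", "app=antrea", true},` would make this case wait like the others; that should be confirmed against the DaemonSet further down in antrea.yaml. The table this row belongs to starts before the hunk and the meaning of the fourth field is inferred from the sibling rows, not from the struct definition.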
@@ -0,0 +1,5137 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - laai + singular: antreaagentinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreaagentinfos.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: AntreaAgentInfo + plural: antreaagentinfos + shortNames: + - aai + singular: antreaagentinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Health status of this Agent + jsonPath: .agentConditions[?(@.type=='AgentHealthy')].status + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: .agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime + name: Last Heartbeat + type: date + - description: Version of this Agent + jsonPath: .version + name: Version + priority: 1 + type: string + - description: Node on which this Agent is running + jsonPath: .nodeRef.name + name: Node + priority: 1 + type: string + - description: Number of local Pods managed by this Agent + jsonPath: .localPodNum + name: Num Pods + priority: 2 + type: integer + - description: Subnets used by this Agent for Pod IPAM + jsonPath: .nodeSubnets + name: Subnets + priority: 2 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.clusterinformation.antrea.tanzu.vmware.com +spec: + 
group: clusterinformation.antrea.tanzu.vmware.com + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - laci + singular: antreacontrollerinfo + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: antreacontrollerinfos.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: AntreaControllerInfo + plural: antreacontrollerinfos + shortNames: + - aci + singular: antreacontrollerinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Health status of the Controller + jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].status + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime + name: Last Heartbeat + type: date + - description: Version of the Controller + jsonPath: .version + name: Version + priority: 1 + type: string + - description: Number of Agents connected to the Controller + jsonPath: .connectedAgentNum + name: Connected Agents + priority: 1 + type: integer + - description: Node on which the Controller is running + jsonPath: .nodeRef.name + name: Node + priority: 1 + type: string + - description: Number of Network Policies computed by Controller + jsonPath: .networkPolicyControllerInfo.networkPolicyNum + name: Num Network Policies + priority: 2 + type: integer + name: v1beta1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ClusterGroup + plural: 
clustergroups + shortNames: + - lcg + singular: group + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: 
CustomResourceDefinition +metadata: + labels: + app: antrea + name: clustergroups.crd.antrea.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: antrea + namespace: kube-system + path: /convert/clustergroup + conversionReviewVersions: + - v1 + - v1beta1 + group: crd.antrea.io + names: + kind: ClusterGroup + plural: clustergroups + shortNames: + - cg + singular: clustergroup + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + 
type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + served: true + storage: false + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + properties: + childGroups: + items: + type: string + type: array + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlocks: + items: + properties: + cidr: + format: cidr + type: string + type: object + type: array + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + serviceReference: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: 
object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - acnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + 
x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + fqdn: + type: string + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + 
- NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true 
+ type: object + namespaces: + properties: + match: + enum: + - Self + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: clusternetworkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: ClusterNetworkPolicy + plural: clusternetworkpolicies + shortNames: + - lacnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this ClusterNetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. 
+ format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: 
string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + group: + type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + 
matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + group: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + properties: + match: + type: string + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + 
observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: egresses.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Egress + plural: egresses + shortNames: + - eg + singular: egress + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. + jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + properties: + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + egressIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + externalIPPool: + type: string + required: + - appliedTo + type: object + status: + properties: + egressNode: + type: string + type: object + required: + - spec + type: object + served: true + 
storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.core.antrea.tanzu.vmware.com +spec: + group: core.antrea.tanzu.vmware.com + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - lee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalentities.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalEntity + plural: externalentities + shortNames: + - ee + singular: externalentity + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + endpoints: + items: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + name: + type: string + type: object + type: array + externalNode: + type: string + ports: + items: + properties: + name: + type: string + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + served: false + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: 
externalippools.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: ExternalIPPool + plural: externalippools + shortNames: + - eip + singular: externalippool + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + ipRanges: + items: + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + format: cidr + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + type: object + type: array + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - ipRanges + - nodeSelector + type: object + status: + properties: + usage: + properties: + total: + type: integer + used: + type: integer + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: ippools.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: IPPool + plural: ippools + shortNames: + - ipp + singular: ippool + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - 
required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + vlan: + type: string + type: object + type: array + ipVersion: + type: integer + required: + - ipVersion + - ipRanges + type: object + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + containerID: + type: string + name: + type: string + namespace: + type: string + type: object + statefulSet: + properties: + index: + type: integer + name: + type: string + namespace: + type: string + type: object + type: object + phase: + type: string + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - anp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. 
+ format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + fqdn: + type: string + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + 
namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + toServices: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: 
object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: networkpolicies.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: NetworkPolicy + plural: networkpolicies + shortNames: + - lanp + singular: networkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Tier to which this Antrea NetworkPolicy belongs to. 
+ jsonPath: .spec.tier + name: Tier + type: string + - description: The Priority of this Antrea NetworkPolicy relative to other policies. + format: float + jsonPath: .spec.priority + name: Priority + type: number + - description: The total number of Nodes that should realize the NetworkPolicy. + format: int32 + jsonPath: .status.desiredNodesRealized + name: Desired Nodes + type: number + - description: The number of Nodes that have realized the NetworkPolicy. + format: int32 + jsonPath: .status.currentNodesRealized + name: Current Nodes + type: number + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + egress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + to: + items: + properties: + externalEntitySelector: + properties: + 
matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + required: + - action + type: object + type: array + ingress: + items: + properties: + action: + enum: + - Allow + - Drop + - Reject + - Pass + type: string + appliedTo: + items: + properties: + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + enableLogging: + type: boolean + from: + items: + properties: + externalEntitySelector: + properties: + matchExpressions: + items: + properties: + key: + type: 
string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + ipBlock: + properties: + cidr: + format: cidr + type: string + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + name: + type: string + ports: + items: + properties: + endPort: + type: integer + port: + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + required: + - action + type: object + type: array + priority: + format: float + maximum: 10000 + minimum: 1 + type: number + tier: + type: string + required: + - priority + type: object + status: + properties: + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + observedGeneration: + type: integer + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Tier + plural: 
tiers + shortNames: + - tr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: tiers.security.antrea.tanzu.vmware.com +spec: + group: security.antrea.tanzu.vmware.com + names: + kind: Tier + plural: tiers + shortNames: + - ltr + singular: tier + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + description: + type: string + priority: + maximum: 255 + minimum: 0 + type: integer + required: + - priority + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.crd.antrea.io +spec: + group: crd.antrea.io + names: + kind: Traceflow + plural: traceflows + shortNames: + - tf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. 
+ jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. + jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - description: Trace live traffic. + jsonPath: .spec.liveTraffic + name: Live-Traffic + priority: 10 + type: boolean + - description: Capture only the dropped packet. + jsonPath: .spec.droppedOnly + name: Dropped-Only + priority: 10 + type: boolean + - description: Timeout in seconds. + jsonPath: .spec.timeout + name: Timeout + priority: 10 + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + droppedOnly: + type: boolean + liveTraffic: + type: boolean + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + type: object + timeout: + type: integer + type: object + status: + properties: + capturedPacket: + properties: + dstIP: + type: string + ipHeader: + properties: + flags: + 
type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + length: + type: integer + srcIP: + type: string + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: object + type: array + startTime: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: traceflows.ops.antrea.tanzu.vmware.com +spec: + group: ops.antrea.tanzu.vmware.com + names: + kind: Traceflow + plural: traceflows + shortNames: + - ltf + singular: traceflow + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The phase of the Traceflow. + jsonPath: .status.phase + name: Phase + type: string + - description: The name of the source Pod. + jsonPath: .spec.source.pod + name: Source-Pod + priority: 10 + type: string + - description: The name of the destination Pod. 
+ jsonPath: .spec.destination.pod + name: Destination-Pod + priority: 10 + type: string + - description: The IP address of the destination. + jsonPath: .spec.destination.ip + name: Destination-IP + priority: 10 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + destination: + properties: + ip: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + namespace: + type: string + pod: + type: string + service: + type: string + type: object + packet: + properties: + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + srcIP: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + srcIP: + format: ipv6 + type: string + type: object + transportHeader: + properties: + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + tcp: + properties: + dstPort: + type: integer + flags: + type: integer + srcPort: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + type: object + type: object + source: + properties: + namespace: + type: string + pod: + type: string + required: + - pod + - namespace + type: object + required: + - source + type: object + status: + properties: + dataplaneTag: + type: integer + phase: + type: string + reason: + type: string + results: + items: + properties: + node: + type: string + observations: + items: + properties: + action: + type: string + component: + type: string + componentInfo: + type: string + dstMAC: + type: string + networkPolicy: + type: string + pod: + type: string + translatedDstIP: + type: string + translatedSrcIP: + type: string + ttl: + type: integer + tunnelDstIP: + type: string + type: object + type: array + role: + type: string + timestamp: + type: integer + type: 
object + type: array + startTime: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-agent + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea + name: antrea-controller + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-clustergroups-edit +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-clustergroups-view +rules: +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - clustergroups + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-antrea-policies-edit +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + 
resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-antrea-policies-view +rules: +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: aggregate-traceflows-edit +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: aggregate-traceflows-view +rules: +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + verbs: + - get + - list + - watch +- apiGroups: + - crd.antrea.io + resources: + - traceflows + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antctl +rules: +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - list +- apiGroups: + - stats.antrea.tanzu.vmware.com + - stats.antrea.io + resources: + - networkpolicystats + - 
antreaclusternetworkpolicystats + - antreanetworkpolicystats + verbs: + - get + - list +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - controllerinfos + - agentinfos + verbs: + - get +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - supportbundles + verbs: + - get + - post +- apiGroups: + - system.antrea.tanzu.vmware.com + - system.antrea.io + resources: + - supportbundles/download + verbs: + - get +- nonResourceURLs: + - /agentinfo + - /addressgroups + - /appliedtogroups + - /loglevel + - /networkpolicies + - /ovsflows + - /ovstracing + - /podinterfaces + - /featuregates + - /serviceexternalip + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-agent +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - nodes/status + verbs: + - patch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - pods/status + verbs: + - patch +- apiGroups: + - "" + resources: + - endpoints + - services + - namespaces + verbs: + - get + - watch + - list +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.io + resources: + - egressgroups + verbs: + - get + - watch + - list +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - nodestatssummaries + verbs: + - create +- apiGroups: + - controlplane.antrea.tanzu.vmware.com + - 
controlplane.antrea.io + resources: + - networkpolicies/status + verbs: + - create + - get +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - ops.antrea.tanzu.vmware.com + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - egresses/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - ippools/status + verbs: + - update +- apiGroups: + - k8s.cni.cncf.io + resources: + - network-attachment-definitions + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-cluster-identity-reader +rules: +- apiGroups: + - "" + resourceNames: + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea + name: antrea-controller +rules: +- apiGroups: + - "" + resources: + - pods + - services + - namespaces + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - patch +- apiGroups: + - "" + resources: + - services/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - watch + 
- list +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - update +- apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - antrea-ca + - antrea-cluster-identity + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1alpha1.stats.antrea.tanzu.vmware.com + - v1beta1.system.antrea.tanzu.vmware.com + - v1beta2.controlplane.antrea.tanzu.vmware.com + - v1alpha1.stats.antrea.io + - v1beta1.system.antrea.io + - v1beta2.controlplane.antrea.io + resources: + - apiservices + verbs: + - get + - update +- apiGroups: + - apiregistration.k8s.io + resourceNames: + - v1beta1.networking.antrea.tanzu.vmware.com + - v1beta1.controlplane.antrea.tanzu.vmware.com + resources: + - apiservices + verbs: + - delete +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - crdmutator.antrea.tanzu.vmware.com + - crdvalidator.antrea.tanzu.vmware.com + - labelsmutator.antrea.io + - crdmutator.antrea.io + - crdvalidator.antrea.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - update +- apiGroups: + - crd.antrea.io + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies/status + 
- networkpolicies/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - crd.antrea.io + resources: + - clustergroups/status + verbs: + - update +- apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list + - update + - patch +- apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list +- apiGroups: + - crd.antrea.io + resources: + - externalippools/status + - ippools/status + verbs: + - update +- apiGroups: + - apps + resources: + - statefulsets + verbs: + - get + - list + - watch +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete +- apiGroups: + - clusterinformation.antrea.tanzu.vmware.com + resources: + - antreaagentinfos + verbs: + - list + - delete +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update +- apiGroups: + - security.antrea.tanzu.vmware.com + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - ops.antrea.tanzu.vmware.com + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - 
core.antrea.tanzu.vmware.com + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - core.antrea.tanzu.vmware.com + resources: + - clustergroups/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antctl +subjects: +- kind: ServiceAccount + name: antctl + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: +- kind: ServiceAccount + name: antrea-agent + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antrea-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: +- kind: ServiceAccount + name: antrea-controller + namespace: kube-system +--- +apiVersion: v1 +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice + # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. + # EndpointSlice: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. 
+ # Traceflow: true + + # Enable NodePortLocal feature to make the Pods reachable externally through NodePort + # NodePortLocal: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. + # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: false + + # Enable flexible IPAM mode for Antrea. This mode allows to assign IP Ranges to Namespaces, + # Deployments and StatefulSets via IP Pool annotation. + # AntreaIPAM: false + + # Enable multicast traffic. This feature is supported only with noEncap mode. + # Multicast: false + + # Enable managing external IPs of Services of LoadBalancer type. + # ServiceExternalIP: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. + #ovsBridge: br-int + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: + # - system + # - netdev + # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. + # Make sure it doesn't conflict with your existing interfaces. + #hostGateway: antrea-gw0 + + # Determines how traffic is encapsulated. 
It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. + # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. + # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + #trafficEncapMode: encap + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. + # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + #noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, + # this option will not take effect. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + #tunnelType: geneve + + # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. + # It has the following options: + # - none (default): Inter-node Pod traffic will not be encrypted. + # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses + # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, + # the PSK value must be passed to Antrea Agent through an environment + # variable: ANTREA_IPSEC_PSK. + # - wireGuard: Enable WireGuard for tunnel traffic encryption. 
+ #trafficEncryptionMode: none + + # Default MTU to use for the host gateway interface and the network interface of each Pod. + # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + #defaultMTU: 0 + + # wireGuard specifies WireGuard related configurations. + wireGuard: + # The port for WireGuard to receive traffic. + # port: 51820 + + egress: + # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. + # exceptCIDRs: [] + + # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + #serviceCIDR: 10.96.0.0/12 + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. + #serviceCIDRv6: + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + #apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + #enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. 
+ # However, IPv6 address should be wrapped with []. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" + + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #flowPollInterval: "5s" + + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #activeFlowExportTimeout: "30s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + #idleFlowExportTimeout: "15s" + + nodePortLocal: + # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To + # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature + # gate is also enabled (which is the default). + # enable: false + # Provide the port range used by NodePortLocal. 
When the NodePortLocal feature is enabled, a port + # from that range will be assigned whenever a Pod's container defines a specific port to be exposed + # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic + # directed to that port will be forwarded to the Pod. + # portRange: 61000-62000 + + # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. + # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. + #kubeAPIServerOverride: "" + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + #tlsMinVersion: + + # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. + # If there are multiple IP addresses configured on the interface, the first one is used. The IP + # address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. transportInterface + # 2. transportInterfaceCIDRs + # 3. The Node IP + #transportInterface: + + # The names of the interfaces on Nodes that are used to forward multicast traffic. + # Defaults to transport interface if not set. + #multicastInterfaces: [] + + # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across + # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The + # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. 
transportInterface + # 2. transportInterfaceCIDRs + # 3. The Node IP + #transportInterfaceCIDRs: [,] + + # Option antreaProxy contains AntreaProxy related configuration options. + antreaProxy: + # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, + # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy + # feature to be enabled. + # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access + # apiserver directly. + #proxyAll: false + # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. + # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. + # Note that the option is only valid when proxyAll is true. + #nodePortAddresses: [] + # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these + # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name + # with Namespace (e.g. kube-system/kube-dns) + #skipServices: [] + # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the + # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional + # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the + # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. + # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and + # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. 
+ #proxyLoadBalancerIPs: true + antrea-cni.conflist: | + { + "cniVersion":"0.3.0", + "name": "antrea", + "plugins": [ + { + "type": "antrea", + "ipam": { + "type": "host-local" + } + }, + { + "type": "portmap", + "capabilities": {"portMappings": true} + }, + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + antrea-controller.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: false + + # Run Kubernetes NodeIPAMController with Antrea. + # NodeIPAM: false + + # Enable flexible IPAM mode for Antrea. This mode allows to assign IP Ranges to Namespaces, + # Deployments and StatefulSets via IP Pool annotation. + # AntreaIPAM: false + + # Enable managing external IPs of Services of LoadBalancer type. + # ServiceExternalIP: false + + # The port for the antrea-controller APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-controller` container must be set to the same value. + #apiPort: 10349 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + #enablePrometheusMetrics: true + + # Indicates whether to use auto-generated self-signed TLS certificate. 
+ # If false, A Secret named "antrea-controller-tls" must be provided with the following keys: + # ca.crt: + # tls.crt: + # tls.key: + # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the + # antrea-controller container. + #selfSignedCert: true + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + #tlsCipherSuites: + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + #tlsMinVersion: + + # If Antrea is upgraded from version <= v0.13 and legacy CRDs are used, this option should be + # enabled, otherwise the CRDs created with the legacy API groups will not take any effect and + # work as expected. When the mirroring is enabled, if a legacy CRD is created with legacy API + # groups, mirroring-controller will create a new CRD with the Spec and Labels from the legacy + # CRD. Afterwards, the modification of Spec and Label in legacy CRD will be synchronized to new + # CRD automatically. In addition, the modification of Status in new CRD will also be synchronized + # to legacy CRD automatically. If a legacy CRD is deleted, the corresponding new CRD will be deleted. + # Note that: to decouple a new CRD from the corresponding legacy CRD, the legacy CRD should be + # annotated with "crd.antrea.io/stop-mirror". Afterwards, updates to the legacy CRDs will no + # longer be reflected in the new CRD, and all CRUD operations should be done through the new + # API groups. After adding the annotation, legacy CRDs can be deleted safely without impacting + # new CRDs. + #legacyCRDMirroring: true + + nodeIPAM: + # Enable the integrated Node IPAM controller within the Antrea controller. + # enableNodeIPAM: false + + # CIDR ranges for Pods in cluster. 
String array containing single CIDR range, or multiple ranges. + # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. + # Value ignored when enableNodeIPAM is false. + # clusterCIDRs: [] + + # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. + # Value ignored when enableNodeIPAM is false. + # serviceCIDR: + # serviceCIDRv6: + + # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. + # nodeCIDRMaskSizeIPv4: 24 + + # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. + # nodeCIDRMaskSizeIPv6: 64 +kind: ConfigMap +metadata: + annotations: {} + labels: + app: antrea + name: antrea-config-2k82d6f6t4 + namespace: kube-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: antrea + name: antrea + namespace: kube-system +spec: + ports: + - port: 443 + protocol: TCP + targetPort: api + selector: + app: antrea + component: antrea-controller +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: antrea + component: antrea-controller + name: antrea-controller + namespace: kube-system +spec: + replicas: 1 + selector: + matchLabels: + app: antrea + component: antrea-controller + strategy: + type: Recreate + template: + metadata: + labels: + app: antrea + component: antrea-controller + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-controller.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-controller + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: 
NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: SERVICEACCOUNT_NAME + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ANTREA_CONFIG_MAP_NAME + value: antrea-config-2k82d6f6t4 + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.5.3 + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /livez + port: api + scheme: HTTPS + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-controller + ports: + - containerPort: 10349 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + volumeMounts: + - mountPath: /etc/antrea/antrea-controller.conf + name: antrea-config + readOnly: true + subPath: antrea-controller.conf + - mountPath: /var/run/antrea/antrea-controller-tls + name: antrea-controller-tls + - mountPath: /var/log/antrea + name: host-var-log-antrea + hostNetwork: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + serviceAccountName: antrea-controller + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + volumes: + - configMap: + name: antrea-config-2k82d6f6t4 + name: antrea-config + - name: antrea-controller-tls + secret: + defaultMode: 256 + optional: true + secretName: antrea-controller-tls + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.io +spec: + group: stats.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService 
+metadata: + labels: + app: antrea + name: v1alpha1.stats.antrea.tanzu.vmware.com +spec: + group: stats.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.system.antrea.io +spec: + group: system.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta1.system.antrea.tanzu.vmware.com +spec: + group: system.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.io +spec: + group: controlplane.antrea.io + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app: antrea + name: v1beta2.controlplane.antrea.tanzu.vmware.com +spec: + group: controlplane.antrea.tanzu.vmware.com + groupPriorityMinimum: 100 + service: + name: antrea + namespace: kube-system + version: v1beta2 + versionPriority: 100 +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app: antrea + component: antrea-agent + name: antrea-agent + namespace: kube-system +spec: + selector: + matchLabels: + app: antrea + component: antrea-agent + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: antrea-agent + labels: + app: antrea + component: antrea-agent + spec: + containers: + - args: + - --config + - /etc/antrea/antrea-agent.conf + - --logtostderr=false + - --log_dir=/var/log/antrea + - --alsologtostderr + - 
--log_file_max_size=100 + - --log_file_max_num=4 + - --v=0 + command: + - antrea-agent + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.5.3 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - container_liveness_probe agent + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + name: antrea-agent + ports: + - containerPort: 10350 + name: api + protocol: TCP + readinessProbe: + failureThreshold: 8 + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + requests: + cpu: 200m + securityContext: + privileged: true + volumeMounts: + - mountPath: /etc/antrea/antrea-agent.conf + name: antrea-config + readOnly: true + subPath: antrea-agent.conf + - mountPath: /var/run/antrea + name: host-var-run-antrea + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/lib/cni + name: host-var-run-antrea + subPath: cni + - mountPath: /var/log/antrea + name: host-var-log-antrea + - mountPath: /host/proc + name: host-proc + readOnly: true + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: host-var-run-netns + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + - args: + - --log_file_max_size=100 + - --log_file_max_num=4 + command: + - start_ovs + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.5.3 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - timeout 10 container_liveness_probe ovs + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 10 + name: antrea-ovs + resources: + requests: + cpu: 200m + securityContext: + capabilities: + add: + - SYS_NICE + - NET_ADMIN + 
- SYS_ADMIN + - IPC_LOCK + volumeMounts: + - mountPath: /var/run/openvswitch + name: host-var-run-antrea + subPath: openvswitch + - mountPath: /var/log/openvswitch + name: host-var-log-antrea + subPath: openvswitch + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + initContainers: + - command: + - install_cni + image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.5.3 + name: install-cni + resources: + requests: + cpu: 100m + securityContext: + capabilities: + add: + - SYS_MODULE + volumeMounts: + - mountPath: /etc/antrea/antrea-cni.conflist + name: antrea-config + readOnly: true + subPath: antrea-cni.conflist + - mountPath: /host/etc/cni/net.d + name: host-cni-conf + - mountPath: /host/opt/cni/bin + name: host-cni-bin + - mountPath: /lib/modules + name: host-lib-modules + readOnly: true + - mountPath: /var/run/antrea + name: host-var-run-antrea + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-node-critical + serviceAccountName: antrea-agent + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + volumes: + - configMap: + name: antrea-config-2k82d6f6t4 + name: antrea-config + - hostPath: + path: /etc/cni/net.d + name: host-cni-conf + - hostPath: + path: /opt/cni/bin + name: host-cni-bin + - hostPath: + path: /proc + name: host-proc + - hostPath: + path: /var/run/netns + name: host-var-run-netns + - hostPath: + path: /var/run/antrea + type: DirectoryOrCreate + name: host-var-run-antrea + - hostPath: + path: /var/log/antrea + type: DirectoryOrCreate + name: host-var-log-antrea + - hostPath: + path: /lib/modules + name: host-lib-modules + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + updateStrategy: + type: RollingUpdate +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.io +webhooks: +- admissionReviewVersions: + 
- v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdmutator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/acnp + name: acnpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /mutate/anp + name: anpmutator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.io +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: 
tiervalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/anp + name: anpvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/clustergroup + name: clustergroupvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha3 + - v1alpha2 + operations: + - CREATE + - UPDATE + resources: + - clustergroups + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/externalippool + name: externalippoolvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha2 + operations: + - UPDATE + resources: + - externalippools + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/egress + name: egressvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha2 + operations: + - CREATE + - 
UPDATE + resources: + - egresses + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/ippool + name: ippoolvalidator.antrea.io + rules: + - apiGroups: + - crd.antrea.io + apiVersions: + - v1alpha2 + operations: + - UPDATE + - DELETE + resources: + - ippools + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: antrea + name: crdvalidator.antrea.tanzu.vmware.com +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/tier + name: tiervalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tiers + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/acnp + name: acnpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusternetworkpolicies + scope: Cluster + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/anp + name: anpvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - security.antrea.tanzu.vmware.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - networkpolicies + scope: Namespaced + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: antrea + namespace: kube-system + path: /validate/clustergroup + name: 
clustergroupvalidator.antrea.tanzu.vmware.com + rules: + - apiGroups: + - core.antrea.tanzu.vmware.com + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - clustergroups + scope: Cluster + sideEffects: None + timeoutSeconds: 5 diff --git a/test/integration/testdata/romana.yaml b/test/integration/testdata/romana.yaml deleted file mode 100644 index f28c54a00f..0000000000 --- a/test/integration/testdata/romana.yaml +++ /dev/null 
@@ -1,402 +0,0 @@ -apiVersion: v1 -items: -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - creationTimestamp: null - name: romana-listener - rules: - - apiGroups: - - '*' - resources: - - pods - - namespaces - - nodes - - endpoints - verbs: - - get - - list - - watch - - apiGroups: - - extensions - resources: - - networkpolicies - verbs: - - get - - list - - watch - - apiGroups: - - '*' - resources: - - services - verbs: - - update - - list - - watch -- apiVersion: v1 - kind: ServiceAccount - metadata: - creationTimestamp: null - name: romana-listener - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - creationTimestamp: null - name: romana-listener - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: romana-listener - subjects: - - kind: ServiceAccount - name: romana-listener - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - creationTimestamp: null - name: romana-agent - rules: - - apiGroups: - - '*' - resources: - - pods - - nodes - verbs: - - get -- apiVersion: v1 - kind: ServiceAccount - metadata: - creationTimestamp: null - name: romana-agent - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - creationTimestamp: null - name: romana-agent - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: romana-agent - subjects: - - kind: ServiceAccount - name: romana-agent - namespace: kube-system -- apiVersion: v1 - kind: Service - metadata: - creationTimestamp: null - name: romana-etcd - namespace: kube-system - spec: - clusterIP: 10.96.0.88 - internalTrafficPolicy: Cluster - ports: - - name: etcd - port: 12379 - protocol: TCP - targetPort: 12379 - selector: - romana-app: etcd - sessionAffinity: None - type: ClusterIP - status: - loadBalancer: {} -- apiVersion: apps/v1 - kind: Deployment - metadata: - creationTimestamp: null - 
labels: - romana-app: etcd - name: romana-etcd - namespace: kube-system - spec: - progressDeadlineSeconds: 2147483647 - replicas: 1 - revisionHistoryLimit: 2147483647 - selector: - matchLabels: - romana-app: etcd - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 - type: RollingUpdate - template: - metadata: - creationTimestamp: null - labels: - romana-app: etcd - spec: - containers: - - command: - - etcd - - --listen-client-urls=http://0.0.0.0:12379 - - --listen-peer-urls=http://127.0.0.1:12380 - - --advertise-client-urls=http://10.96.0.88:12379 - - --data-dir=/var/etcd/data - image: gcr.io/google_containers/etcd-amd64:3.0.17 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 3 - httpGet: - host: 127.0.0.1 - path: /health - port: 12379 - scheme: HTTP - initialDelaySeconds: 15 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 15 - name: romana-etcd - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /var/etcd/data - name: etcd-data - dnsPolicy: ClusterFirst - hostNetwork: true - nodeSelector: - node-role.kubernetes.io/master: "" - restartPolicy: Always - schedulerName: default-scheduler - securityContext: - seLinuxOptions: - type: spc_t - terminationGracePeriodSeconds: 30 - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/master - - effect: NoSchedule - key: node.kubernetes.io/not-ready - volumes: - - hostPath: - path: /var/lib/romana/etcd-db - type: "" - name: etcd-data - status: {} -- apiVersion: v1 - kind: Service - metadata: - creationTimestamp: null - name: romana - namespace: kube-system - spec: - clusterIP: 10.96.0.99 - internalTrafficPolicy: Cluster - ports: - - name: daemon - port: 9600 - protocol: TCP - targetPort: 9600 - selector: - romana-app: daemon - sessionAffinity: None - type: ClusterIP - status: - loadBalancer: {} -- apiVersion: apps/v1 - kind: Deployment - metadata: - creationTimestamp: null - labels: - romana-app: 
daemon - name: romana-daemon - namespace: kube-system - spec: - progressDeadlineSeconds: 2147483647 - replicas: 1 - revisionHistoryLimit: 2147483647 - selector: - matchLabels: - romana-app: daemon - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 - type: RollingUpdate - template: - metadata: - creationTimestamp: null - labels: - romana-app: daemon - spec: - containers: - - image: quay.io/romana/daemon:v2.0.2 - imagePullPolicy: Always - name: romana-daemon - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - dnsPolicy: ClusterFirst - hostNetwork: true - nodeSelector: - node-role.kubernetes.io/master: "" - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - terminationGracePeriodSeconds: 30 - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/master - - effect: NoSchedule - key: node.kubernetes.io/not-ready - status: {} -- apiVersion: apps/v1 - kind: Deployment - metadata: - creationTimestamp: null - labels: - romana-app: listener - name: romana-listener - namespace: kube-system - spec: - progressDeadlineSeconds: 2147483647 - replicas: 1 - revisionHistoryLimit: 2147483647 - selector: - matchLabels: - romana-app: listener - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 - type: RollingUpdate - template: - metadata: - creationTimestamp: null - labels: - romana-app: listener - spec: - containers: - - image: quay.io/romana/listener:v2.0.2 - imagePullPolicy: Always - name: romana-listener - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - dnsPolicy: ClusterFirst - hostNetwork: true - nodeSelector: - node-role.kubernetes.io/master: "" - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - serviceAccount: romana-listener - serviceAccountName: romana-listener - terminationGracePeriodSeconds: 30 - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/master - - effect: 
NoSchedule - key: node.kubernetes.io/not-ready - status: {} -- apiVersion: apps/v1 - kind: DaemonSet - metadata: - annotations: - deprecated.daemonset.template.generation: "0" - creationTimestamp: null - labels: - romana-app: agent - name: romana-agent - namespace: kube-system - spec: - revisionHistoryLimit: 10 - selector: - matchLabels: - romana-app: agent - template: - metadata: - creationTimestamp: null - labels: - romana-app: agent - spec: - containers: - - env: - - name: NODENAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: NODEIP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - image: quay.io/romana/agent:v2.0.2 - imagePullPolicy: Always - name: romana-agent - resources: {} - securityContext: - privileged: true - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /host/usr/local/bin - name: host-usr-local-bin - - mountPath: /host/etc/romana - name: host-etc-romana - - mountPath: /host/opt/cni/bin - name: host-cni-bin - - mountPath: /host/etc/cni/net.d - name: host-cni-net-d - - mountPath: /var/run/romana - name: run-path - - mountPath: /host/etc/rlog - name: host-etc-rlog - dnsPolicy: ClusterFirst - hostNetwork: true - restartPolicy: Always - schedulerName: default-scheduler - securityContext: - seLinuxOptions: - type: spc_t - serviceAccount: romana-agent - serviceAccountName: romana-agent - terminationGracePeriodSeconds: 30 - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/master - - effect: NoSchedule - key: node.kubernetes.io/not-ready - volumes: - - hostPath: - path: /usr/local/bin - type: "" - name: host-usr-local-bin - - hostPath: - path: /etc/romana - type: "" - name: host-etc-romana - - hostPath: - path: /opt/cni/bin - type: "" - name: host-cni-bin - - hostPath: - path: /etc/cni/net.d - type: "" - name: host-cni-net-d - - hostPath: - path: /var/run/romana - type: "" - name: run-path - - hostPath: - path: /etc/rlog - 
type: "" - name: host-etc-rlog - updateStrategy: - rollingUpdate: - maxSurge: 0 - maxUnavailable: 1 - type: RollingUpdate - status: - currentNumberScheduled: 0 - desiredNumberScheduled: 0 - numberMisscheduled: 0 - numberReady: 0 -kind: List -metadata: {}
From bc968683e6d51b655207e05843ee5244295024ae Mon Sep 17 00:00:00 2001
From: Steven Powell
Date: Wed, 25 May 2022 14:54:45 -0700
Subject: [PATCH 3/3] use custom flannel
---
 test/integration/net_test.go | 2 +-
 test/integration/testdata/antrea.yaml | 5137 -------------------
 test/integration/testdata/kube-flannel.yaml | 248 +
 3 files changed, 249 insertions(+), 5138 deletions(-)
 delete mode 100644 test/integration/testdata/antrea.yaml
 create mode 100644 test/integration/testdata/kube-flannel.yaml
diff --git a/test/integration/net_test.go b/test/integration/net_test.go
index 93e2666b47..4556172302 100644
--- a/test/integration/net_test.go
+++ b/test/integration/net_test.go
@@ -61,7 +61,7 @@ func TestNetworkPlugins(t *testing.T) {
 {"flannel", []string{"--cni=flannel"}, "cni", "app=flannel", true},
 {"kindnet", []string{"--cni=kindnet"}, "cni", "app=kindnet", true},
 {"false", []string{"--cni=false"}, "", "", false},
- {"custom-antrea", []string{fmt.Sprintf("--cni=%s", filepath.Join(*testdataDir, "antrea.yaml"))}, "cni", "", true},
+ {"custom-flannel", []string{fmt.Sprintf("--cni=%s", filepath.Join(*testdataDir, "kube-flannel.yaml"))}, "cni", "", true},
 {"calico", []string{"--cni=calico"}, "cni", "k8s-app=calico-node", true},
 {"cilium", []string{"--cni=cilium"}, "cni", "k8s-app=cilium", true},
 }
diff --git a/test/integration/testdata/antrea.yaml b/test/integration/testdata/antrea.yaml
deleted file mode 100644
index beb5bab289..0000000000
--- a/test/integration/testdata/antrea.yaml
+++ /dev/null
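Review bot: The new `custom-flannel` case leaves its fourth element empty while the built-in `flannel` case two lines above passes `app=flannel`; if that field is the pod label the test waits on before running its connectivity checks, the custom-manifest case never confirms that the CNI pods became ready and can pass on a cluster whose CNI never came up. Assuming the checked-in kube-flannel.yaml labels its pods the same way as the upstream manifest, the line should read `{"custom-flannel", []string{fmt.Sprintf("--cni=%s", filepath.Join(*testdataDir, "kube-flannel.yaml"))}, "cni", "app=flannel", true},`. This series has already swapped the fixture from weave to romana to antrea and now to flannel without a comment saying why a local copy is used, so a one-line comment above the case such as `// custom-flannel applies a checked-in copy of upstream kube-flannel.yml to exercise the --cni=<path> code path; keep it in sync with upstream and with the label selector used here.` would help the next maintainer. The enclosing `TestNetworkPlugins` table starts and ends outside the hunk.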
@@ -1,5137 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: antreaagentinfos.clusterinformation.antrea.tanzu.vmware.com -spec: - group: clusterinformation.antrea.tanzu.vmware.com - names: - kind: AntreaAgentInfo - plural: antreaagentinfos - shortNames: - - laai - singular: antreaagentinfo - scope: Cluster - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: antreaagentinfos.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: AntreaAgentInfo - plural: antreaagentinfos - shortNames: - - aai - singular: antreaagentinfo - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Health status of this Agent - jsonPath: .agentConditions[?(@.type=='AgentHealthy')].status - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: .agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime - name: Last Heartbeat - type: date - - description: Version of this Agent - jsonPath: .version - name: Version - priority: 1 - type: string - - description: Node on which this Agent is running - jsonPath: .nodeRef.name - name: Node - priority: 1 - type: string - - description: Number of local Pods managed by this Agent - jsonPath: .localPodNum - name: Num Pods - priority: 2 - type: integer - - description: Subnets used by this Agent for Pod IPAM - jsonPath: .nodeSubnets - name: Subnets - priority: 2 - type: string - name: v1beta1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: antreacontrollerinfos.clusterinformation.antrea.tanzu.vmware.com -spec: - 
group: clusterinformation.antrea.tanzu.vmware.com - names: - kind: AntreaControllerInfo - plural: antreacontrollerinfos - shortNames: - - laci - singular: antreacontrollerinfo - scope: Cluster - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: antreacontrollerinfos.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: AntreaControllerInfo - plural: antreacontrollerinfos - shortNames: - - aci - singular: antreacontrollerinfo - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Health status of the Controller - jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].status - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime - name: Last Heartbeat - type: date - - description: Version of the Controller - jsonPath: .version - name: Version - priority: 1 - type: string - - description: Number of Agents connected to the Controller - jsonPath: .connectedAgentNum - name: Connected Agents - priority: 1 - type: integer - - description: Node on which the Controller is running - jsonPath: .nodeRef.name - name: Node - priority: 1 - type: string - - description: Number of Network Policies computed by Controller - jsonPath: .networkPolicyControllerInfo.networkPolicyNum - name: Num Network Policies - priority: 2 - type: integer - name: v1beta1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: clustergroups.core.antrea.tanzu.vmware.com -spec: - group: core.antrea.tanzu.vmware.com - names: - kind: ClusterGroup - plural: 
clustergroups - shortNames: - - lcg - singular: group - scope: Cluster - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - childGroups: - items: - type: string - type: array - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - ipBlocks: - items: - properties: - cidr: - format: cidr - type: string - type: object - type: array - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceReference: - properties: - name: - type: string - namespace: - type: string - type: object - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - type: string - status: - type: string - type: - type: string - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: 
CustomResourceDefinition -metadata: - labels: - app: antrea - name: clustergroups.crd.antrea.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: antrea - namespace: kube-system - path: /convert/clustergroup - conversionReviewVersions: - - v1 - - v1beta1 - group: crd.antrea.io - names: - kind: ClusterGroup - plural: clustergroups - shortNames: - - cg - singular: clustergroup - scope: Cluster - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - childGroups: - items: - type: string - type: array - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - ipBlocks: - items: - properties: - cidr: - format: cidr - type: string - type: object - type: array - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceReference: - properties: - name: - type: string - namespace: - 
type: string - type: object - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - type: string - status: - type: string - type: - type: string - type: object - type: array - type: object - type: object - served: true - storage: false - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - properties: - childGroups: - items: - type: string - type: array - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - ipBlocks: - items: - properties: - cidr: - format: cidr - type: string - type: object - type: array - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceReference: - properties: - name: - type: string - namespace: - type: string - type: object - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - type: string - status: - type: string - type: - type: string - type: object - type: array - type: object - type: 
object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: clusternetworkpolicies.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ClusterNetworkPolicy - plural: clusternetworkpolicies - shortNames: - - acnp - singular: clusternetworkpolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The Tier to which this ClusterNetworkPolicy belongs to. - jsonPath: .spec.tier - name: Tier - type: string - - description: The Priority of this ClusterNetworkPolicy relative to other policies. - format: float - jsonPath: .spec.priority - name: Priority - type: number - - description: The total number of Nodes that should realize the NetworkPolicy. - format: int32 - jsonPath: .status.desiredNodesRealized - name: Desired Nodes - type: number - - description: The number of Nodes that have realized the NetworkPolicy. - format: int32 - jsonPath: .status.currentNodesRealized - name: Current Nodes - type: number - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - 
x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - egress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - enableLogging: - type: boolean - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - type: string - type: object - type: array - to: - items: - properties: - fqdn: - type: string - group: - type: string - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: - properties: - match: - type: string - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - 
- NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - toServices: - items: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: array - required: - - action - type: object - type: array - ingress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - enableLogging: - type: boolean - from: - items: - properties: - group: - type: string - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true 
- type: object - namespaces: - properties: - match: - enum: - - Self - type: string - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - type: string - type: object - type: array - required: - - action - type: object - type: array - priority: - format: float - maximum: 10000 - minimum: 1 - type: number - tier: - type: string - required: - - priority - type: object - status: - properties: - currentNodesRealized: - type: integer - desiredNodesRealized: - type: integer - observedGeneration: - type: integer - phase: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: clusternetworkpolicies.security.antrea.tanzu.vmware.com -spec: - group: security.antrea.tanzu.vmware.com - names: - kind: ClusterNetworkPolicy - plural: clusternetworkpolicies - shortNames: - - lacnp - singular: clusternetworkpolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The Tier to which this ClusterNetworkPolicy belongs to. - jsonPath: .spec.tier - name: Tier - type: string - - description: The Priority of this ClusterNetworkPolicy relative to other policies. - format: float - jsonPath: .spec.priority - name: Priority - type: number - - description: The total number of Nodes that should realize the NetworkPolicy. 
- format: int32 - jsonPath: .status.desiredNodesRealized - name: Desired Nodes - type: number - - description: The number of Nodes that have realized the NetworkPolicy. - format: int32 - jsonPath: .status.currentNodesRealized - name: Current Nodes - type: number - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - egress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: 
string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - enableLogging: - type: boolean - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - type: string - type: object - type: array - to: - items: - properties: - group: - type: string - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: - properties: - match: - type: string - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - required: - - action - type: object - type: array - ingress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - 
matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - enableLogging: - type: boolean - from: - items: - properties: - group: - type: string - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: - properties: - match: - type: string - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - type: string - type: object - type: array - required: - - action - type: object - type: array - priority: - format: float - maximum: 10000 - minimum: 1 - type: number - tier: - type: string - required: - - priority - type: object - status: - properties: - currentNodesRealized: - type: integer - desiredNodesRealized: - type: integer - 
observedGeneration: - type: integer - phase: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: egresses.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Egress - plural: egresses - shortNames: - - eg - singular: egress - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Specifies the SNAT IP address for the selected workloads. - jsonPath: .spec.egressIP - name: EgressIP - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The Owner Node of egress IP - jsonPath: .status.egressNode - name: Node - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - anyOf: - - required: - - egressIP - - required: - - externalIPPool - properties: - appliedTo: - properties: - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - egressIP: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - externalIPPool: - type: string - required: - - appliedTo - type: object - status: - properties: - egressNode: - type: string - type: object - required: - - spec - type: object - served: true - 
storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalentities.core.antrea.tanzu.vmware.com -spec: - group: core.antrea.tanzu.vmware.com - names: - kind: ExternalEntity - plural: externalentities - shortNames: - - lee - singular: externalentity - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - endpoints: - items: - properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - name: - type: string - type: object - type: array - externalNode: - type: string - ports: - items: - properties: - name: - type: string - port: - x-kubernetes-int-or-string: true - protocol: - type: string - type: object - type: array - type: object - type: object - served: true - storage: true - - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - served: false - storage: false ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalentities.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ExternalEntity - plural: externalentities - shortNames: - - ee - singular: externalentity - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - endpoints: - items: - properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - name: - type: string - type: object - type: array - externalNode: - type: string - ports: - items: - properties: - name: - type: string - port: - x-kubernetes-int-or-string: true - protocol: - type: string - type: object - type: array - type: object - type: object - served: true - storage: true - - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - served: false - storage: false ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: 
externalippools.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ExternalIPPool - plural: externalippools - shortNames: - - eip - singular: externalippool - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of allocated IPs - jsonPath: .status.usage.used - name: Used - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - ipRanges: - items: - oneOf: - - required: - - cidr - - required: - - start - - end - properties: - cidr: - format: cidr - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - start: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - type: object - type: array - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - required: - - ipRanges - - nodeSelector - type: object - status: - properties: - usage: - properties: - total: - type: integer - used: - type: integer - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: ippools.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: IPPool - plural: ippools - shortNames: - - ipp - singular: ippool - scope: Cluster - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - ipRanges: - items: - oneOf: - - required: - - cidr - - gateway - - prefixLength - - 
required: - - start - - end - - gateway - - prefixLength - properties: - cidr: - format: cidr - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - gateway: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - prefixLength: - type: integer - start: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - vlan: - type: string - type: object - type: array - ipVersion: - type: integer - required: - - ipVersion - - ipRanges - type: object - status: - properties: - ipAddresses: - items: - properties: - ipAddress: - type: string - owner: - properties: - pod: - properties: - containerID: - type: string - name: - type: string - namespace: - type: string - type: object - statefulSet: - properties: - index: - type: integer - name: - type: string - namespace: - type: string - type: object - type: object - phase: - type: string - type: object - type: array - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: networkpolicies.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: NetworkPolicy - plural: networkpolicies - shortNames: - - anp - singular: networkpolicy - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The Tier to which this Antrea NetworkPolicy belongs to. - jsonPath: .spec.tier - name: Tier - type: string - - description: The Priority of this Antrea NetworkPolicy relative to other policies. - format: float - jsonPath: .spec.priority - name: Priority - type: number - - description: The total number of Nodes that should realize the NetworkPolicy. - format: int32 - jsonPath: .status.desiredNodesRealized - name: Desired Nodes - type: number - - description: The number of Nodes that have realized the NetworkPolicy. 
- format: int32 - jsonPath: .status.currentNodesRealized - name: Current Nodes - type: number - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - egress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - enableLogging: - type: boolean - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - type: string - type: object - type: array - to: - items: - properties: - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - fqdn: - type: string - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - 
namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - toServices: - items: - properties: - name: - type: string - namespace: - type: string - required: - - name - type: object - type: array - required: - - action - type: object - type: array - ingress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - enableLogging: - type: boolean - from: - items: - properties: - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: 
object - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - type: string - type: object - type: array - required: - - action - type: object - type: array - priority: - format: float - maximum: 10000 - minimum: 1 - type: number - tier: - type: string - required: - - priority - type: object - status: - properties: - currentNodesRealized: - type: integer - desiredNodesRealized: - type: integer - observedGeneration: - type: integer - phase: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: networkpolicies.security.antrea.tanzu.vmware.com -spec: - group: security.antrea.tanzu.vmware.com - names: - kind: NetworkPolicy - plural: networkpolicies - shortNames: - - lanp - singular: networkpolicy - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The Tier to which this Antrea NetworkPolicy belongs to. 
- jsonPath: .spec.tier - name: Tier - type: string - - description: The Priority of this Antrea NetworkPolicy relative to other policies. - format: float - jsonPath: .spec.priority - name: Priority - type: number - - description: The total number of Nodes that should realize the NetworkPolicy. - format: int32 - jsonPath: .status.desiredNodesRealized - name: Desired Nodes - type: number - - description: The number of Nodes that have realized the NetworkPolicy. - format: int32 - jsonPath: .status.currentNodesRealized - name: Current Nodes - type: number - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - egress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - enableLogging: - type: boolean - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - type: string - type: object - type: array - to: - items: - properties: - externalEntitySelector: - properties: - 
matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - required: - - action - type: object - type: array - ingress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - enableLogging: - type: boolean - from: - items: - properties: - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: 
string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - type: string - type: object - type: array - required: - - action - type: object - type: array - priority: - format: float - maximum: 10000 - minimum: 1 - type: number - tier: - type: string - required: - - priority - type: object - status: - properties: - currentNodesRealized: - type: integer - desiredNodesRealized: - type: integer - observedGeneration: - type: integer - phase: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: tiers.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Tier - plural: 
tiers - shortNames: - - tr - singular: tier - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The Priority of this Tier relative to other Tiers. - jsonPath: .spec.priority - name: Priority - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - description: - type: string - priority: - maximum: 255 - minimum: 0 - type: integer - required: - - priority - type: object - type: object - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: tiers.security.antrea.tanzu.vmware.com -spec: - group: security.antrea.tanzu.vmware.com - names: - kind: Tier - plural: tiers - shortNames: - - ltr - singular: tier - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The Priority of this Tier relative to other Tiers. - jsonPath: .spec.priority - name: Priority - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - description: - type: string - priority: - maximum: 255 - minimum: 0 - type: integer - required: - - priority - type: object - type: object - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: traceflows.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Traceflow - plural: traceflows - shortNames: - - tf - singular: traceflow - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The phase of the Traceflow. - jsonPath: .status.phase - name: Phase - type: string - - description: The name of the source Pod. - jsonPath: .spec.source.pod - name: Source-Pod - priority: 10 - type: string - - description: The name of the destination Pod. 
- jsonPath: .spec.destination.pod - name: Destination-Pod - priority: 10 - type: string - - description: The IP address of the destination. - jsonPath: .spec.destination.ip - name: Destination-IP - priority: 10 - type: string - - description: Trace live traffic. - jsonPath: .spec.liveTraffic - name: Live-Traffic - priority: 10 - type: boolean - - description: Capture only the dropped packet. - jsonPath: .spec.droppedOnly - name: Dropped-Only - priority: 10 - type: boolean - - description: Timeout in seconds. - jsonPath: .spec.timeout - name: Timeout - priority: 10 - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - destination: - properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - namespace: - type: string - pod: - type: string - service: - type: string - type: object - droppedOnly: - type: boolean - liveTraffic: - type: boolean - packet: - properties: - ipHeader: - properties: - flags: - type: integer - protocol: - type: integer - srcIP: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - ttl: - type: integer - type: object - ipv6Header: - properties: - hopLimit: - type: integer - nextHeader: - type: integer - srcIP: - format: ipv6 - type: string - type: object - transportHeader: - properties: - icmp: - properties: - id: - type: integer - sequence: - type: integer - type: object - tcp: - properties: - dstPort: - type: integer - flags: - type: integer - srcPort: - type: integer - type: object - udp: - properties: - dstPort: - type: integer - srcPort: - type: integer - type: object - type: object - type: object - source: - properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - namespace: - type: string - pod: - type: string - type: object - timeout: - type: integer - type: object - status: - properties: - capturedPacket: - properties: - dstIP: - type: string - ipHeader: - properties: - flags: - 
type: integer - protocol: - type: integer - ttl: - type: integer - type: object - ipv6Header: - properties: - hopLimit: - type: integer - nextHeader: - type: integer - type: object - length: - type: integer - srcIP: - type: string - transportHeader: - properties: - icmp: - properties: - id: - type: integer - sequence: - type: integer - type: object - tcp: - properties: - dstPort: - type: integer - flags: - type: integer - srcPort: - type: integer - type: object - udp: - properties: - dstPort: - type: integer - srcPort: - type: integer - type: object - type: object - type: object - dataplaneTag: - type: integer - phase: - type: string - reason: - type: string - results: - items: - properties: - node: - type: string - observations: - items: - properties: - action: - type: string - component: - type: string - componentInfo: - type: string - dstMAC: - type: string - networkPolicy: - type: string - pod: - type: string - translatedDstIP: - type: string - translatedSrcIP: - type: string - ttl: - type: integer - tunnelDstIP: - type: string - type: object - type: array - role: - type: string - timestamp: - type: integer - type: object - type: array - startTime: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: traceflows.ops.antrea.tanzu.vmware.com -spec: - group: ops.antrea.tanzu.vmware.com - names: - kind: Traceflow - plural: traceflows - shortNames: - - ltf - singular: traceflow - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The phase of the Traceflow. - jsonPath: .status.phase - name: Phase - type: string - - description: The name of the source Pod. - jsonPath: .spec.source.pod - name: Source-Pod - priority: 10 - type: string - - description: The name of the destination Pod. 
- jsonPath: .spec.destination.pod - name: Destination-Pod - priority: 10 - type: string - - description: The IP address of the destination. - jsonPath: .spec.destination.ip - name: Destination-IP - priority: 10 - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - destination: - properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - namespace: - type: string - pod: - type: string - service: - type: string - type: object - packet: - properties: - ipHeader: - properties: - flags: - type: integer - protocol: - type: integer - srcIP: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - ttl: - type: integer - type: object - ipv6Header: - properties: - hopLimit: - type: integer - nextHeader: - type: integer - srcIP: - format: ipv6 - type: string - type: object - transportHeader: - properties: - icmp: - properties: - id: - type: integer - sequence: - type: integer - type: object - tcp: - properties: - dstPort: - type: integer - flags: - type: integer - srcPort: - type: integer - type: object - udp: - properties: - dstPort: - type: integer - srcPort: - type: integer - type: object - type: object - type: object - source: - properties: - namespace: - type: string - pod: - type: string - required: - - pod - - namespace - type: object - required: - - source - type: object - status: - properties: - dataplaneTag: - type: integer - phase: - type: string - reason: - type: string - results: - items: - properties: - node: - type: string - observations: - items: - properties: - action: - type: string - component: - type: string - componentInfo: - type: string - dstMAC: - type: string - networkPolicy: - type: string - pod: - type: string - translatedDstIP: - type: string - translatedSrcIP: - type: string - ttl: - type: integer - tunnelDstIP: - type: string - type: object - type: array - role: - type: string - timestamp: - type: integer - type: 
object - type: array - startTime: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: antrea - name: antctl - namespace: kube-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: antrea - name: antrea-agent - namespace: kube-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: antrea - name: antrea-controller - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: aggregate-antrea-clustergroups-edit -rules: -- apiGroups: - - core.antrea.tanzu.vmware.com - resources: - - clustergroups - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - crd.antrea.io - resources: - - clustergroups - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: aggregate-antrea-clustergroups-view -rules: -- apiGroups: - - core.antrea.tanzu.vmware.com - resources: - - clustergroups - verbs: - - get - - list - - watch -- apiGroups: - - crd.antrea.io - resources: - - clustergroups - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: aggregate-antrea-policies-edit -rules: -- apiGroups: - - security.antrea.tanzu.vmware.com - resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - crd.antrea.io - 
resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: aggregate-antrea-policies-view -rules: -- apiGroups: - - security.antrea.tanzu.vmware.com - resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - list - - watch -- apiGroups: - - crd.antrea.io - resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: aggregate-traceflows-edit -rules: -- apiGroups: - - ops.antrea.tanzu.vmware.com - resources: - - traceflows - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - crd.antrea.io - resources: - - traceflows - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: aggregate-traceflows-view -rules: -- apiGroups: - - ops.antrea.tanzu.vmware.com - resources: - - traceflows - verbs: - - get - - list - - watch -- apiGroups: - - crd.antrea.io - resources: - - traceflows - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antctl -rules: -- apiGroups: - - controlplane.antrea.tanzu.vmware.com - - controlplane.antrea.io - resources: - - networkpolicies - - appliedtogroups - - addressgroups - verbs: - - get - - list -- apiGroups: - - stats.antrea.tanzu.vmware.com - - stats.antrea.io - resources: - - networkpolicystats - - 
antreaclusternetworkpolicystats - - antreanetworkpolicystats - verbs: - - get - - list -- apiGroups: - - system.antrea.tanzu.vmware.com - - system.antrea.io - resources: - - controllerinfos - - agentinfos - verbs: - - get -- apiGroups: - - system.antrea.tanzu.vmware.com - - system.antrea.io - resources: - - supportbundles - verbs: - - get - - post -- apiGroups: - - system.antrea.tanzu.vmware.com - - system.antrea.io - resources: - - supportbundles/download - verbs: - - get -- nonResourceURLs: - - /agentinfo - - /addressgroups - - /appliedtogroups - - /loglevel - - /networkpolicies - - /ovsflows - - /ovstracing - - /podinterfaces - - /featuregates - - /serviceexternalip - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antrea-agent -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - nodes/status - verbs: - - patch -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - pods/status - verbs: - - patch -- apiGroups: - - "" - resources: - - endpoints - - services - - namespaces - verbs: - - get - - watch - - list -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - watch - - list -- apiGroups: - - clusterinformation.antrea.tanzu.vmware.com - - crd.antrea.io - resources: - - antreaagentinfos - verbs: - - get - - create - - update - - delete -- apiGroups: - - controlplane.antrea.tanzu.vmware.com - - controlplane.antrea.io - resources: - - networkpolicies - - appliedtogroups - - addressgroups - verbs: - - get - - watch - - list -- apiGroups: - - controlplane.antrea.io - resources: - - egressgroups - verbs: - - get - - watch - - list -- apiGroups: - - controlplane.antrea.tanzu.vmware.com - - controlplane.antrea.io - resources: - - nodestatssummaries - verbs: - - create -- apiGroups: - - controlplane.antrea.tanzu.vmware.com - - 
controlplane.antrea.io - resources: - - networkpolicies/status - verbs: - - create - - get -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - "" - resourceNames: - - extension-apiserver-authentication - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - "" - resourceNames: - - antrea-ca - resources: - - configmaps - verbs: - - get - - watch - - list -- apiGroups: - - ops.antrea.tanzu.vmware.com - - crd.antrea.io - resources: - - traceflows - - traceflows/status - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - egresses - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - egresses/status - verbs: - - update -- apiGroups: - - crd.antrea.io - resources: - - externalippools - - ippools - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - ippools/status - verbs: - - update -- apiGroups: - - k8s.cni.cncf.io - resources: - - network-attachment-definitions - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antrea-cluster-identity-reader -rules: -- apiGroups: - - "" - resourceNames: - - antrea-cluster-identity - resources: - - configmaps - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antrea-controller -rules: -- apiGroups: - - "" - resources: - - pods - - services - - namespaces - - configmaps - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - watch - - list - - patch -- apiGroups: - - "" - resources: - - services/status - verbs: - - update -- apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - get - - watch - 
- list -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - update -- apiGroups: - - "" - resourceNames: - - extension-apiserver-authentication - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - "" - resourceNames: - - antrea-ca - - antrea-cluster-identity - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create -- apiGroups: - - apiregistration.k8s.io - resourceNames: - - v1alpha1.stats.antrea.tanzu.vmware.com - - v1beta1.system.antrea.tanzu.vmware.com - - v1beta2.controlplane.antrea.tanzu.vmware.com - - v1alpha1.stats.antrea.io - - v1beta1.system.antrea.io - - v1beta2.controlplane.antrea.io - resources: - - apiservices - verbs: - - get - - update -- apiGroups: - - apiregistration.k8s.io - resourceNames: - - v1beta1.networking.antrea.tanzu.vmware.com - - v1beta1.controlplane.antrea.tanzu.vmware.com - resources: - - apiservices - verbs: - - delete -- apiGroups: - - admissionregistration.k8s.io - resourceNames: - - crdmutator.antrea.tanzu.vmware.com - - crdvalidator.antrea.tanzu.vmware.com - - labelsmutator.antrea.io - - crdmutator.antrea.io - - crdvalidator.antrea.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: - - get - - update -- apiGroups: - - crd.antrea.io - resources: - - antreacontrollerinfos - verbs: - - get - - create - - update - - delete -- apiGroups: - - crd.antrea.io - resources: - - antreaagentinfos - verbs: - - list - - delete -- apiGroups: - - crd.antrea.io - resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - clusternetworkpolicies/status - 
- networkpolicies/status - verbs: - - update -- apiGroups: - - crd.antrea.io - resources: - - tiers - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - traceflows - - traceflows/status - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - externalentities - - clustergroups - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - clustergroups/status - verbs: - - update -- apiGroups: - - crd.antrea.io - resources: - - egresses - verbs: - - get - - watch - - list - - update - - patch -- apiGroups: - - crd.antrea.io - resources: - - externalippools - - ippools - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - externalippools/status - - ippools/status - verbs: - - update -- apiGroups: - - apps - resources: - - statefulsets - verbs: - - get - - list - - watch -- apiGroups: - - clusterinformation.antrea.tanzu.vmware.com - resources: - - antreacontrollerinfos - verbs: - - get - - create - - update - - delete -- apiGroups: - - clusterinformation.antrea.tanzu.vmware.com - resources: - - antreaagentinfos - verbs: - - list - - delete -- apiGroups: - - security.antrea.tanzu.vmware.com - resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - security.antrea.tanzu.vmware.com - resources: - - clusternetworkpolicies/status - - networkpolicies/status - verbs: - - update -- apiGroups: - - security.antrea.tanzu.vmware.com - resources: - - tiers - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - ops.antrea.tanzu.vmware.com - resources: - - traceflows - - traceflows/status - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - 
core.antrea.tanzu.vmware.com - resources: - - externalentities - - clustergroups - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - core.antrea.tanzu.vmware.com - resources: - - clustergroups/status - verbs: - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: antrea - name: antctl - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: antctl -subjects: -- kind: ServiceAccount - name: antctl - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: antrea - name: antrea-agent -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: antrea-agent -subjects: -- kind: ServiceAccount - name: antrea-agent - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: antrea - name: antrea-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: antrea-controller -subjects: -- kind: ServiceAccount - name: antrea-controller - namespace: kube-system ---- -apiVersion: v1 -data: - antrea-agent.conf: | - # FeatureGates is a map of feature names to bools that enable or disable experimental features. - featureGates: - # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. - # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on - # Service traffic. - # AntreaProxy: true - - # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice - # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, - # this flag will not take effect. - # EndpointSlice: false - - # Enable traceflow which provides packet tracing feature to diagnose network issue. 
- # Traceflow: true - - # Enable NodePortLocal feature to make the Pods reachable externally through NodePort - # NodePortLocal: true - - # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins - # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy - # feature that supports priorities, rule actions and externalEntities in the future. - # AntreaPolicy: true - - # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each - # agent to a configured collector. - # FlowExporter: false - - # Enable collecting and exposing NetworkPolicy statistics. - # NetworkPolicyStats: true - - # Enable controlling SNAT IPs of Pod egress traffic. - # Egress: false - - # Enable flexible IPAM mode for Antrea. This mode allows to assign IP Ranges to Namespaces, - # Deployments and StatefulSets via IP Pool annotation. - # AntreaIPAM: false - - # Enable multicast traffic. This feature is supported only with noEncap mode. - # Multicast: false - - # Enable managing external IPs of Services of LoadBalancer type. - # ServiceExternalIP: false - - # Name of the OpenVSwitch bridge antrea-agent will create and use. - # Make sure it doesn't conflict with your existing OpenVSwitch bridges. - #ovsBridge: br-int - - # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: - # - system - # - netdev - # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run - # OVS in userspace mode. Userspace mode requires the tun device driver to be available. - #ovsDatapathType: system - - # Name of the interface antrea-agent will create and use for host <--> pod communication. - # Make sure it doesn't conflict with your existing interfaces. - #hostGateway: antrea-gw0 - - # Determines how traffic is encapsulated. 
It has the following options: - # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network - # traffic is SNAT'd. - # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is - # SNAT'd if noSNAT is not set to true. Underlying network must be capable of - # supporting Pod traffic across IP subnets. - # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. - # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod - # IPAM and connectivity to the primary CNI. - # - #trafficEncapMode: encap - - # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. - # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap - # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to - # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never - # performs SNAT and this option will be ignored; for other modes it must be set to false. - #noSNAT: false - - # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, - # this option will not take effect. Supported values: - # - geneve (default) - # - vxlan - # - gre - # - stt - #tunnelType: geneve - - # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. - # It has the following options: - # - none (default): Inter-node Pod traffic will not be encrypted. - # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses - # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, - # the PSK value must be passed to Antrea Agent through an environment - # variable: ANTREA_IPSEC_PSK. - # - wireGuard: Enable WireGuard for tunnel traffic encryption. 
- #trafficEncryptionMode: none - - # Default MTU to use for the host gateway interface and the network interface of each Pod. - # If omitted, antrea-agent will discover the MTU of the Node's primary interface and - # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). - #defaultMTU: 0 - - # wireGuard specifies WireGuard related configurations. - wireGuard: - # The port for WireGuard to receive traffic. - # port: 51820 - - egress: - # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. - # exceptCIDRs: [] - - # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be - # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When - # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. - #serviceCIDR: 10.96.0.0/12 - - # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack - # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by - # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. - # No default value for this field. - #serviceCIDRv6: - - # The port for the antrea-agent APIServer to serve on. - # Note that if it's set to another value, the `containerPort` of the `api` port of the - # `antrea-agent` container must be set to the same value. - #apiPort: 10350 - - # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. - #enablePrometheusMetrics: true - - # Provide the IPFIX collector address as a string with format :[][:]. - # HOST can either be the DNS name or the IP of the Flow Collector. For example, - # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect - # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. 
- # However, IPv6 address should be wrapped with []. - # If PORT is empty, we default to 4739, the standard IPFIX port. - # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and - # "udp" protocols. "tls" is used for securing communication between flow exporter and - # flow aggregator. - #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" - - # Provide flow poll interval as a duration string. This determines how often the - # flow exporter dumps connections from the conntrack module. Flow poll interval - # should be greater than or equal to 1s (one second). - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #flowPollInterval: "5s" - - # Provide the active flow export timeout, which is the timeout after which a flow - # record is sent to the collector for active flows. Thus, for flows with a continuous - # stream of packets, a flow record will be exported to the collector once the elapsed - # time since the last export event is equal to the value of this timeout. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #activeFlowExportTimeout: "30s" - - # Provide the idle flow export timeout, which is the timeout after which a flow - # record is sent to the collector for idle flows. A flow is considered idle if no - # packet matching this flow has been observed since the last export event. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #idleFlowExportTimeout: "15s" - - nodePortLocal: - # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To - # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature - # gate is also enabled (which is the default). - # enable: false - # Provide the port range used by NodePortLocal. 
When the NodePortLocal feature is enabled, a port - # from that range will be assigned whenever a Pod's container defines a specific port to be exposed - # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic - # directed to that port will be forwarded to the Pod. - # portRange: 61000-62000 - - # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. - # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. - #kubeAPIServerOverride: "" - - # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. - # https://golang.org/pkg/crypto/tls/#pkg-constants - # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always - # prefer TLS1.3 Cipher Suites whenever possible. - #tlsCipherSuites: - - # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - #tlsMinVersion: - - # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. - # If there are multiple IP addresses configured on the interface, the first one is used. The IP - # address used for tunneling or routing traffic to remote Nodes is decided in the following order of - # preference (from highest to lowest): - # 1. transportInterface - # 2. transportInterfaceCIDRs - # 3. The Node IP - #transportInterface: - - # The names of the interfaces on Nodes that are used to forward multicast traffic. - # Defaults to transport interface if not set. - #multicastInterfaces: [] - - # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across - # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The - # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of - # preference (from highest to lowest): - # 1. 
transportInterface - # 2. transportInterfaceCIDRs - # 3. The Node IP - #transportInterfaceCIDRs: [,] - - # Option antreaProxy contains AntreaProxy related configuration options. - antreaProxy: - # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, - # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy - # feature to be enabled. - # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access - # apiserver directly. - #proxyAll: false - # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. - # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. - # Note that the option is only valid when proxyAll is true. - #nodePortAddresses: [] - # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these - # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name - # with Namespace (e.g. kube-system/kube-dns) - #skipServices: [] - # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the - # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional - # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the - # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. - # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and - # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. 
- #proxyLoadBalancerIPs: true - antrea-cni.conflist: | - { - "cniVersion":"0.3.0", - "name": "antrea", - "plugins": [ - { - "type": "antrea", - "ipam": { - "type": "host-local" - } - }, - { - "type": "portmap", - "capabilities": {"portMappings": true} - }, - { - "type": "bandwidth", - "capabilities": {"bandwidth": true} - } - ] - } - antrea-controller.conf: | - # FeatureGates is a map of feature names to bools that enable or disable experimental features. - featureGates: - # Enable traceflow which provides packet tracing feature to diagnose network issue. - # Traceflow: true - - # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins - # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy - # feature that supports priorities, rule actions and externalEntities in the future. - # AntreaPolicy: true - - # Enable collecting and exposing NetworkPolicy statistics. - # NetworkPolicyStats: true - - # Enable controlling SNAT IPs of Pod egress traffic. - # Egress: false - - # Run Kubernetes NodeIPAMController with Antrea. - # NodeIPAM: false - - # Enable flexible IPAM mode for Antrea. This mode allows to assign IP Ranges to Namespaces, - # Deployments and StatefulSets via IP Pool annotation. - # AntreaIPAM: false - - # Enable managing external IPs of Services of LoadBalancer type. - # ServiceExternalIP: false - - # The port for the antrea-controller APIServer to serve on. - # Note that if it's set to another value, the `containerPort` of the `api` port of the - # `antrea-controller` container must be set to the same value. - #apiPort: 10349 - - # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. - #enablePrometheusMetrics: true - - # Indicates whether to use auto-generated self-signed TLS certificate. 
- # If false, A Secret named "antrea-controller-tls" must be provided with the following keys: - # ca.crt: - # tls.crt: - # tls.key: - # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the - # antrea-controller container. - #selfSignedCert: true - - # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. - # https://golang.org/pkg/crypto/tls/#pkg-constants - # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always - # prefer TLS1.3 Cipher Suites whenever possible. - #tlsCipherSuites: - - # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - #tlsMinVersion: - - # If Antrea is upgraded from version <= v0.13 and legacy CRDs are used, this option should be - # enabled, otherwise the CRDs created with the legacy API groups will not take any effect and - # work as expected. When the mirroring is enabled, if a legacy CRD is created with legacy API - # groups, mirroring-controller will create a new CRD with the Spec and Labels from the legacy - # CRD. Afterwards, the modification of Spec and Label in legacy CRD will be synchronized to new - # CRD automatically. In addition, the modification of Status in new CRD will also be synchronized - # to legacy CRD automatically. If a legacy CRD is deleted, the corresponding new CRD will be deleted. - # Note that: to decouple a new CRD from the corresponding legacy CRD, the legacy CRD should be - # annotated with "crd.antrea.io/stop-mirror". Afterwards, updates to the legacy CRDs will no - # longer be reflected in the new CRD, and all CRUD operations should be done through the new - # API groups. After adding the annotation, legacy CRDs can be deleted safely without impacting - # new CRDs. - #legacyCRDMirroring: true - - nodeIPAM: - # Enable the integrated Node IPAM controller within the Antrea controller. - # enableNodeIPAM: false - - # CIDR ranges for Pods in cluster. 
String array containing single CIDR range, or multiple ranges. - # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. - # Value ignored when enableNodeIPAM is false. - # clusterCIDRs: [] - - # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. - # Value ignored when enableNodeIPAM is false. - # serviceCIDR: - # serviceCIDRv6: - - # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. - # nodeCIDRMaskSizeIPv4: 24 - - # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. - # nodeCIDRMaskSizeIPv6: 64 -kind: ConfigMap -metadata: - annotations: {} - labels: - app: antrea - name: antrea-config-2k82d6f6t4 - namespace: kube-system ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: antrea - name: antrea - namespace: kube-system -spec: - ports: - - port: 443 - protocol: TCP - targetPort: api - selector: - app: antrea - component: antrea-controller ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: antrea - component: antrea-controller - name: antrea-controller - namespace: kube-system -spec: - replicas: 1 - selector: - matchLabels: - app: antrea - component: antrea-controller - strategy: - type: Recreate - template: - metadata: - labels: - app: antrea - component: antrea-controller - spec: - containers: - - args: - - --config - - /etc/antrea/antrea-controller.conf - - --logtostderr=false - - --log_dir=/var/log/antrea - - --alsologtostderr - - --log_file_max_size=100 - - --log_file_max_num=4 - - --v=0 - command: - - antrea-controller - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: 
NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: SERVICEACCOUNT_NAME - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ANTREA_CONFIG_MAP_NAME - value: antrea-config-2k82d6f6t4 - image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.5.3 - livenessProbe: - failureThreshold: 5 - httpGet: - host: localhost - path: /livez - port: api - scheme: HTTPS - periodSeconds: 10 - timeoutSeconds: 5 - name: antrea-controller - ports: - - containerPort: 10349 - name: api - protocol: TCP - readinessProbe: - failureThreshold: 5 - httpGet: - host: localhost - path: /readyz - port: api - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - resources: - requests: - cpu: 200m - volumeMounts: - - mountPath: /etc/antrea/antrea-controller.conf - name: antrea-config - readOnly: true - subPath: antrea-controller.conf - - mountPath: /var/run/antrea/antrea-controller-tls - name: antrea-controller-tls - - mountPath: /var/log/antrea - name: host-var-log-antrea - hostNetwork: true - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-cluster-critical - serviceAccountName: antrea-controller - tolerations: - - key: CriticalAddonsOnly - operator: Exists - - effect: NoSchedule - key: node-role.kubernetes.io/master - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - volumes: - - configMap: - name: antrea-config-2k82d6f6t4 - name: antrea-config - - name: antrea-controller-tls - secret: - defaultMode: 256 - optional: true - secretName: antrea-controller-tls - - hostPath: - path: /var/log/antrea - type: DirectoryOrCreate - name: host-var-log-antrea ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - labels: - app: antrea - name: v1alpha1.stats.antrea.io -spec: - group: stats.antrea.io - groupPriorityMinimum: 100 - service: - name: antrea - namespace: kube-system - version: v1alpha1 - versionPriority: 100 ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService 
-metadata: - labels: - app: antrea - name: v1alpha1.stats.antrea.tanzu.vmware.com -spec: - group: stats.antrea.tanzu.vmware.com - groupPriorityMinimum: 100 - service: - name: antrea - namespace: kube-system - version: v1alpha1 - versionPriority: 100 ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - labels: - app: antrea - name: v1beta1.system.antrea.io -spec: - group: system.antrea.io - groupPriorityMinimum: 100 - service: - name: antrea - namespace: kube-system - version: v1beta1 - versionPriority: 100 ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - labels: - app: antrea - name: v1beta1.system.antrea.tanzu.vmware.com -spec: - group: system.antrea.tanzu.vmware.com - groupPriorityMinimum: 100 - service: - name: antrea - namespace: kube-system - version: v1beta1 - versionPriority: 100 ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - labels: - app: antrea - name: v1beta2.controlplane.antrea.io -spec: - group: controlplane.antrea.io - groupPriorityMinimum: 100 - service: - name: antrea - namespace: kube-system - version: v1beta2 - versionPriority: 100 ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - labels: - app: antrea - name: v1beta2.controlplane.antrea.tanzu.vmware.com -spec: - group: controlplane.antrea.tanzu.vmware.com - groupPriorityMinimum: 100 - service: - name: antrea - namespace: kube-system - version: v1beta2 - versionPriority: 100 ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - labels: - app: antrea - component: antrea-agent - name: antrea-agent - namespace: kube-system -spec: - selector: - matchLabels: - app: antrea - component: antrea-agent - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: antrea-agent - labels: - app: antrea - component: antrea-agent - spec: - containers: - - args: - - --config - - /etc/antrea/antrea-agent.conf - - --logtostderr=false - - --log_dir=/var/log/antrea - - --alsologtostderr - - 
--log_file_max_size=100 - - --log_file_max_num=4 - - --v=0 - command: - - antrea-agent - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.5.3 - livenessProbe: - exec: - command: - - /bin/sh - - -c - - container_liveness_probe agent - failureThreshold: 5 - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - name: antrea-agent - ports: - - containerPort: 10350 - name: api - protocol: TCP - readinessProbe: - failureThreshold: 8 - httpGet: - host: localhost - path: /readyz - port: api - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - resources: - requests: - cpu: 200m - securityContext: - privileged: true - volumeMounts: - - mountPath: /etc/antrea/antrea-agent.conf - name: antrea-config - readOnly: true - subPath: antrea-agent.conf - - mountPath: /var/run/antrea - name: host-var-run-antrea - - mountPath: /var/run/openvswitch - name: host-var-run-antrea - subPath: openvswitch - - mountPath: /var/lib/cni - name: host-var-run-antrea - subPath: cni - - mountPath: /var/log/antrea - name: host-var-log-antrea - - mountPath: /host/proc - name: host-proc - readOnly: true - - mountPath: /host/var/run/netns - mountPropagation: HostToContainer - name: host-var-run-netns - readOnly: true - - mountPath: /run/xtables.lock - name: xtables-lock - - args: - - --log_file_max_size=100 - - --log_file_max_num=4 - command: - - start_ovs - image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.5.3 - livenessProbe: - exec: - command: - - /bin/sh - - -c - - timeout 10 container_liveness_probe ovs - failureThreshold: 5 - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 10 - name: antrea-ovs - resources: - requests: - cpu: 200m - securityContext: - capabilities: - add: - - SYS_NICE - - NET_ADMIN - 
- SYS_ADMIN - - IPC_LOCK - volumeMounts: - - mountPath: /var/run/openvswitch - name: host-var-run-antrea - subPath: openvswitch - - mountPath: /var/log/openvswitch - name: host-var-log-antrea - subPath: openvswitch - dnsPolicy: ClusterFirstWithHostNet - hostNetwork: true - initContainers: - - command: - - install_cni - image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.5.3 - name: install-cni - resources: - requests: - cpu: 100m - securityContext: - capabilities: - add: - - SYS_MODULE - volumeMounts: - - mountPath: /etc/antrea/antrea-cni.conflist - name: antrea-config - readOnly: true - subPath: antrea-cni.conflist - - mountPath: /host/etc/cni/net.d - name: host-cni-conf - - mountPath: /host/opt/cni/bin - name: host-cni-bin - - mountPath: /lib/modules - name: host-lib-modules - readOnly: true - - mountPath: /var/run/antrea - name: host-var-run-antrea - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-node-critical - serviceAccountName: antrea-agent - tolerations: - - key: CriticalAddonsOnly - operator: Exists - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - volumes: - - configMap: - name: antrea-config-2k82d6f6t4 - name: antrea-config - - hostPath: - path: /etc/cni/net.d - name: host-cni-conf - - hostPath: - path: /opt/cni/bin - name: host-cni-bin - - hostPath: - path: /proc - name: host-proc - - hostPath: - path: /var/run/netns - name: host-var-run-netns - - hostPath: - path: /var/run/antrea - type: DirectoryOrCreate - name: host-var-run-antrea - - hostPath: - path: /var/log/antrea - type: DirectoryOrCreate - name: host-var-log-antrea - - hostPath: - path: /lib/modules - name: host-lib-modules - - hostPath: - path: /run/xtables.lock - type: FileOrCreate - name: xtables-lock - updateStrategy: - type: RollingUpdate ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - labels: - app: antrea - name: crdmutator.antrea.io -webhooks: -- admissionReviewVersions: - 
- v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /mutate/acnp - name: acnpmutator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusternetworkpolicies - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /mutate/anp - name: anpmutator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - networkpolicies - scope: Namespaced - sideEffects: None - timeoutSeconds: 5 ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - labels: - app: antrea - name: crdmutator.antrea.tanzu.vmware.com -webhooks: -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /mutate/acnp - name: acnpmutator.antrea.tanzu.vmware.com - rules: - - apiGroups: - - security.antrea.tanzu.vmware.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusternetworkpolicies - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /mutate/anp - name: anpmutator.antrea.tanzu.vmware.com - rules: - - apiGroups: - - security.antrea.tanzu.vmware.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - networkpolicies - scope: Namespaced - sideEffects: None - timeoutSeconds: 5 ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - app: antrea - name: crdvalidator.antrea.io -webhooks: -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/tier - name: 
tiervalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - - DELETE - resources: - - tiers - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/acnp - name: acnpvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusternetworkpolicies - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/anp - name: anpvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - networkpolicies - scope: Namespaced - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/clustergroup - name: clustergroupvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha3 - - v1alpha2 - operations: - - CREATE - - UPDATE - resources: - - clustergroups - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/externalippool - name: externalippoolvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha2 - operations: - - UPDATE - resources: - - externalippools - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/egress - name: egressvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha2 - operations: - - CREATE - - 
UPDATE - resources: - - egresses - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/ippool - name: ippoolvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha2 - operations: - - UPDATE - - DELETE - resources: - - ippools - scope: Cluster - sideEffects: None - timeoutSeconds: 5 ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - app: antrea - name: crdvalidator.antrea.tanzu.vmware.com -webhooks: -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/tier - name: tiervalidator.antrea.tanzu.vmware.com - rules: - - apiGroups: - - security.antrea.tanzu.vmware.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - - DELETE - resources: - - tiers - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/acnp - name: acnpvalidator.antrea.tanzu.vmware.com - rules: - - apiGroups: - - security.antrea.tanzu.vmware.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusternetworkpolicies - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/anp - name: anpvalidator.antrea.tanzu.vmware.com - rules: - - apiGroups: - - security.antrea.tanzu.vmware.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - networkpolicies - scope: Namespaced - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/clustergroup - name: 
clustergroupvalidator.antrea.tanzu.vmware.com - rules: - - apiGroups: - - core.antrea.tanzu.vmware.com - apiVersions: - - v1alpha2 - operations: - - CREATE - - UPDATE - - DELETE - resources: - - clustergroups - scope: Cluster - sideEffects: None - timeoutSeconds: 5 diff --git a/test/integration/testdata/kube-flannel.yaml b/test/integration/testdata/kube-flannel.yaml new file mode 100644 index 0000000000..e5b98de1ff --- /dev/null +++ b/test/integration/testdata/kube-flannel.yaml 
@@ -0,0 +1,248 @@ +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: psp.flannel.unprivileged + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default + seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default + apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default +spec: + privileged: false + volumes: + - configMap + - secret + - emptyDir + - hostPath + allowedHostPaths: + - pathPrefix: "/etc/cni/net.d" + - pathPrefix: "/etc/kube-flannel" + - pathPrefix: "/run/flannel" + readOnlyRootFilesystem: false + # Users and groups + runAsUser: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + fsGroup: + rule: RunAsAny + # Privilege Escalation + allowPrivilegeEscalation: false + defaultAllowPrivilegeEscalation: false + # Capabilities + allowedCapabilities: ['NET_ADMIN', 'NET_RAW'] + defaultAddCapabilities: [] + requiredDropCapabilities: [] + # Host namespaces + hostPID: false + hostIPC: false + hostNetwork: true + hostPorts: + - min: 0 + max: 65535 + # SELinux + seLinux: + # SELinux is unused in CaaSP + rule: 'RunAsAny' +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: flannel +rules: +- apiGroups: ['extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: ['psp.flannel.unprivileged'] +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - "" + resources: + - nodes + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes/status + verbs: + - patch +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: flannel +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: flannel +subjects: +- kind: ServiceAccount + name: flannel + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: flannel + namespace: kube-system +--- 
+kind: ConfigMap +apiVersion: v1 +metadata: + name: kube-flannel-cfg + namespace: kube-system + labels: + tier: node + app: flannel +data: + cni-conf.json: | + { + "name": "cbr0", + "cniVersion": "0.3.1", + "plugins": [ + { + "type": "flannel", + "delegate": { + "hairpinMode": true, + "isDefaultGateway": true + } + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } + } + ] + } + net-conf.json: | + { + "Network": "10.244.0.0/16", + "Backend": { + "Type": "vxlan" + } + } +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: kube-flannel-ds + namespace: kube-system + labels: + tier: node + app: flannel +spec: + selector: + matchLabels: + app: flannel + template: + metadata: + labels: + tier: node + app: flannel + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - linux + hostNetwork: true + priorityClassName: system-node-critical + tolerations: + - operator: Exists + effect: NoSchedule + serviceAccountName: flannel + initContainers: + - name: install-cni-plugin + #image: flannelcni/flannel-cni-plugin:v1.0.1 for ppc64le and mips64le (dockerhub limitations may apply) + image: rancher/mirrored-flannelcni-flannel-cni-plugin:v1.0.1 + command: + - cp + args: + - -f + - /flannel + - /opt/cni/bin/flannel + volumeMounts: + - name: cni-plugin + mountPath: /opt/cni/bin + - name: install-cni + #image: flannelcni/flannel:v0.17.0 for ppc64le and mips64le (dockerhub limitations may apply) + image: rancher/mirrored-flannelcni-flannel:v0.17.0 + command: + - cp + args: + - -f + - /etc/kube-flannel/cni-conf.json + - /etc/cni/net.d/10-flannel.conflist + volumeMounts: + - name: cni + mountPath: /etc/cni/net.d + - name: flannel-cfg + mountPath: /etc/kube-flannel/ + containers: + - name: kube-flannel + #image: flannelcni/flannel:v0.17.0 for ppc64le and mips64le (dockerhub limitations may apply) + image: 
rancher/mirrored-flannelcni-flannel:v0.17.0 + command: + - /opt/bin/flanneld + args: + - --ip-masq + - --kube-subnet-mgr + resources: + requests: + cpu: "100m" + memory: "50Mi" + limits: + cpu: "100m" + memory: "50Mi" + securityContext: + privileged: false + capabilities: + add: ["NET_ADMIN", "NET_RAW"] + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: EVENT_QUEUE_DEPTH + value: "5000" + volumeMounts: + - name: run + mountPath: /run/flannel + - name: flannel-cfg + mountPath: /etc/kube-flannel/ + - name: xtables-lock + mountPath: /run/xtables.lock + volumes: + - name: run + hostPath: + path: /run/flannel + - name: cni-plugin + hostPath: + path: /opt/cni/bin + - name: cni + hostPath: + path: /etc/cni/net.d + - name: flannel-cfg + configMap: + name: kube-flannel-cfg + - name: xtables-lock + hostPath: + path: /run/xtables.lock + type: FileOrCreate
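Review bot: The `PodSecurityPolicy` at the top of this fixture (`apiVersion: policy/v1beta1`, plus the ClusterRole rule granting `use` on `podsecuritypolicies` in the `extensions` group) ties the custom-flannel test to an API that is deprecated since Kubernetes 1.21 and removed in 1.25, and the `extensions` group has not served PSP since 1.16, so the test will stop applying cleanly as soon as the default Kubernetes version is bumped. Since the test only needs a working CNI, consider dropping the PSP object and its `use` rule (or at minimum changing the rule's apiGroup to `policy`) so `TestNetworkPlugins` does not break on newer clusters. Note also that the PSP's `allowedHostPaths` lists only `/etc/cni/net.d`, `/etc/kube-flannel` and `/run/flannel`, while the DaemonSet mounts hostPath volumes for `/opt/cni/bin` and `/run/xtables.lock` as well, so the fixture is internally inconsistent: on a cluster that actually enforced this PSP the pods would be rejected. The container images are pinned by tag only (`rancher/mirrored-flannelcni-flannel:v0.17.0`, `rancher/mirrored-flannelcni-flannel-cni-plugin:v1.0.1`); for a fixture CI pulls on every run, a digest pin would keep the test reproducible if a tag is re-pushed.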