diff --git a/test/integration/net_test.go b/test/integration/net_test.go
index 93e2666b47..4556172302 100644
--- a/test/integration/net_test.go
+++ b/test/integration/net_test.go
@@ -61,7 +61,7 @@ func TestNetworkPlugins(t *testing.T) {
 {"flannel", []string{"--cni=flannel"}, "cni", "app=flannel", true},
 {"kindnet", []string{"--cni=kindnet"}, "cni", "app=kindnet", true},
 {"false", []string{"--cni=false"}, "", "", false},
-{"custom-antrea", []string{fmt.Sprintf("--cni=%s", filepath.Join(*testdataDir, "antrea.yaml"))}, "cni", "", true},
+{"custom-flannel", []string{fmt.Sprintf("--cni=%s", filepath.Join(*testdataDir, "kube-flannel.yaml"))}, "cni", "", true},
 {"calico", []string{"--cni=calico"}, "cni", "k8s-app=calico-node", true},
 {"cilium", []string{"--cni=cilium"}, "cni", "k8s-app=cilium", true},
 }
diff --git a/test/integration/testdata/antrea.yaml b/test/integration/testdata/antrea.yaml
deleted file mode 100644
index beb5bab289..0000000000
--- a/test/integration/testdata/antrea.yaml
+++ /dev/null
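Review bot: The new `custom-flannel` row keeps an empty string in its fourth column, while the built-in `flannel` row three lines above uses `"app=flannel"`; if that column is the pod label selector the test waits on (as the other rows suggest), the custom-manifest case never verifies that the flannel pods installed from the checked-in manifest actually become ready, so a broken or stale `kube-flannel.yaml` would still pass. If the vendored manifest labels its DaemonSet pods the same way, the row should be `{"custom-flannel", []string{fmt.Sprintf("--cni=%s", filepath.Join(*testdataDir, "kube-flannel.yaml"))}, "cni", "app=flannel", true},`. The `kube-flannel.yaml` testdata file this row now depends on is not in the visible part of the diff; as a vendored third-party manifest it should carry pinned image references so the integration run stays reproducible and auditable. The enclosing TestNetworkPlugins function starts and ends outside the hunk.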
@@ -1,5137 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: antreaagentinfos.clusterinformation.antrea.tanzu.vmware.com -spec: - group: clusterinformation.antrea.tanzu.vmware.com - names: - kind: AntreaAgentInfo - plural: antreaagentinfos - shortNames: - - laai - singular: antreaagentinfo - scope: Cluster - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: antreaagentinfos.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: AntreaAgentInfo - plural: antreaagentinfos - shortNames: - - aai - singular: antreaagentinfo - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Health status of this Agent - jsonPath: .agentConditions[?(@.type=='AgentHealthy')].status - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: .agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime - name: Last Heartbeat - type: date - - description: Version of this Agent - jsonPath: .version - name: Version - priority: 1 - type: string - - description: Node on which this Agent is running - jsonPath: .nodeRef.name - name: Node - priority: 1 - type: string - - description: Number of local Pods managed by this Agent - jsonPath: .localPodNum - name: Num Pods - priority: 2 - type: integer - - description: Subnets used by this Agent for Pod IPAM - jsonPath: .nodeSubnets - name: Subnets - priority: 2 - type: string - name: v1beta1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: antreacontrollerinfos.clusterinformation.antrea.tanzu.vmware.com -spec: - 
group: clusterinformation.antrea.tanzu.vmware.com - names: - kind: AntreaControllerInfo - plural: antreacontrollerinfos - shortNames: - - laci - singular: antreacontrollerinfo - scope: Cluster - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: antreacontrollerinfos.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: AntreaControllerInfo - plural: antreacontrollerinfos - shortNames: - - aci - singular: antreacontrollerinfo - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Health status of the Controller - jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].status - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: .controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime - name: Last Heartbeat - type: date - - description: Version of the Controller - jsonPath: .version - name: Version - priority: 1 - type: string - - description: Number of Agents connected to the Controller - jsonPath: .connectedAgentNum - name: Connected Agents - priority: 1 - type: integer - - description: Node on which the Controller is running - jsonPath: .nodeRef.name - name: Node - priority: 1 - type: string - - description: Number of Network Policies computed by Controller - jsonPath: .networkPolicyControllerInfo.networkPolicyNum - name: Num Network Policies - priority: 2 - type: integer - name: v1beta1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: clustergroups.core.antrea.tanzu.vmware.com -spec: - group: core.antrea.tanzu.vmware.com - names: - kind: ClusterGroup - plural: 
clustergroups - shortNames: - - lcg - singular: group - scope: Cluster - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - childGroups: - items: - type: string - type: array - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - ipBlocks: - items: - properties: - cidr: - format: cidr - type: string - type: object - type: array - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceReference: - properties: - name: - type: string - namespace: - type: string - type: object - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - type: string - status: - type: string - type: - type: string - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: 
CustomResourceDefinition -metadata: - labels: - app: antrea - name: clustergroups.crd.antrea.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: antrea - namespace: kube-system - path: /convert/clustergroup - conversionReviewVersions: - - v1 - - v1beta1 - group: crd.antrea.io - names: - kind: ClusterGroup - plural: clustergroups - shortNames: - - cg - singular: clustergroup - scope: Cluster - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - childGroups: - items: - type: string - type: array - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - ipBlocks: - items: - properties: - cidr: - format: cidr - type: string - type: object - type: array - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceReference: - properties: - name: - type: string - namespace: - 
type: string - type: object - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - type: string - status: - type: string - type: - type: string - type: object - type: array - type: object - type: object - served: true - storage: false - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - properties: - childGroups: - items: - type: string - type: array - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - ipBlocks: - items: - properties: - cidr: - format: cidr - type: string - type: object - type: array - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - serviceReference: - properties: - name: - type: string - namespace: - type: string - type: object - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - type: string - status: - type: string - type: - type: string - type: object - type: array - type: object - type: 
object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: clusternetworkpolicies.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ClusterNetworkPolicy - plural: clusternetworkpolicies - shortNames: - - acnp - singular: clusternetworkpolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The Tier to which this ClusterNetworkPolicy belongs to. - jsonPath: .spec.tier - name: Tier - type: string - - description: The Priority of this ClusterNetworkPolicy relative to other policies. - format: float - jsonPath: .spec.priority - name: Priority - type: number - - description: The total number of Nodes that should realize the NetworkPolicy. - format: int32 - jsonPath: .status.desiredNodesRealized - name: Desired Nodes - type: number - - description: The number of Nodes that have realized the NetworkPolicy. - format: int32 - jsonPath: .status.currentNodesRealized - name: Current Nodes - type: number - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - 
x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - egress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - enableLogging: - type: boolean - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - type: string - type: object - type: array - to: - items: - properties: - fqdn: - type: string - group: - type: string - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: - properties: - match: - type: string - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - 
- NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - toServices: - items: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: array - required: - - action - type: object - type: array - ingress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - enableLogging: - type: boolean - from: - items: - properties: - group: - type: string - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true 
- type: object - namespaces: - properties: - match: - enum: - - Self - type: string - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - type: string - type: object - type: array - required: - - action - type: object - type: array - priority: - format: float - maximum: 10000 - minimum: 1 - type: number - tier: - type: string - required: - - priority - type: object - status: - properties: - currentNodesRealized: - type: integer - desiredNodesRealized: - type: integer - observedGeneration: - type: integer - phase: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: clusternetworkpolicies.security.antrea.tanzu.vmware.com -spec: - group: security.antrea.tanzu.vmware.com - names: - kind: ClusterNetworkPolicy - plural: clusternetworkpolicies - shortNames: - - lacnp - singular: clusternetworkpolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The Tier to which this ClusterNetworkPolicy belongs to. - jsonPath: .spec.tier - name: Tier - type: string - - description: The Priority of this ClusterNetworkPolicy relative to other policies. - format: float - jsonPath: .spec.priority - name: Priority - type: number - - description: The total number of Nodes that should realize the NetworkPolicy. 
- format: int32 - jsonPath: .status.desiredNodesRealized - name: Desired Nodes - type: number - - description: The number of Nodes that have realized the NetworkPolicy. - format: int32 - jsonPath: .status.currentNodesRealized - name: Current Nodes - type: number - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - egress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: 
string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - enableLogging: - type: boolean - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - type: string - type: object - type: array - to: - items: - properties: - group: - type: string - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: - properties: - match: - type: string - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - required: - - action - type: object - type: array - ingress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - group: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - 
matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - enableLogging: - type: boolean - from: - items: - properties: - group: - type: string - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: - properties: - match: - type: string - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - type: string - type: object - type: array - required: - - action - type: object - type: array - priority: - format: float - maximum: 10000 - minimum: 1 - type: number - tier: - type: string - required: - - priority - type: object - status: - properties: - currentNodesRealized: - type: integer - desiredNodesRealized: - type: integer - 
observedGeneration: - type: integer - phase: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: egresses.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Egress - plural: egresses - shortNames: - - eg - singular: egress - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Specifies the SNAT IP address for the selected workloads. - jsonPath: .spec.egressIP - name: EgressIP - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The Owner Node of egress IP - jsonPath: .status.egressNode - name: Node - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - anyOf: - - required: - - egressIP - - required: - - externalIPPool - properties: - appliedTo: - properties: - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - egressIP: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - externalIPPool: - type: string - required: - - appliedTo - type: object - status: - properties: - egressNode: - type: string - type: object - required: - - spec - type: object - served: true - 
storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalentities.core.antrea.tanzu.vmware.com -spec: - group: core.antrea.tanzu.vmware.com - names: - kind: ExternalEntity - plural: externalentities - shortNames: - - lee - singular: externalentity - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - endpoints: - items: - properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - name: - type: string - type: object - type: array - externalNode: - type: string - ports: - items: - properties: - name: - type: string - port: - x-kubernetes-int-or-string: true - protocol: - type: string - type: object - type: array - type: object - type: object - served: true - storage: true - - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - served: false - storage: false ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: externalentities.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ExternalEntity - plural: externalentities - shortNames: - - ee - singular: externalentity - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - endpoints: - items: - properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - name: - type: string - type: object - type: array - externalNode: - type: string - ports: - items: - properties: - name: - type: string - port: - x-kubernetes-int-or-string: true - protocol: - type: string - type: object - type: array - type: object - type: object - served: true - storage: true - - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - served: false - storage: false ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: 
externalippools.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: ExternalIPPool - plural: externalippools - shortNames: - - eip - singular: externalippool - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of allocated IPs - jsonPath: .status.usage.used - name: Used - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - ipRanges: - items: - oneOf: - - required: - - cidr - - required: - - start - - end - properties: - cidr: - format: cidr - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - start: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - type: object - type: array - nodeSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - required: - - ipRanges - - nodeSelector - type: object - status: - properties: - usage: - properties: - total: - type: integer - used: - type: integer - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: ippools.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: IPPool - plural: ippools - shortNames: - - ipp - singular: ippool - scope: Cluster - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - ipRanges: - items: - oneOf: - - required: - - cidr - - gateway - - prefixLength - - 
required: - - start - - end - - gateway - - prefixLength - properties: - cidr: - format: cidr - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - gateway: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - prefixLength: - type: integer - start: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - vlan: - type: string - type: object - type: array - ipVersion: - type: integer - required: - - ipVersion - - ipRanges - type: object - status: - properties: - ipAddresses: - items: - properties: - ipAddress: - type: string - owner: - properties: - pod: - properties: - containerID: - type: string - name: - type: string - namespace: - type: string - type: object - statefulSet: - properties: - index: - type: integer - name: - type: string - namespace: - type: string - type: object - type: object - phase: - type: string - type: object - type: array - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: networkpolicies.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: NetworkPolicy - plural: networkpolicies - shortNames: - - anp - singular: networkpolicy - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The Tier to which this Antrea NetworkPolicy belongs to. - jsonPath: .spec.tier - name: Tier - type: string - - description: The Priority of this Antrea NetworkPolicy relative to other policies. - format: float - jsonPath: .spec.priority - name: Priority - type: number - - description: The total number of Nodes that should realize the NetworkPolicy. - format: int32 - jsonPath: .status.desiredNodesRealized - name: Desired Nodes - type: number - - description: The number of Nodes that have realized the NetworkPolicy. 
- format: int32 - jsonPath: .status.currentNodesRealized - name: Current Nodes - type: number - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - egress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - enableLogging: - type: boolean - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - type: string - type: object - type: array - to: - items: - properties: - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - fqdn: - type: string - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - 
namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - toServices: - items: - properties: - name: - type: string - namespace: - type: string - required: - - name - type: object - type: array - required: - - action - type: object - type: array - ingress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - enableLogging: - type: boolean - from: - items: - properties: - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: 
object - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - type: string - type: object - type: array - required: - - action - type: object - type: array - priority: - format: float - maximum: 10000 - minimum: 1 - type: number - tier: - type: string - required: - - priority - type: object - status: - properties: - currentNodesRealized: - type: integer - desiredNodesRealized: - type: integer - observedGeneration: - type: integer - phase: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: networkpolicies.security.antrea.tanzu.vmware.com -spec: - group: security.antrea.tanzu.vmware.com - names: - kind: NetworkPolicy - plural: networkpolicies - shortNames: - - lanp - singular: networkpolicy - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The Tier to which this Antrea NetworkPolicy belongs to. 
- jsonPath: .spec.tier - name: Tier - type: string - - description: The Priority of this Antrea NetworkPolicy relative to other policies. - format: float - jsonPath: .spec.priority - name: Priority - type: number - - description: The total number of Nodes that should realize the NetworkPolicy. - format: int32 - jsonPath: .status.desiredNodesRealized - name: Desired Nodes - type: number - - description: The number of Nodes that have realized the NetworkPolicy. - format: int32 - jsonPath: .status.currentNodesRealized - name: Current Nodes - type: number - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - egress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - enableLogging: - type: boolean - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - type: string - type: object - type: array - to: - items: - properties: - externalEntitySelector: - properties: - 
matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - required: - - action - type: object - type: array - ingress: - items: - properties: - action: - enum: - - Allow - - Drop - - Reject - - Pass - type: string - appliedTo: - items: - properties: - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - enableLogging: - type: boolean - from: - items: - properties: - externalEntitySelector: - properties: - matchExpressions: - items: - properties: - key: - type: 
string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - ipBlock: - properties: - cidr: - format: cidr - type: string - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - name: - type: string - ports: - items: - properties: - endPort: - type: integer - port: - x-kubernetes-int-or-string: true - protocol: - type: string - type: object - type: array - required: - - action - type: object - type: array - priority: - format: float - maximum: 10000 - minimum: 1 - type: number - tier: - type: string - required: - - priority - type: object - status: - properties: - currentNodesRealized: - type: integer - desiredNodesRealized: - type: integer - observedGeneration: - type: integer - phase: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: tiers.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Tier - plural: 
tiers - shortNames: - - tr - singular: tier - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The Priority of this Tier relative to other Tiers. - jsonPath: .spec.priority - name: Priority - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - description: - type: string - priority: - maximum: 255 - minimum: 0 - type: integer - required: - - priority - type: object - type: object - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: tiers.security.antrea.tanzu.vmware.com -spec: - group: security.antrea.tanzu.vmware.com - names: - kind: Tier - plural: tiers - shortNames: - - ltr - singular: tier - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The Priority of this Tier relative to other Tiers. - jsonPath: .spec.priority - name: Priority - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - description: - type: string - priority: - maximum: 255 - minimum: 0 - type: integer - required: - - priority - type: object - type: object - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: traceflows.crd.antrea.io -spec: - group: crd.antrea.io - names: - kind: Traceflow - plural: traceflows - shortNames: - - tf - singular: traceflow - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The phase of the Traceflow. - jsonPath: .status.phase - name: Phase - type: string - - description: The name of the source Pod. - jsonPath: .spec.source.pod - name: Source-Pod - priority: 10 - type: string - - description: The name of the destination Pod. 
- jsonPath: .spec.destination.pod - name: Destination-Pod - priority: 10 - type: string - - description: The IP address of the destination. - jsonPath: .spec.destination.ip - name: Destination-IP - priority: 10 - type: string - - description: Trace live traffic. - jsonPath: .spec.liveTraffic - name: Live-Traffic - priority: 10 - type: boolean - - description: Capture only the dropped packet. - jsonPath: .spec.droppedOnly - name: Dropped-Only - priority: 10 - type: boolean - - description: Timeout in seconds. - jsonPath: .spec.timeout - name: Timeout - priority: 10 - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - destination: - properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - namespace: - type: string - pod: - type: string - service: - type: string - type: object - droppedOnly: - type: boolean - liveTraffic: - type: boolean - packet: - properties: - ipHeader: - properties: - flags: - type: integer - protocol: - type: integer - srcIP: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - ttl: - type: integer - type: object - ipv6Header: - properties: - hopLimit: - type: integer - nextHeader: - type: integer - srcIP: - format: ipv6 - type: string - type: object - transportHeader: - properties: - icmp: - properties: - id: - type: integer - sequence: - type: integer - type: object - tcp: - properties: - dstPort: - type: integer - flags: - type: integer - srcPort: - type: integer - type: object - udp: - properties: - dstPort: - type: integer - srcPort: - type: integer - type: object - type: object - type: object - source: - properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - namespace: - type: string - pod: - type: string - type: object - timeout: - type: integer - type: object - status: - properties: - capturedPacket: - properties: - dstIP: - type: string - ipHeader: - properties: - flags: - 
type: integer - protocol: - type: integer - ttl: - type: integer - type: object - ipv6Header: - properties: - hopLimit: - type: integer - nextHeader: - type: integer - type: object - length: - type: integer - srcIP: - type: string - transportHeader: - properties: - icmp: - properties: - id: - type: integer - sequence: - type: integer - type: object - tcp: - properties: - dstPort: - type: integer - flags: - type: integer - srcPort: - type: integer - type: object - udp: - properties: - dstPort: - type: integer - srcPort: - type: integer - type: object - type: object - type: object - dataplaneTag: - type: integer - phase: - type: string - reason: - type: string - results: - items: - properties: - node: - type: string - observations: - items: - properties: - action: - type: string - component: - type: string - componentInfo: - type: string - dstMAC: - type: string - networkPolicy: - type: string - pod: - type: string - translatedDstIP: - type: string - translatedSrcIP: - type: string - ttl: - type: integer - tunnelDstIP: - type: string - type: object - type: array - role: - type: string - timestamp: - type: integer - type: object - type: array - startTime: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: antrea - name: traceflows.ops.antrea.tanzu.vmware.com -spec: - group: ops.antrea.tanzu.vmware.com - names: - kind: Traceflow - plural: traceflows - shortNames: - - ltf - singular: traceflow - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The phase of the Traceflow. - jsonPath: .status.phase - name: Phase - type: string - - description: The name of the source Pod. - jsonPath: .spec.source.pod - name: Source-Pod - priority: 10 - type: string - - description: The name of the destination Pod. 
- jsonPath: .spec.destination.pod - name: Destination-Pod - priority: 10 - type: string - - description: The IP address of the destination. - jsonPath: .spec.destination.ip - name: Destination-IP - priority: 10 - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - destination: - properties: - ip: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - namespace: - type: string - pod: - type: string - service: - type: string - type: object - packet: - properties: - ipHeader: - properties: - flags: - type: integer - protocol: - type: integer - srcIP: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - ttl: - type: integer - type: object - ipv6Header: - properties: - hopLimit: - type: integer - nextHeader: - type: integer - srcIP: - format: ipv6 - type: string - type: object - transportHeader: - properties: - icmp: - properties: - id: - type: integer - sequence: - type: integer - type: object - tcp: - properties: - dstPort: - type: integer - flags: - type: integer - srcPort: - type: integer - type: object - udp: - properties: - dstPort: - type: integer - srcPort: - type: integer - type: object - type: object - type: object - source: - properties: - namespace: - type: string - pod: - type: string - required: - - pod - - namespace - type: object - required: - - source - type: object - status: - properties: - dataplaneTag: - type: integer - phase: - type: string - reason: - type: string - results: - items: - properties: - node: - type: string - observations: - items: - properties: - action: - type: string - component: - type: string - componentInfo: - type: string - dstMAC: - type: string - networkPolicy: - type: string - pod: - type: string - translatedDstIP: - type: string - translatedSrcIP: - type: string - ttl: - type: integer - tunnelDstIP: - type: string - type: object - type: array - role: - type: string - timestamp: - type: integer - type: 
object - type: array - startTime: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: antrea - name: antctl - namespace: kube-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: antrea - name: antrea-agent - namespace: kube-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: antrea - name: antrea-controller - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: aggregate-antrea-clustergroups-edit -rules: -- apiGroups: - - core.antrea.tanzu.vmware.com - resources: - - clustergroups - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - crd.antrea.io - resources: - - clustergroups - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: aggregate-antrea-clustergroups-view -rules: -- apiGroups: - - core.antrea.tanzu.vmware.com - resources: - - clustergroups - verbs: - - get - - list - - watch -- apiGroups: - - crd.antrea.io - resources: - - clustergroups - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: aggregate-antrea-policies-edit -rules: -- apiGroups: - - security.antrea.tanzu.vmware.com - resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - crd.antrea.io - 
resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: aggregate-antrea-policies-view -rules: -- apiGroups: - - security.antrea.tanzu.vmware.com - resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - list - - watch -- apiGroups: - - crd.antrea.io - resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: aggregate-traceflows-edit -rules: -- apiGroups: - - ops.antrea.tanzu.vmware.com - resources: - - traceflows - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - crd.antrea.io - resources: - - traceflows - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: aggregate-traceflows-view -rules: -- apiGroups: - - ops.antrea.tanzu.vmware.com - resources: - - traceflows - verbs: - - get - - list - - watch -- apiGroups: - - crd.antrea.io - resources: - - traceflows - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antctl -rules: -- apiGroups: - - controlplane.antrea.tanzu.vmware.com - - controlplane.antrea.io - resources: - - networkpolicies - - appliedtogroups - - addressgroups - verbs: - - get - - list -- apiGroups: - - stats.antrea.tanzu.vmware.com - - stats.antrea.io - resources: - - networkpolicystats - - 
antreaclusternetworkpolicystats - - antreanetworkpolicystats - verbs: - - get - - list -- apiGroups: - - system.antrea.tanzu.vmware.com - - system.antrea.io - resources: - - controllerinfos - - agentinfos - verbs: - - get -- apiGroups: - - system.antrea.tanzu.vmware.com - - system.antrea.io - resources: - - supportbundles - verbs: - - get - - post -- apiGroups: - - system.antrea.tanzu.vmware.com - - system.antrea.io - resources: - - supportbundles/download - verbs: - - get -- nonResourceURLs: - - /agentinfo - - /addressgroups - - /appliedtogroups - - /loglevel - - /networkpolicies - - /ovsflows - - /ovstracing - - /podinterfaces - - /featuregates - - /serviceexternalip - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antrea-agent -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - nodes/status - verbs: - - patch -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - pods/status - verbs: - - patch -- apiGroups: - - "" - resources: - - endpoints - - services - - namespaces - verbs: - - get - - watch - - list -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - watch - - list -- apiGroups: - - clusterinformation.antrea.tanzu.vmware.com - - crd.antrea.io - resources: - - antreaagentinfos - verbs: - - get - - create - - update - - delete -- apiGroups: - - controlplane.antrea.tanzu.vmware.com - - controlplane.antrea.io - resources: - - networkpolicies - - appliedtogroups - - addressgroups - verbs: - - get - - watch - - list -- apiGroups: - - controlplane.antrea.io - resources: - - egressgroups - verbs: - - get - - watch - - list -- apiGroups: - - controlplane.antrea.tanzu.vmware.com - - controlplane.antrea.io - resources: - - nodestatssummaries - verbs: - - create -- apiGroups: - - controlplane.antrea.tanzu.vmware.com - - 
controlplane.antrea.io - resources: - - networkpolicies/status - verbs: - - create - - get -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - "" - resourceNames: - - extension-apiserver-authentication - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - "" - resourceNames: - - antrea-ca - resources: - - configmaps - verbs: - - get - - watch - - list -- apiGroups: - - ops.antrea.tanzu.vmware.com - - crd.antrea.io - resources: - - traceflows - - traceflows/status - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - egresses - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - egresses/status - verbs: - - update -- apiGroups: - - crd.antrea.io - resources: - - externalippools - - ippools - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - ippools/status - verbs: - - update -- apiGroups: - - k8s.cni.cncf.io - resources: - - network-attachment-definitions - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antrea-cluster-identity-reader -rules: -- apiGroups: - - "" - resourceNames: - - antrea-cluster-identity - resources: - - configmaps - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: antrea - name: antrea-controller -rules: -- apiGroups: - - "" - resources: - - pods - - services - - namespaces - - configmaps - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - watch - - list - - patch -- apiGroups: - - "" - resources: - - services/status - verbs: - - update -- apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - get - - watch - 
- list -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - update -- apiGroups: - - "" - resourceNames: - - extension-apiserver-authentication - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - "" - resourceNames: - - antrea-ca - - antrea-cluster-identity - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create -- apiGroups: - - apiregistration.k8s.io - resourceNames: - - v1alpha1.stats.antrea.tanzu.vmware.com - - v1beta1.system.antrea.tanzu.vmware.com - - v1beta2.controlplane.antrea.tanzu.vmware.com - - v1alpha1.stats.antrea.io - - v1beta1.system.antrea.io - - v1beta2.controlplane.antrea.io - resources: - - apiservices - verbs: - - get - - update -- apiGroups: - - apiregistration.k8s.io - resourceNames: - - v1beta1.networking.antrea.tanzu.vmware.com - - v1beta1.controlplane.antrea.tanzu.vmware.com - resources: - - apiservices - verbs: - - delete -- apiGroups: - - admissionregistration.k8s.io - resourceNames: - - crdmutator.antrea.tanzu.vmware.com - - crdvalidator.antrea.tanzu.vmware.com - - labelsmutator.antrea.io - - crdmutator.antrea.io - - crdvalidator.antrea.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: - - get - - update -- apiGroups: - - crd.antrea.io - resources: - - antreacontrollerinfos - verbs: - - get - - create - - update - - delete -- apiGroups: - - crd.antrea.io - resources: - - antreaagentinfos - verbs: - - list - - delete -- apiGroups: - - crd.antrea.io - resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - clusternetworkpolicies/status - 
- networkpolicies/status - verbs: - - update -- apiGroups: - - crd.antrea.io - resources: - - tiers - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - traceflows - - traceflows/status - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - externalentities - - clustergroups - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - crd.antrea.io - resources: - - clustergroups/status - verbs: - - update -- apiGroups: - - crd.antrea.io - resources: - - egresses - verbs: - - get - - watch - - list - - update - - patch -- apiGroups: - - crd.antrea.io - resources: - - externalippools - - ippools - verbs: - - get - - watch - - list -- apiGroups: - - crd.antrea.io - resources: - - externalippools/status - - ippools/status - verbs: - - update -- apiGroups: - - apps - resources: - - statefulsets - verbs: - - get - - list - - watch -- apiGroups: - - clusterinformation.antrea.tanzu.vmware.com - resources: - - antreacontrollerinfos - verbs: - - get - - create - - update - - delete -- apiGroups: - - clusterinformation.antrea.tanzu.vmware.com - resources: - - antreaagentinfos - verbs: - - list - - delete -- apiGroups: - - security.antrea.tanzu.vmware.com - resources: - - clusternetworkpolicies - - networkpolicies - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - security.antrea.tanzu.vmware.com - resources: - - clusternetworkpolicies/status - - networkpolicies/status - verbs: - - update -- apiGroups: - - security.antrea.tanzu.vmware.com - resources: - - tiers - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - ops.antrea.tanzu.vmware.com - resources: - - traceflows - - traceflows/status - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - 
core.antrea.tanzu.vmware.com - resources: - - externalentities - - clustergroups - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - core.antrea.tanzu.vmware.com - resources: - - clustergroups/status - verbs: - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: antrea - name: antctl - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: antctl -subjects: -- kind: ServiceAccount - name: antctl - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: antrea - name: antrea-agent -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: antrea-agent -subjects: -- kind: ServiceAccount - name: antrea-agent - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: antrea - name: antrea-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: antrea-controller -subjects: -- kind: ServiceAccount - name: antrea-controller - namespace: kube-system ---- -apiVersion: v1 -data: - antrea-agent.conf: | - # FeatureGates is a map of feature names to bools that enable or disable experimental features. - featureGates: - # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. - # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on - # Service traffic. - # AntreaProxy: true - - # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice - # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, - # this flag will not take effect. - # EndpointSlice: false - - # Enable traceflow which provides packet tracing feature to diagnose network issue. 
- # Traceflow: true - - # Enable NodePortLocal feature to make the Pods reachable externally through NodePort - # NodePortLocal: true - - # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins - # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy - # feature that supports priorities, rule actions and externalEntities in the future. - # AntreaPolicy: true - - # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each - # agent to a configured collector. - # FlowExporter: false - - # Enable collecting and exposing NetworkPolicy statistics. - # NetworkPolicyStats: true - - # Enable controlling SNAT IPs of Pod egress traffic. - # Egress: false - - # Enable flexible IPAM mode for Antrea. This mode allows to assign IP Ranges to Namespaces, - # Deployments and StatefulSets via IP Pool annotation. - # AntreaIPAM: false - - # Enable multicast traffic. This feature is supported only with noEncap mode. - # Multicast: false - - # Enable managing external IPs of Services of LoadBalancer type. - # ServiceExternalIP: false - - # Name of the OpenVSwitch bridge antrea-agent will create and use. - # Make sure it doesn't conflict with your existing OpenVSwitch bridges. - #ovsBridge: br-int - - # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: - # - system - # - netdev - # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run - # OVS in userspace mode. Userspace mode requires the tun device driver to be available. - #ovsDatapathType: system - - # Name of the interface antrea-agent will create and use for host <--> pod communication. - # Make sure it doesn't conflict with your existing interfaces. - #hostGateway: antrea-gw0 - - # Determines how traffic is encapsulated. 
It has the following options: - # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network - # traffic is SNAT'd. - # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is - # SNAT'd if noSNAT is not set to true. Underlying network must be capable of - # supporting Pod traffic across IP subnets. - # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. - # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod - # IPAM and connectivity to the primary CNI. - # - #trafficEncapMode: encap - - # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. - # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap - # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to - # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never - # performs SNAT and this option will be ignored; for other modes it must be set to false. - #noSNAT: false - - # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, - # this option will not take effect. Supported values: - # - geneve (default) - # - vxlan - # - gre - # - stt - #tunnelType: geneve - - # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. - # It has the following options: - # - none (default): Inter-node Pod traffic will not be encrypted. - # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses - # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, - # the PSK value must be passed to Antrea Agent through an environment - # variable: ANTREA_IPSEC_PSK. - # - wireGuard: Enable WireGuard for tunnel traffic encryption. 
- #trafficEncryptionMode: none - - # Default MTU to use for the host gateway interface and the network interface of each Pod. - # If omitted, antrea-agent will discover the MTU of the Node's primary interface and - # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). - #defaultMTU: 0 - - # wireGuard specifies WireGuard related configurations. - wireGuard: - # The port for WireGuard to receive traffic. - # port: 51820 - - egress: - # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. - # exceptCIDRs: [] - - # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be - # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When - # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. - #serviceCIDR: 10.96.0.0/12 - - # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack - # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by - # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. - # No default value for this field. - #serviceCIDRv6: - - # The port for the antrea-agent APIServer to serve on. - # Note that if it's set to another value, the `containerPort` of the `api` port of the - # `antrea-agent` container must be set to the same value. - #apiPort: 10350 - - # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. - #enablePrometheusMetrics: true - - # Provide the IPFIX collector address as a string with format :[][:]. - # HOST can either be the DNS name or the IP of the Flow Collector. For example, - # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect - # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. 
- # However, IPv6 address should be wrapped with []. - # If PORT is empty, we default to 4739, the standard IPFIX port. - # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and - # "udp" protocols. "tls" is used for securing communication between flow exporter and - # flow aggregator. - #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" - - # Provide flow poll interval as a duration string. This determines how often the - # flow exporter dumps connections from the conntrack module. Flow poll interval - # should be greater than or equal to 1s (one second). - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #flowPollInterval: "5s" - - # Provide the active flow export timeout, which is the timeout after which a flow - # record is sent to the collector for active flows. Thus, for flows with a continuous - # stream of packets, a flow record will be exported to the collector once the elapsed - # time since the last export event is equal to the value of this timeout. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #activeFlowExportTimeout: "30s" - - # Provide the idle flow export timeout, which is the timeout after which a flow - # record is sent to the collector for idle flows. A flow is considered idle if no - # packet matching this flow has been observed since the last export event. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #idleFlowExportTimeout: "15s" - - nodePortLocal: - # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To - # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature - # gate is also enabled (which is the default). - # enable: false - # Provide the port range used by NodePortLocal. 
When the NodePortLocal feature is enabled, a port - # from that range will be assigned whenever a Pod's container defines a specific port to be exposed - # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic - # directed to that port will be forwarded to the Pod. - # portRange: 61000-62000 - - # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. - # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. - #kubeAPIServerOverride: "" - - # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. - # https://golang.org/pkg/crypto/tls/#pkg-constants - # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always - # prefer TLS1.3 Cipher Suites whenever possible. - #tlsCipherSuites: - - # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - #tlsMinVersion: - - # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. - # If there are multiple IP addresses configured on the interface, the first one is used. The IP - # address used for tunneling or routing traffic to remote Nodes is decided in the following order of - # preference (from highest to lowest): - # 1. transportInterface - # 2. transportInterfaceCIDRs - # 3. The Node IP - #transportInterface: - - # The names of the interfaces on Nodes that are used to forward multicast traffic. - # Defaults to transport interface if not set. - #multicastInterfaces: [] - - # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across - # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The - # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of - # preference (from highest to lowest): - # 1. 
transportInterface - # 2. transportInterfaceCIDRs - # 3. The Node IP - #transportInterfaceCIDRs: [,] - - # Option antreaProxy contains AntreaProxy related configuration options. - antreaProxy: - # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, - # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy - # feature to be enabled. - # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access - # apiserver directly. - #proxyAll: false - # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. - # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. - # Note that the option is only valid when proxyAll is true. - #nodePortAddresses: [] - # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these - # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name - # with Namespace (e.g. kube-system/kube-dns) - #skipServices: [] - # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the - # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional - # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the - # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. - # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and - # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. 
- #proxyLoadBalancerIPs: true - antrea-cni.conflist: | - { - "cniVersion":"0.3.0", - "name": "antrea", - "plugins": [ - { - "type": "antrea", - "ipam": { - "type": "host-local" - } - }, - { - "type": "portmap", - "capabilities": {"portMappings": true} - }, - { - "type": "bandwidth", - "capabilities": {"bandwidth": true} - } - ] - } - antrea-controller.conf: | - # FeatureGates is a map of feature names to bools that enable or disable experimental features. - featureGates: - # Enable traceflow which provides packet tracing feature to diagnose network issue. - # Traceflow: true - - # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins - # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy - # feature that supports priorities, rule actions and externalEntities in the future. - # AntreaPolicy: true - - # Enable collecting and exposing NetworkPolicy statistics. - # NetworkPolicyStats: true - - # Enable controlling SNAT IPs of Pod egress traffic. - # Egress: false - - # Run Kubernetes NodeIPAMController with Antrea. - # NodeIPAM: false - - # Enable flexible IPAM mode for Antrea. This mode allows to assign IP Ranges to Namespaces, - # Deployments and StatefulSets via IP Pool annotation. - # AntreaIPAM: false - - # Enable managing external IPs of Services of LoadBalancer type. - # ServiceExternalIP: false - - # The port for the antrea-controller APIServer to serve on. - # Note that if it's set to another value, the `containerPort` of the `api` port of the - # `antrea-controller` container must be set to the same value. - #apiPort: 10349 - - # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. - #enablePrometheusMetrics: true - - # Indicates whether to use auto-generated self-signed TLS certificate. 
- # If false, A Secret named "antrea-controller-tls" must be provided with the following keys: - # ca.crt: - # tls.crt: - # tls.key: - # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the - # antrea-controller container. - #selfSignedCert: true - - # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. - # https://golang.org/pkg/crypto/tls/#pkg-constants - # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always - # prefer TLS1.3 Cipher Suites whenever possible. - #tlsCipherSuites: - - # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - #tlsMinVersion: - - # If Antrea is upgraded from version <= v0.13 and legacy CRDs are used, this option should be - # enabled, otherwise the CRDs created with the legacy API groups will not take any effect and - # work as expected. When the mirroring is enabled, if a legacy CRD is created with legacy API - # groups, mirroring-controller will create a new CRD with the Spec and Labels from the legacy - # CRD. Afterwards, the modification of Spec and Label in legacy CRD will be synchronized to new - # CRD automatically. In addition, the modification of Status in new CRD will also be synchronized - # to legacy CRD automatically. If a legacy CRD is deleted, the corresponding new CRD will be deleted. - # Note that: to decouple a new CRD from the corresponding legacy CRD, the legacy CRD should be - # annotated with "crd.antrea.io/stop-mirror". Afterwards, updates to the legacy CRDs will no - # longer be reflected in the new CRD, and all CRUD operations should be done through the new - # API groups. After adding the annotation, legacy CRDs can be deleted safely without impacting - # new CRDs. - #legacyCRDMirroring: true - - nodeIPAM: - # Enable the integrated Node IPAM controller within the Antrea controller. - # enableNodeIPAM: false - - # CIDR ranges for Pods in cluster. 
String array containing single CIDR range, or multiple ranges. - # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. - # Value ignored when enableNodeIPAM is false. - # clusterCIDRs: [] - - # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. - # Value ignored when enableNodeIPAM is false. - # serviceCIDR: - # serviceCIDRv6: - - # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. - # nodeCIDRMaskSizeIPv4: 24 - - # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. - # nodeCIDRMaskSizeIPv6: 64 -kind: ConfigMap -metadata: - annotations: {} - labels: - app: antrea - name: antrea-config-2k82d6f6t4 - namespace: kube-system ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: antrea - name: antrea - namespace: kube-system -spec: - ports: - - port: 443 - protocol: TCP - targetPort: api - selector: - app: antrea - component: antrea-controller ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: antrea - component: antrea-controller - name: antrea-controller - namespace: kube-system -spec: - replicas: 1 - selector: - matchLabels: - app: antrea - component: antrea-controller - strategy: - type: Recreate - template: - metadata: - labels: - app: antrea - component: antrea-controller - spec: - containers: - - args: - - --config - - /etc/antrea/antrea-controller.conf - - --logtostderr=false - - --log_dir=/var/log/antrea - - --alsologtostderr - - --log_file_max_size=100 - - --log_file_max_num=4 - - --v=0 - command: - - antrea-controller - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: 
NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: SERVICEACCOUNT_NAME - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ANTREA_CONFIG_MAP_NAME - value: antrea-config-2k82d6f6t4 - image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.5.3 - livenessProbe: - failureThreshold: 5 - httpGet: - host: localhost - path: /livez - port: api - scheme: HTTPS - periodSeconds: 10 - timeoutSeconds: 5 - name: antrea-controller - ports: - - containerPort: 10349 - name: api - protocol: TCP - readinessProbe: - failureThreshold: 5 - httpGet: - host: localhost - path: /readyz - port: api - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - resources: - requests: - cpu: 200m - volumeMounts: - - mountPath: /etc/antrea/antrea-controller.conf - name: antrea-config - readOnly: true - subPath: antrea-controller.conf - - mountPath: /var/run/antrea/antrea-controller-tls - name: antrea-controller-tls - - mountPath: /var/log/antrea - name: host-var-log-antrea - hostNetwork: true - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-cluster-critical - serviceAccountName: antrea-controller - tolerations: - - key: CriticalAddonsOnly - operator: Exists - - effect: NoSchedule - key: node-role.kubernetes.io/master - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - volumes: - - configMap: - name: antrea-config-2k82d6f6t4 - name: antrea-config - - name: antrea-controller-tls - secret: - defaultMode: 256 - optional: true - secretName: antrea-controller-tls - - hostPath: - path: /var/log/antrea - type: DirectoryOrCreate - name: host-var-log-antrea ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - labels: - app: antrea - name: v1alpha1.stats.antrea.io -spec: - group: stats.antrea.io - groupPriorityMinimum: 100 - service: - name: antrea - namespace: kube-system - version: v1alpha1 - versionPriority: 100 ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService 
-metadata: - labels: - app: antrea - name: v1alpha1.stats.antrea.tanzu.vmware.com -spec: - group: stats.antrea.tanzu.vmware.com - groupPriorityMinimum: 100 - service: - name: antrea - namespace: kube-system - version: v1alpha1 - versionPriority: 100 ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - labels: - app: antrea - name: v1beta1.system.antrea.io -spec: - group: system.antrea.io - groupPriorityMinimum: 100 - service: - name: antrea - namespace: kube-system - version: v1beta1 - versionPriority: 100 ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - labels: - app: antrea - name: v1beta1.system.antrea.tanzu.vmware.com -spec: - group: system.antrea.tanzu.vmware.com - groupPriorityMinimum: 100 - service: - name: antrea - namespace: kube-system - version: v1beta1 - versionPriority: 100 ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - labels: - app: antrea - name: v1beta2.controlplane.antrea.io -spec: - group: controlplane.antrea.io - groupPriorityMinimum: 100 - service: - name: antrea - namespace: kube-system - version: v1beta2 - versionPriority: 100 ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - labels: - app: antrea - name: v1beta2.controlplane.antrea.tanzu.vmware.com -spec: - group: controlplane.antrea.tanzu.vmware.com - groupPriorityMinimum: 100 - service: - name: antrea - namespace: kube-system - version: v1beta2 - versionPriority: 100 ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - labels: - app: antrea - component: antrea-agent - name: antrea-agent - namespace: kube-system -spec: - selector: - matchLabels: - app: antrea - component: antrea-agent - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: antrea-agent - labels: - app: antrea - component: antrea-agent - spec: - containers: - - args: - - --config - - /etc/antrea/antrea-agent.conf - - --logtostderr=false - - --log_dir=/var/log/antrea - - --alsologtostderr - - 
--log_file_max_size=100 - - --log_file_max_num=4 - - --v=0 - command: - - antrea-agent - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.5.3 - livenessProbe: - exec: - command: - - /bin/sh - - -c - - container_liveness_probe agent - failureThreshold: 5 - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - name: antrea-agent - ports: - - containerPort: 10350 - name: api - protocol: TCP - readinessProbe: - failureThreshold: 8 - httpGet: - host: localhost - path: /readyz - port: api - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - resources: - requests: - cpu: 200m - securityContext: - privileged: true - volumeMounts: - - mountPath: /etc/antrea/antrea-agent.conf - name: antrea-config - readOnly: true - subPath: antrea-agent.conf - - mountPath: /var/run/antrea - name: host-var-run-antrea - - mountPath: /var/run/openvswitch - name: host-var-run-antrea - subPath: openvswitch - - mountPath: /var/lib/cni - name: host-var-run-antrea - subPath: cni - - mountPath: /var/log/antrea - name: host-var-log-antrea - - mountPath: /host/proc - name: host-proc - readOnly: true - - mountPath: /host/var/run/netns - mountPropagation: HostToContainer - name: host-var-run-netns - readOnly: true - - mountPath: /run/xtables.lock - name: xtables-lock - - args: - - --log_file_max_size=100 - - --log_file_max_num=4 - command: - - start_ovs - image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.5.3 - livenessProbe: - exec: - command: - - /bin/sh - - -c - - timeout 10 container_liveness_probe ovs - failureThreshold: 5 - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 10 - name: antrea-ovs - resources: - requests: - cpu: 200m - securityContext: - capabilities: - add: - - SYS_NICE - - NET_ADMIN - 
- SYS_ADMIN - - IPC_LOCK - volumeMounts: - - mountPath: /var/run/openvswitch - name: host-var-run-antrea - subPath: openvswitch - - mountPath: /var/log/openvswitch - name: host-var-log-antrea - subPath: openvswitch - dnsPolicy: ClusterFirstWithHostNet - hostNetwork: true - initContainers: - - command: - - install_cni - image: projects.registry.vmware.com/antrea/antrea-ubuntu:v1.5.3 - name: install-cni - resources: - requests: - cpu: 100m - securityContext: - capabilities: - add: - - SYS_MODULE - volumeMounts: - - mountPath: /etc/antrea/antrea-cni.conflist - name: antrea-config - readOnly: true - subPath: antrea-cni.conflist - - mountPath: /host/etc/cni/net.d - name: host-cni-conf - - mountPath: /host/opt/cni/bin - name: host-cni-bin - - mountPath: /lib/modules - name: host-lib-modules - readOnly: true - - mountPath: /var/run/antrea - name: host-var-run-antrea - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-node-critical - serviceAccountName: antrea-agent - tolerations: - - key: CriticalAddonsOnly - operator: Exists - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - volumes: - - configMap: - name: antrea-config-2k82d6f6t4 - name: antrea-config - - hostPath: - path: /etc/cni/net.d - name: host-cni-conf - - hostPath: - path: /opt/cni/bin - name: host-cni-bin - - hostPath: - path: /proc - name: host-proc - - hostPath: - path: /var/run/netns - name: host-var-run-netns - - hostPath: - path: /var/run/antrea - type: DirectoryOrCreate - name: host-var-run-antrea - - hostPath: - path: /var/log/antrea - type: DirectoryOrCreate - name: host-var-log-antrea - - hostPath: - path: /lib/modules - name: host-lib-modules - - hostPath: - path: /run/xtables.lock - type: FileOrCreate - name: xtables-lock - updateStrategy: - type: RollingUpdate ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - labels: - app: antrea - name: crdmutator.antrea.io -webhooks: -- admissionReviewVersions: - 
- v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /mutate/acnp - name: acnpmutator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusternetworkpolicies - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /mutate/anp - name: anpmutator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - networkpolicies - scope: Namespaced - sideEffects: None - timeoutSeconds: 5 ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - labels: - app: antrea - name: crdmutator.antrea.tanzu.vmware.com -webhooks: -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /mutate/acnp - name: acnpmutator.antrea.tanzu.vmware.com - rules: - - apiGroups: - - security.antrea.tanzu.vmware.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusternetworkpolicies - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /mutate/anp - name: anpmutator.antrea.tanzu.vmware.com - rules: - - apiGroups: - - security.antrea.tanzu.vmware.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - networkpolicies - scope: Namespaced - sideEffects: None - timeoutSeconds: 5 ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - app: antrea - name: crdvalidator.antrea.io -webhooks: -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/tier - name: 
tiervalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - - DELETE - resources: - - tiers - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/acnp - name: acnpvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusternetworkpolicies - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/anp - name: anpvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - networkpolicies - scope: Namespaced - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/clustergroup - name: clustergroupvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha3 - - v1alpha2 - operations: - - CREATE - - UPDATE - resources: - - clustergroups - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/externalippool - name: externalippoolvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha2 - operations: - - UPDATE - resources: - - externalippools - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/egress - name: egressvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha2 - operations: - - CREATE - - 
UPDATE - resources: - - egresses - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/ippool - name: ippoolvalidator.antrea.io - rules: - - apiGroups: - - crd.antrea.io - apiVersions: - - v1alpha2 - operations: - - UPDATE - - DELETE - resources: - - ippools - scope: Cluster - sideEffects: None - timeoutSeconds: 5 ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - app: antrea - name: crdvalidator.antrea.tanzu.vmware.com -webhooks: -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/tier - name: tiervalidator.antrea.tanzu.vmware.com - rules: - - apiGroups: - - security.antrea.tanzu.vmware.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - - DELETE - resources: - - tiers - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/acnp - name: acnpvalidator.antrea.tanzu.vmware.com - rules: - - apiGroups: - - security.antrea.tanzu.vmware.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusternetworkpolicies - scope: Cluster - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/anp - name: anpvalidator.antrea.tanzu.vmware.com - rules: - - apiGroups: - - security.antrea.tanzu.vmware.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - networkpolicies - scope: Namespaced - sideEffects: None - timeoutSeconds: 5 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: antrea - namespace: kube-system - path: /validate/clustergroup - name: 
clustergroupvalidator.antrea.tanzu.vmware.com - rules: - - apiGroups: - - core.antrea.tanzu.vmware.com - apiVersions: - - v1alpha2 - operations: - - CREATE - - UPDATE - - DELETE - resources: - - clustergroups - scope: Cluster - sideEffects: None - timeoutSeconds: 5 diff --git a/test/integration/testdata/kube-flannel.yaml b/test/integration/testdata/kube-flannel.yaml new file mode 100644 index 0000000000..e5b98de1ff --- /dev/null +++ b/test/integration/testdata/kube-flannel.yaml 
@@ -0,0 +1,248 @@
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: psp.flannel.unprivileged
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
+ apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+ apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+spec:
+ privileged: false
+ volumes:
+ - configMap
+ - secret
+ - emptyDir
+ - hostPath
+ allowedHostPaths:
+ - pathPrefix: "/etc/cni/net.d"
+ - pathPrefix: "/etc/kube-flannel"
+ - pathPrefix: "/run/flannel"
+ readOnlyRootFilesystem: false
+ # Users and groups
+ runAsUser:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ fsGroup:
+ rule: RunAsAny
+ # Privilege Escalation
+ allowPrivilegeEscalation: false
+ defaultAllowPrivilegeEscalation: false
+ # Capabilities
+ allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
+ defaultAddCapabilities: []
+ requiredDropCapabilities: []
+ # Host namespaces
+ hostPID: false
+ hostIPC: false
+ hostNetwork: true
+ hostPorts:
+ - min: 0
+ max: 65535
+ # SELinux
+ seLinux:
+ # SELinux is unused in CaaSP
+ rule: 'RunAsAny'
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: flannel
+rules:
+- apiGroups: ['extensions']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames: ['psp.flannel.unprivileged']
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - nodes/status
+ verbs:
+ - patch
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: flannel
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: flannel
+subjects:
+- kind: ServiceAccount
+ name: flannel
+ namespace: kube-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: flannel
+ namespace: kube-system
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: kube-flannel-cfg
+ namespace: kube-system
+ labels:
+ tier: node
+ app: flannel
+data:
+ cni-conf.json: |
+ {
+ "name": "cbr0",
+ "cniVersion": "0.3.1",
+ "plugins": [
+ {
+ "type": "flannel",
+ "delegate": {
+ "hairpinMode": true,
+ "isDefaultGateway": true
+ }
+ },
+ {
+ "type": "portmap",
+ "capabilities": {
+ "portMappings": true
+ }
+ }
+ ]
+ }
+ net-conf.json: |
+ {
+ "Network": "10.244.0.0/16",
+ "Backend": {
+ "Type": "vxlan"
+ }
+ }
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: kube-flannel-ds
+ namespace: kube-system
+ labels:
+ tier: node
+ app: flannel
+spec:
+ selector:
+ matchLabels:
+ app: flannel
+ template:
+ metadata:
+ labels:
+ tier: node
+ app: flannel
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
+ hostNetwork: true
+ priorityClassName: system-node-critical
+ tolerations:
+ - operator: Exists
+ effect: NoSchedule
+ serviceAccountName: flannel
+ initContainers:
+ - name: install-cni-plugin
+ #image: flannelcni/flannel-cni-plugin:v1.0.1 for ppc64le and mips64le (dockerhub limitations may apply)
+ image: rancher/mirrored-flannelcni-flannel-cni-plugin:v1.0.1
+ command:
+ - cp
+ args:
+ - -f
+ - /flannel
+ - /opt/cni/bin/flannel
+ volumeMounts:
+ - name: cni-plugin
+ mountPath: /opt/cni/bin
+ - name: install-cni
+ #image: flannelcni/flannel:v0.17.0 for ppc64le and mips64le (dockerhub limitations may apply)
+ image: rancher/mirrored-flannelcni-flannel:v0.17.0
+ command:
+ - cp
+ args:
+ - -f
+ - /etc/kube-flannel/cni-conf.json
+ - /etc/cni/net.d/10-flannel.conflist
+ volumeMounts:
+ - name: cni
+ mountPath: /etc/cni/net.d
+ - name: flannel-cfg
+ mountPath: /etc/kube-flannel/
+ containers:
+ - name: kube-flannel
+ #image: flannelcni/flannel:v0.17.0 for ppc64le and mips64le (dockerhub limitations may apply)
+ image: 
rancher/mirrored-flannelcni-flannel:v0.17.0
+ command:
+ - /opt/bin/flanneld
+ args:
+ - --ip-masq
+ - --kube-subnet-mgr
+ resources:
+ requests:
+ cpu: "100m"
+ memory: "50Mi"
+ limits:
+ cpu: "100m"
+ memory: "50Mi"
+ securityContext:
+ privileged: false
+ capabilities:
+ add: ["NET_ADMIN", "NET_RAW"]
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: EVENT_QUEUE_DEPTH
+ value: "5000"
+ volumeMounts:
+ - name: run
+ mountPath: /run/flannel
+ - name: flannel-cfg
+ mountPath: /etc/kube-flannel/
+ - name: xtables-lock
+ mountPath: /run/xtables.lock
+ volumes:
+ - name: run
+ hostPath:
+ path: /run/flannel
+ - name: cni-plugin
+ hostPath:
+ path: /opt/cni/bin
+ - name: cni
+ hostPath:
+ path: /etc/cni/net.d
+ - name: flannel-cfg
+ configMap:
+ name: kube-flannel-cfg
+ - name: xtables-lock
+ hostPath:
+ path: /run/xtables.lock
+ type: FileOrCreate
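Review bot: The PodSecurityPolicy's `allowedHostPaths` lists only `/etc/cni/net.d`, `/etc/kube-flannel` and `/run/flannel`, but the DaemonSet at the end of the hunk mounts two further hostPath volumes, `/opt/cni/bin` (`cni-plugin`) and `/run/xtables.lock` (`xtables-lock`), so on a cluster that still enforces PSP the flannel pods would be rejected by the very policy shipped alongside them, and on one that does not the policy is inert. If the PSP is kept, extend it with `- pathPrefix: "/opt/cni/bin"` and `- pathPrefix: "/run/xtables.lock"`; since `policy/v1beta1` PodSecurityPolicy and the `extensions` apiGroup used in the ClusterRole's `use` rule are no longer served by current Kubernetes releases, it is presumably cleaner for a test fixture to drop that document and its RBAC rule entirely (whether a rejected document aborts the whole `--cni` apply is decided outside this hunk). The PSP's `hostPorts` range `0-65535` is also wider than anything the DaemonSet declares and could be removed. Finally, both images are pinned by mutable tag (`v1.0.1`, `v0.17.0`); pinning by digest would keep the integration run reproducible and protect it against upstream retagging.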