- Fix race conditions in NetworkPolicyController. (#4028, @tnqn)
- Ensure NO_FLOOD is always set for IPsec tunnel ports and TrafficControl ports. (#4419 #4654 #4674, @xliuxu @tnqn)
- Fix Service routes being deleted on Agent startup on Windows. (#4470, @hongliangl)
- Fix Agent crash in dual-stack clusters when any Node is not configured with an IP address for each address family. (#4480, @hongliangl)
- Fix route deletion for Service ClusterIP and LoadBalancerIP when AntreaProxy is enabled. (#4711, @tnqn)
- Upgrade Antrea base image to ubuntu 22.04. (#4459, @antoninbas)
- Add OFSwitch connection check to Agent's liveness probes. (#4126, @tnqn)
- Improve install_cni_chaining to support updates to CNI config file. (#4012, @antoninbas)
- Add a periodic job to rejoin dead Nodes to fix Egress not working properly after long network downtime. (#4491, @tnqn)
- Fix connectivity issues caused by MAC address changes with systemd v242 and later. (#4428, @wenyingd)
- Fix potential deadlocks and memory leaks of memberlist maintenance in large-scale clusters. (#4469, @wenyingd)
- Fix Windows AddNodePort parameter error. (#4103, @XinShuYang)
- Set no-flood config with ports for TrafficControl after Agent restarting. (#4318, @hongliangl)
- Fix multicast group not removed from cache when it is uninstalled. (#4176, @wenyingd)
- Remove redundant Openflow messages when syncing an updated group to OVS. (#4160, @hongliangl)
- Fix Antrea Octant plugin build. (#4107, @antoninbas)
- Fix FlowExporter memory bloat when export process is dead. (#3994, @wsquan171)
- Fix Pod-to-external traffic on EKS in policyOnly mode. (#3975, @antoninbas)
- Use uplink interface name for host interface internal port to support DHCP client. (#3938, @gran-vmv)
- Add TrafficControl feature to control the transmission of Pod traffic; it allows users to mirror or redirect traffic originating from specific Pods or destined for specific Pods to a local network device or a remote destination via a tunnel of various types. (#3644 #3580 #3487, @tnqn @hongliangl @wenqiq)
  - Refer to this document for more information about this feature.
  - Refer to this cookbook for more information about using this feature to provide network-based intrusion detection service to your Pods.
- Add support for the IPsec Certificate-based Authentication. (#3778, @xliuxu)
  - Add an Antrea Agent configuration option `ipsec.authenticationMode` to specify the authentication mode. Supported options are "psk" (default) and "cert".
  - Add an Antrea Controller configuration option `ipsecCSRSigner.autoApprove` to specify the auto-approve policy of the Antrea CSR signer for IPsec certificate management. By default, Antrea will auto-approve the CertificateSigningRequest (CSR) if it is verified.
  - Add an Antrea Controller configuration option `ipsecCSRSigner.selfSignedCA` to specify whether to use an auto-generated self-signed CA certificate. By default, Antrea will auto-generate a self-signed CA certificate.
- Add the following capabilities to Antrea-native policies:
- Add the following capabilities to the Multicast feature:
  - Add `antctl get podmulticaststats` command to query Pod-level multicast traffic statistics in Agent mode. (#3449, @ceclinux)
  - Add "MulticastGroup" API to query Pods that have joined multicast groups; `kubectl get multicastgroups` can generate requests and output responses of the API. (#3354 #3449, @ceclinux)
  - Add an Antrea Agent configuration option `multicast.igmpQueryInterval` to specify the interval at which the antrea-agent sends IGMP queries to Pods. (#3819, @liu4480)
- Add the following capabilities to the Multi-cluster feature:
  - Add the Multi-cluster Gateway functionality which supports routing Multi-cluster Service traffic across clusters through tunnels between the Gateway Nodes. It enables Multi-cluster Service access across clusters, without requiring direct reachability of Pod IPs between clusters. (#3689 #3463 #3603, @luolanzone)
  - Add a number of `antctl mc` subcommands for bootstrapping Multi-cluster; refer to the Multi-cluster antctl document for more information. (#3474, @hjiajing)
- Add the following capabilities to secondary network IPAM:
- Add support for NodePortLocal on Windows. (#3453, @XinShuYang)
- Add support for Traceflow on Windows. (#3022, @gran-vmv)
- Add support for containerd to antrea-eks-node-init.yml. (#3840, @antoninbas)
- Add an Antrea Agent configuration option `disableTXChecksumOffload` to support cases in which the datapath's TX checksum offloading does not work properly. (#3832, @tnqn)
- Add support for InternalTrafficPolicy in AntreaProxy. (#2792, @hongliangl)
- Add the following documentation:
  - Add documentation for the Antrea Agent RBAC permissions and how to restrict them using Gatekeeper/OPA. (#3694, @antoninbas)
  - Add quick start guide for Antrea Multi-cluster. (#3853, @luolanzone @jianjuns)
  - Add documentation for the AntreaProxy feature. (#3679, @antoninbas)
  - Add documentation for secondary network IPAM. (#3634, @jianjuns)
- Optimize generic traffic performance by reducing OVS packet recirculation. (#3858, @tnqn)
- Optimize NodePort traffic performance by reducing OVS packet recirculation. (#3862, @hongliangl)
- Improve validation for IPPool CRD. (#3570, @jianjuns)
- Improve validation for `egress.to.namespaces.match` of AntreaClusterNetworkPolicy rules. (#3727, @qiyueyao)
- Deprecate the Antrea Agent configuration option `multicastInterfaces` in favor of `multicast.multicastInterfaces`. (#3898, @tnqn)
- Reduce permissions of Antrea Agent ServiceAccount. (#3691, @xliuxu)
- Create a Secret in the Antrea manifest for the antctl and antrea-agent ServiceAccount as K8s v1.24 no longer creates a token for each ServiceAccount automatically. (#3730, @antoninbas)
- Implement garbage collector for IP Pools to clean up allocations and reservations for which owner no longer exists. (#3672, @annakhm)
- Preserve client IP if the selected Endpoint is local regardless of ExternalTrafficPolicy. (#3604, @hongliangl)
- Add a Helm chart for Antrea and use the Helm templates to generate the standard Antrea YAML manifests. (#3578, @antoninbas)
- Make "Agent mode" antctl work out-of-the-box on Windows. (#3645, @antoninbas)
- Truncate SessionAffinity timeout values of Services instead of wrapping around. (#3609, @antoninbas)
- Move Antrea Windows log dir from `C:\k\antrea\logs\` to `C:\var\log\antrea\`. (#3416, @GraysonWu)
- Limit max number of data values displayed on Grafana panels. (#3812, @heanlan)
- Support deploying ClickHouse with Persistent Volume. (#3608, @yanjunz97)
- Remove support for ELK Flow Collector. (#3738, @heanlan)
- Improve documentation for Antrea-native policies. (#3512, @Dyanngg)
- Update OVS version to 2.17.0. (#3591, @antoninbas)
- Fix Egress not working with kube-proxy IPVS strictARP mode. (#3837, @xliuxu)
- Fix intra-Node Pod traffic bypassing Ingress NetworkPolicies in some scenarios. (#3809, @hongliangl)
- Fix FQDN policy support for IPv6. (#3869, @tnqn)
- Fix multicast not working if the AntreaPolicy feature is disabled. (#3807, @liu4480)
- Fix tolerations for Pods running on control-plane for Kubernetes >= 1.24. (#3731, @xliuxu)
- Fix DNS resolution error of antrea-agent on AKS by using `ClusterFirst` dnsPolicy. (#3701, @tnqn)
- Clean up stale routes installed by AntreaProxy when ProxyAll is disabled. (#3465, @hongliangl)
- Ensure that Service traffic does not bypass NetworkPolicies when ProxyAll is enabled on Windows. (#3510, @hongliangl)
- Use IP and MAC to find virtual management adapter to fix Agent crash in some scenarios on Windows. (#3641, @wenyingd)
- Fix handling of the "reject" packets generated by the Antrea Agent to avoid infinite looping. (#3569, @GraysonWu)
- Fix export/import of Services with named ports when using the Antrea Multi-cluster feature. (#3561, @luolanzone)
- Fix Multi-cluster importer not working after leader controller restarts. (#3596, @luolanzone)
- Fix Endpoint ResourceExports not cleaned up after corresponding Service is deleted. (#3652, @luolanzone)
- Fix pool CRD format in egress.md and service-loadbalancer.md. (#3885, @jianjuns)
- Fix infinite looping when Agent tries to delete a non-existing route. (#3827, @hongliangl)
- Fix race condition in ConntrackConnectionStore and FlowExporter. (#3655, @heanlan)