Antrea v2.5.0

Added

• Introduce a new feature gate NFTablesHostNetworkMode and an option hostNetworkMode to support nftables for proxyAll rules installed in the Node's host network by AntreaProxy. (#7545, @hongliangl)
• Add support for Antrea Egress in hybrid mode. (#7239, @hongliangl)
• Add direction flag to antctl packetcapture command. (#7195, @sratslla)
• Add IPv6 support for PacketCapture feature, including ICMPv6 handling and new CLI filter options. (#7385, @harshgdev)
• Enhance PacketCapture to support matching arbitrary source or destination. (#7215, @harshgdev)
• Enhance PacketCapture to also capture packets at the destination Pod, in addition to the source. (#7289, @harshgdev)
• Add confederation identifier to the antctl get bgppolicy command response. (#7275, @Atish-iaf)
• Add member ASNs to the antctl get bgppolicy command response. (#7425, @Atish-iaf)
• Add conntrack_poll_cycle_duration_seconds metric to track the time taken to poll conntrack and update the connection store. (#7460, @antoninbas)
• Add a network-policy-delay flag to antctl check installation to configure the maximum policy realization delay. (#7427, @antoninbas)
• Add resource requests for Windows container in Antrea deployment. (#7254, @XinShuYang)
• Accelerate Pod-to-Pod networking in noEncap and hybrid modes by leveraging nftables flowtable to reduce host network stack overhead. If some nftables dependencies are not met, it will fallback to the old behavior. The new behavior can also be disabled by explicitly setting hostNetworkAcceleration.enable to false. (#7324, @hongliangl)

Changed

• Upgrade Go to 1.25. (#7561, @antoninbas)
• Deprecate L7FlowExporter feature. (#7567, @luolanzone)
• Increase the minimum supported Kubernetes version to 1.23. (#7564, @antoninbas)
• Add uniqueMACForSubInterfaces option to Egress, enabling unique MAC addresses for Egress VLAN interfaces by default. (#7599, @luolanzone)
• Evolve the AntreaProxy framework, introducing a healthz server as an alternative to kube-proxy's, and adding feature PreferSameTrafficDistribution support. (#7371, @hongliangl)
• Promote feature gates TopologyAwareHints and ServiceTrafficDistribution to GA. (#7503, @hongliangl)
• Improve FlowExporter performance by using netlink zone filtering when dumping conntrack flows, reducing CPU and memory usage. (#7504, @antoninbas)
• Prevent WireGuard enablement when the traffic mode is not Encap. (#7464, @luolanzone)
• Add disclaimers to Azure-related documentation and code, as Antrea is no longer tested on Azure. (#7381, @edwardbadboy)
• Migrate dependency update configuration from Dependabot to Renovate. (#7354, @ghadeer-elsalhawy)
• Remove AntreaProxy and NodePortLocal feature gates from Helm charts and standard manifests. (#7505, @hongliangl)
• Add validation to ensure that AntreaIPAM is enabled with SecondaryNetwork. (#7556, @luolanzone)
• Periodically sync ip rules managed by Antrea to ensure consistency. (#7295, @hongliangl)
• Use a more robust way to extract the source Node IP from encapsulated IGMP messages for multicast when the traffic mode is Encap. (#7282, @hongliangl)
• Add validation to prevent Antrea Multicast from being enabled in networkPolicyOnly mode. (#7362, @wenyingd)
• Unify validation logic for IPPool and ExternalIPPool for more consistent checks and failures. (#7319, @wenqiq)

Fixed

• Fix overflow issue in network policy priority assigner. (#7496, @Dyanngg)
• Add missing policy UIDs for denied connections in FlowExporter. (#7388, @antoninbas)
• Upgrade libOpenflow to handle OpenFlow message overflow. (#7470, @wenyingd)
• Fix ServiceCIDR discovery in the Multi-cluster member controller for Kubernetes versions 1.33 and newer. (#7291, @luolanzone)
• Fix Agent crash issue which is caused by unexpected interface store initialization for FlexibleIPAM uplink internal port. (#7389, @gran-vmv)
• Avoid missing or invalid NetworkPolicy data in FlowExporter records by increasing flow ID reuse delay and filtering old connections. (#7468, @antoninbas)
• Refine Traceflow to correctly handle inter-Node Pod-to-Pod traffic across all traffic modes. (#7481, @hongliangl)
• Fix ACNP applied to NodePort failing to reject traffic when the traffic mode is noEncap or hybrid. (#7265, @hongliangl)
• Fix a type assertion panic in GetFlowTableID function, which affected the /ovsflows HTTP handler. (#7515, @antoninbas)
• Handle missing Pod IP and Pod IP changes in NodePortLocal to prevent incorrect datapath rules. (#7512, @antoninbas)
• Exclude Egress VLAN sub-interfaces (antrea-ext.VLAN) from NodePort addresses for consistency. (#7519, @antoninbas)
• Improve initK8sNodeLocalConfig in Agent initialization by separating Node and PodCIDR polling for better logging, and increase the timeout to 60s. (#7473, @antoninbas)
• Fix panic in Antrea monitor controller caused by unexpected delete event type. (#7568, @luolanzone)
• Clean up stale secondary IPs in IPPool when Node restarts with invalid OVSDB. (#7511, @luolanzone)
• Improve stale IP recycling in AntreaIPAM controller. (#7538 #7571, @luolanzone)
• Handle Traceflow external destination IP correctly in noEncap mode to fix timeout issue. (#7266, @gran-vmv)
• Add validation to ensure that IP range start is not greater than end in IPPool. (#7308, @wenqiq)
• Improve SR-IOV device assignment to ensure it's idempotent. (#7322, @luolanzone)
• Improve secondary interface reconciliation and fix a nil pointer exception when both SR-IOV and VLAN interfaces are enabled in Antrea SecondaryNetwork. (#7286, @jianjuns)
• Add missing Run calls for nodeStore / serviceStore to start the garbage collection routines and fix a memory leak for FlowAggregator. (#7343, @antoninbas)
• Remove trailing whitespace from default manifests to fix antrea-config ConfigMap formatting issues. (#7311, @antoninbas)

Antrea v2.4.3

Fixed

• Fix overflow issue in network policy priority assigner. (#7496, @Dyanngg)
• Unify validation logic for IPPool and ExternalIPPool for more consistent checks and failures. (#7319, @wenqiq)
• Handle Traceflow external destination IP correctly in NoEncap mode to fix timeout issue. (#7266, @gran-vmv)

Antrea v2.3.2

Fixed

• Fix overflow issue in network policy priority assigner. (#7496, @Dyanngg)
• Use a more robust way to extract the source Node IP from encapsulated IGMP messages for Multicast. (#7282, @hongliangl)
• Fix agent crash issue which is caused by unexpected interface store initialization for FlexibleIPAM uplink internal port. (#7389, @gran-vmv)
• Fix ACNP applied to NodePort failing to reject traffic in noEncap/hybrid mode. (#7265, @hongliangl)

Antrea v2.2.2

Fixed

• Fix ACNP applied to NodePort failing to reject traffic in noEncap/hybrid mode. (#7265, @hongliangl)
• Use a more robust way to extract the source Node IP from encapsulated IGMP messages for Multicast. (#7282, @hongliangl)
• Fix agent crash issue which is caused by unexpected interface store initialization for FlexibleIPAM uplink internal port. (#7389, @gran-vmv)
• Periodically sync permanent neighbors to ensure route correctness for Antrea host gateway interface. (#7238, @hongliangl)
• Enhance OVS commands for Antrea Windows to accelerate container recovery and improve robustness. (#7228, @XinShuYang)
• Sync affected groups in the Antrea Controller when a Pod goes into Terminated state, to ensure that the Pod is excluded from NetworkPolicy source and destination immediately. (#7217, @Dyanngg)
• Fix race condition when getting metrics via antctl for FlowAggregator. (#7230, @antoninbas)
• Fix rollback when configureContainerLinkVeth fails, to ensure subsequent retries can succeed. (#7210 #7213, @tnqn)
• Remove stale local members in the group cache for Multicast, which resolves an issue that the same receiver may fail to receive multicast packets after it rejoins the group. (#7154, @wenyingd)

Antrea v2.4.2

Fixed

• Fix agent crash issue which is caused by unexpected interface store initialization for FlexibleIPAM uplink internal port. (#7389, @gran-vmv)
• Ignore conntrack connections denied by policy for FlowExporter. (#7361, @antoninbas)
• Add missing policy UIDs for denied connections for FlowExporter. (#7388, @antoninbas)
• Fix ACNP applied to NodePort failing to reject traffic in noEncap/hybrid mode. (#7265, @hongliangl)
• Use a more robust way to extract the source Node IP from encapsulated IGMP messages for Multicast. (#7282, @hongliangl)
• Upgrade CNI plugins to v1.8.0 to fix CVEs. (#7397, @luolanzone)

Antrea v2.4.1

Added

• Add resource requests for Windows container in Antrea deployment. (#7254, @XinShuYang)

Fixed

• Add missing Run calls for nodeStore / serviceStore to start the garbage collection routines and fix a memory leak for FlowAggregator. (#7343, @antoninbas)
• Improve SR-IOV device assignment to ensure it's idempotent. (#7322, @luolanzone)
• Add validation to ensure IP range start is not greater than end in IPPool. (#7308, @wenqiq)
• Improve secondary interface reconciliation and fix a nil pointer exception when both SR-IOV and VLAN interfaces are enabled in Antrea SecondaryNetwork. (#7286, @jianjuns)
• Remove trailing whitespace from default manifests to fix antrea-config ConfigMap formatting issues. (#7311, @antoninbas)

Antrea v2.1.2

Fixed

• Periodically sync permanent neighbors to ensure route correctness for Antrea host gateway interface. (#7238, @hongliangl)
• Sync affected groups in the Antrea Controller when a Pod goes into Terminated state, to ensure that the Pod is excluded from NetworkPolicy source and destination immediately. (#7217, @Dyanngg)
• Fix rollback when configureContainerLinkVeth fails, to ensure subsequent retries can succeed. (#7210 #7213, @tnqn)
• Fix Agent crash when deleting the Secret storing BGP passwords. (#7042, @hongliangl)
• Filter out the hostNetwork Pods locally on Linux to fix K8s compatibility issue, since the spec.hostNetwork field selector for Pods is not supported before K8s v1.28. (#7012, @wenyingd)
• Add -ComputerName localhost explicitly for VMSwitch commands to avoid potential validation issues on Windows with Active Directory. (#6985, @XinShuYang)

Antrea v2.4.0

Added

• Add BGP confederation support in BGPPolicy. (#6927 #6905, @hongliangl)
• Support mTLS when exporting flows to an external flow collector for FlowAggregator. (#7212, @antoninbas)
• Add k8s.v1.cni.cncf.io/network-status annotation to make SecondaryNetwork Pod IP visible. (#7069, @wenqiq)
• Add protocolFilter config to FlowExporter to filter and export flows only with the specified protocols. (#7145, @petertran-avgo)
• Add antctl get fqdncache sub-command to fetch the DNS mapping entries for FQDN policies. (#6868, @Dhruv-J)
• Add TCP flags filter support for PacketCapture. (#7070, @AryanBakliwal)
• Add bidirectional packet capture support for PacketCapture. (#6882, @AryanBakliwal)
• Add ICMP messages filter support for PacketCapture. (#7164, @AryanBakliwal)
• Support antctl packetcapture sub-commands for PacketCapture. (#6884, @hangyan)
• Support enabling multicast snooping for SecondaryNetwork. (#7200, @tnqn)
• Allow defining static MAC addresses for SecondaryInterfaces for VLAN network. (#7137, @KMAnju-2021 @rajnkamr)

Changed

• Multiple enhancements for FlowAggregator are introduced:
  • Move aggregation logic from go-ipfix to Antrea for FlowAggregator. (#7227, @antoninbas)
  • Remove several instances of log spam in the Flow Aggregator, and improve handling of connection failures. (#7223, @antoninbas)
  • Set priorityClassName to system-node-critical by default for FlowAggregator. (#7124, @luolanzone)
  • Support custom ClusterIDs attached to exported flow records for FlowAggregator. (#7197, @petertran-avgo)
  • Clean up RBAC for FlowAggregator. (#7125, @antoninbas)
  • Use Protobuf message in FlowAggregator to represent flows. (#7253, @antoninbas)
  • Use Protobuf / gRPC between FlowExporter and FlowAggregator by default, and allow disabling IPFIX collector via aggregatorTransportProtocol. (#7264, @antoninbas)
  • Add ability to export K8s UIDs in the IPFIX exporter. (#7279, @antoninbas)
  • Add more configuration values to the flow-aggregator chart. (#7138, @antoninbas)
  • Push flow-aggregator image to ghcr.io registry. (#7036, @antoninbas)
• Log error when OVS meter drops packets, which helps to evaluate whether increasing the packetInRate configuration is needed. (#7242, @tnqn)
• Log PacketIn drops when dispatching to per-category queues to improve troubleshooting. (#7174, @tnqn)
• Increase the default packet-in rate limit to 5000. (#7243, @tnqn)
• Sync affected groups in the Antrea Controller when a Pod goes into Terminated state, to ensure that the Pod is excluded from NetworkPolicy source and destination immediately. (#7217, @Dyanngg)
• Decouple sending of ICMP probes & latency reporting for NodeLatencyMonitor, which can improve accuracy of measurements and reduce system load. (#7189, @g4rud4kun)
• Add ICMP Rule for NodeLatencyMonitor to make it work when the Node is configured with iptables default DROP policy. (#7011, @Dhruv-J)
• Handle Pod UID updates in PodStore to account for the corner case where old and new Pods from update handler are actually different objects. (#6964, @antoninbas)
• Support configuring file permissions for the Antrea CNI configuration file. (#7098, @luolanzone)
• Install iptables rules to allow WireGuard packets to ensure Antrea with WireGuard can work properly when the Node is configured with iptables default DROP policy. (#7030, @wenyingd)
• Make IPPool prefixLength and gateway immutable. (#7186, @wenqiq)
• Periodically sync permanent neighbors to ensure route correctness for Antrea host gateway interface. (#7238, @hongliangl)
• Rename a SR-IOV VF device, which is configured as a secondary Pod interface, back to the original name when the Pod is deleted. (#7144, @luolanzone)
• Support removing the whole k8s.v1.cni.cncf.io/networks annotation or resetting it to an empty value, which deletes the Pod's SecondaryNetwork interfaces. (#7119, @wenqiq)
• Document Antrea native secondary network support for SR-IOV interfaces. (#7076, @tnqn)

Fixed

• Enhance OVS commands for Antrea Windows to accelerate container recovery and improve robustness. (#7228, @XinShuYang)
• Configure routes via ip route add to avoid incorrect replacement of routes when the interface is managed by a network daemon. (#7134, @luolanzone)
• Restore secondary VLAN interface information and reconcile OVS ports after Agent restarts. (#6853, @KMAnju-2021)
• Persist container netns with OVS port external IDs. (#7199, @[@jianjuns)
• Restore the existing SR-IOV secondary interface information when Agent restarts, using the information stored in the Pod NetworkStatus annotation, which ensures correct IP release and VF device name restoration after Pod deletion. (#7240, @luolanzone)
• Fix invalid template ID in FlowAggregator for IPFIX exporter. (#7208, @antoninbas)
• Fix race condition when getting metrics via antctl for FlowAggregator. (#7230, @antoninbas)
• Fix invalid IPFIX UDP traffic fragmentation in the Flow Aggregator. (#7080, @antoninbas)
• Fix invalid Antrea IE registry ID in docs. (#7087, @ColonelBundy)
• Remove stale local members in the group cache for Multicast, which resolves an issue that the same receiver may fail to receive multicast packets after it rejoins the group. (#7154, @wenyingd)
• Fix Agent crash when deleting the Secret storing BGP passwords. (#7042, @hongliangl)
• Fix rollback when configureContainerLinkVeth fails, to ensure subsequent retries can succeed. (#7210 #7213, @tnqn)
• Upgrade otelhttp to v0.55.0 to fix WriteHeader logging flood. (#7196, @DeeBi9)

Antrea v2.3.1

Changed

• Update go-ipfix to v0.14.0. (#7080, @antoninbas)
• Document SecondaryNetwork support for SR-IOV. (#7076, @tnqn)
• Periodically sync permanent neighbors to ensure route correctness for Antrea host gateway interface. (#7238, @hongliangl)

Fixed

• Enhance OVS commands for Antrea Windows to accelerate container recovery after OVS processes restart and improve robustness. (#7228, @XinShuYang)
• Sync affected groups in the Antrea Controller when a Pod goes into Terminated state, to ensure that the required updates are sent immediately to Agents. (#7217, @Dyanngg)
• Fix race condition when getting metrics via antctl for FlowAggregator. (#7230, @antoninbas)
• Fix rollback when configureContainerLinkVeth fails, to ensure subsequent retries can succeed. (#7210 #7213, @tnqn)
• Remove stale local members in the group cache for Multicast, which resolves an issue that the same receiver may fail to receive multicast packets after it rejoins the group. (#7154, @wenyingd)
• Fix Agent crash when deleting the Secret storing BGP passwords. (#7042, @hongliangl)

Antrea v2.2.1

Changed

• Upgrade CNI plugins from v1.5.1 to v1.6.2. (#6796, @luolanzone)
• Update some golang.org/x dependencies to resolve CVEs. (#6930, @antoninbas)

Fixed

• Fix antrea-agent crash issue when deleting the Secret which is storing BGP passwords. (#7042, @hongliangl)
• Filter out the hostNetwork Pods locally on Linux to fix K8s compatibility issue, since the spec.hostNetwork field selector for Pods is not supported before K8s v1.28. (#7012, @wenyingd)
• Add -ComputerName localhost explicitly for VMSwitch commands to avoid potential validation issues on Windows with Active Directory. (#6985, @XinShuYang)
• Reconcile Pods with hostNetwork after Antrea Agent is restarted on Windows. (#6944, @wenyingd)
• Fix PacketCapture bpf filter issue to avoid receiving packets when the socket is created but the bpf filter is not applied yet. (#6821, @hangyan)
• Set the maximum packet size explicitly to fix an issue with reading PacketCapture pcapng files with tcpdump on macOS. (#6804, @hangyan)
• Remove stale OVS interfaces in the CNIServer reconciler if the original Pod interface is disconnected. (#6919, @wenyingd)
• Ensure that promote_secondaries is set on IPAssigner interfaces to avoid the automatic removal of all other IP addresses in the same subnet when the primary IP address is deleted. (#6898 #6900, @antoninbas)
• Ensure that OpenFlow rules for a Windows Pod are installed as long as the OpenFlow port is allocated, even if its state is incorrectly reported as "LINK_DOWN". (#6889, @wenyingd)
• Fix audit logging for default deny-all K8s NetworkPolicy rules. (#6855, @qiyueyao)
• Fix race condition when getting BGP routes in BGPController. (#6823, @Atish-iaf)