- Stop using
projects.registry.vmware.com
for user-facing images. (#6073, @antoninbas) - Persist TLS certificate and key of antrea-controller and periodically sync the CA cert to improve robustness. (#5955, @tnqn)
- Disable cgo for all Antrea binaries. (#5988, @antoninbas)
- Disable
libcapng
to make logrotate run as root in UBI images to fix an OVS crash issue. (#6052, @xliuxu) - Fix nil pointer dereference when ClusterGroup/Group is used in NetworkPolicy controller. (#6077, @tnqn)
- Fix race condition in agent Traceflow controller when a tag is associated again with a new Traceflow before the old Traceflow deletion event is processed. (#5954, @tnqn)
- Change the maximum flags from 7 to 255 to fix the wrong TCP flags validation issue in Traceflow CRD. (#6050, @gran-vmv)
- Update maximum number of buckets to 700 in OVS group add/insert_bucket message. (#5942, @hongliangl)
- Use 65000 MTU upper bound for interfaces in encap mode in case of large packets being dropped unexpectedly. (#5997, @antoninbas)
- Enable IPv4/IPv6 forwarding on demand automatically to eliminate the need for user intervention or dependencies on other components. (#5833, @tnqn)
- Store NetworkPolicy in filesystem as fallback data source to let antrea-agent fallback to use the files if it can't connect to antrea-controller on startup. (#5739, @tnqn)
- Support Local ExternalTrafficPolicy for Services with ExternalIPs when Antrea proxyAll mode is enabled. (#5795, @tnqn)
- Enable Pod network after realizing initial NetworkPolicies to avoid traffic from/to Pods bypassing NetworkPolicy when antrea-agent restarts. (#5777, @tnqn)
- Fix Clean-AntreaNetwork.ps1 invocation in Prepare-AntreaAgent.ps1 for containerized OVS on Windows. (#5859, @antoninbas)
- Add missing space to kubelet args in Prepare-Node.ps1 so that kubelet can start successfully on Windows. (#5858, @antoninbas)
- Update Windows OVS download link to remove the redundant certificate to fix OVS driver installation failure. (#5839, @XinShuYang)
- Add DHCP IP retries in PrepareHNSNetwork on Windows to fix the potential race condition issue where acquiring a DHCP IP address may fail after CreateHNSNetwork. (#5819, @XinShuYang)
- Fix
antctl trace-packet
command failure which is caused by arguments missing issue. (#5838, @luolanzone) - Fix incorrect MTU configurations for the WireGuard encryption mode and GRE tunnel mode. (#5880 #5926, @hjiajing @tnqn)
- Fix the CrashLookBackOff issue when using the UBI-based image. (#5723, @antoninbas)
- Skip enforcement of ingress NetworkPolicies rules for hairpinned Service traffic (Pod accessing itself via a Service). (#5687 #5705, @GraysonWu)
- Set net.ipv4.conf.antrea-gw0.arp_announce to 1 to fix an ARP request leak when a Node or hostNetwork Pod accesses a local Pod and AntreaIPAM is enabled. (#5657, @gran-vmv)
- Add rate-limit config to Egress to specify the rate limit of north-south egress traffic of this Egress. (#5425, @GraysonWu)
- Add
IPAllocated
andIPAssigned
conditions to Egress status to improve Egress visibility. (#5282, @AJPL88 @tnqn) - Add goroutine stack dump in
SupportBundle
for both Antrea Agent and Antrea Controller. (#5538, @aniketraj1947) - Add "X-Load-Balancing-Endpoint-Weight" header to AntreaProxy Service healthcheck. (#5299, @hongliangl)
- Add log rotation configuration in Antrea Agent config for audit logs. (#5337 #5366, @antoninbas @mengdie-song)
- Add GroupMembers API Pagination support to Antrea Go clientset. (#5533, @qiyueyao)
- Add Namespaced Group Membership API for Antrea Controller. (#5380, @qiyueyao)
- Support Pod secondary interfaces on VLAN network. (#5341 #5365 #5279, @jianjuns)
- Enable Windows OVS container to run on pristine host environment, without requiring some dependencies to be installed manually ahead of time. (#5440, @NamanAg30)
- Update
Install-WindowsCNI-Containerd.ps1
script to make it compatible with containerd 1.7. (#5528, @NamanAg30) - Add a new all-in-one manifest for the Multi-cluster leader cluster, and update the Multi-cluster user guide. (#5389 #5531, @luolanzone)
- Clean up auto-generated resources in leader and member clusters when a ClusterSet is deleted, and recreate resources when a member cluster rejoins the ClusterSet. (#5351 #5410, @luolanzone)
- Multiple APIs are promoted from beta to GA. The corresponding feature gates are removed from Antrea config files.
- Promote feature gate EndpointSlice to GA. (#5393, @hongliangl)
- Promote feature gate NodePortLocal to GA. (#5491, @hjiajing)
- Promote feature gate AntreaProxy to GA, and add an option
antreaProxy.enable
to allow users to disable this feature. (#5401, @hongliangl)
- Make antrea-controller not tolerate Node unreachable to speed up the failover process. (#5521, @tnqn)
- Improve
antctl get featuregates
output. (#5314, @cr7258) - Increase the rate limit setting of
PacketInMeter
and the size ofPacketInQueue
. (#5460, @GraysonWu) - Add
hostAliases
to Helm values for Flow Aggregator. (#5386, @yuntanghsu) - Decouple Audit logging from AntreaPolicy feature gate to enable logging for NetworkPolicy when AntreaPolicy is disabled. (#5352, @qiyueyao)
- Change Traceflow CRD validation to webhook validation. (#5230, @shi0rik0)
- Stop using
/bin/sh
and invoke the binary directly for OVS commands in Antrea Agent. (#5364, @antoninbas) - Install flows for nested Services in
EndpointDNAT
only when Antrea Multi-cluster is enabled. (#5411, @hongliangl) - Make rate-limiting of PacketIn messages configurable; the same rate-limit value applies to each feature that is dependent on PacketIn messages (e.g, Traceflow) but the limit is enforced independently for each feature. (#5450, @GraysonWu)
- Change the default flow's action to
drop
inARPSpoofGuardTable
to effectively prevent ARP spoofing. (#5378, @hongliangl) - Remove auto-generated suffix from ConfigMap names, and add config checksums as Deployment annotations in Windows manifests, to avoid stale ConfigMaps when updating Antrea while preserving automatic rolling of Pods. (#5545, @Atish-iaf)
- Add a ClusterSet deletion webhook for the leader cluster to reject ClusterSet deletion if there is any MemberClusterAnnounce. (#5475, @luolanzone)
- Update Go version to v1.21. (#5377, @antoninbas)
- Remove the dependency of the MulticastGroup API on the NetworkPolicyStats feature gate, to fix the empty list issue when users run
kubectl get multicastgroups
even when the Multicast is enabled. (#5367, @ceclinux) - Fix
antctl tf
CLI failure when the Traceflow is using an IPv6 address. (#5588, @Atish-iaf) - Fix a deadlock issue in NetworkPolicy Controller which causes a FQDN resolution failure. (#5566 #5583, @Dyanngg @tnqn)
- Fix NetworkPolicy span calculation to avoid out-dated data when multiple NetworkPolicies have the same selector. (#5554, @tnqn)
- Use the first matching address when getting Node address to find the correct transport interface. (#5529, @xliuxu)
- Fix rollback invocation after CmdAdd failure in CNI server and improve logging. (#5548, @antoninbas)
- Add error log when Antrea network's MTU exceeds Suricata's maximum supported value. (#5408, @hongliangl)
- Do not delete IPv6 link-local route in route reconciler to fix cross-Node Pod traffic or Pod-to-external traffic. (#5483, @wenyingd)
- Do not apply Egress to traffic destined for ServiceCIDRs to avoid performance issue and unexpected behaviors. (#5495, @tnqn)
- Unify TCP and UDP DNS interception flows to fix invalid flow matching for DNS responses. (#5392, @GraysonWu)
- Fix the burst setting of the
PacketInQueue
to reduce the DNS response delay when a Pod has any FQDN policy applied. (#5456, @tnqn) - Fix SSL library downloading failure in Install-OVS.ps1 on Windows. (#5510, @XinShuYang)
- Do not attempt to join Windows antrea-agents to the memberlist cluster to avoid misleading error logs. (#5434, @tnqn)
- Fix an issue that antctl proxy is not using the user specified port. (#5435, @tnqn)
- Enable IPv6 on OVS internal port if needed in bridging mode to fix agent crash issue when IPAM is enabled. (#5409, @antoninbas)
- Fix missing protocol in Service when processing ANP named ports to ensure rule can be enforced correctly in OVS. (#5370, @Dyanngg)
- Fix error log when agent fails to connect to K8s API. (#5353, @tnqn)
- Fix a bug that ClusterSet status is not updated in Antrea Multi-cluster. (#5338, @luolanzone)
- Fix an Antrea Controller crash issue in handling empty Pod labels for LabelIdentity when the config enableStretchedNetworkPolicy is enabled for Antrea Multi-cluster. (#5404 #5449, @Dyanngg)
- Always initialize
ovs_meter_packet_dropped_count
metrics to fix a bug that the metrics are not showing up if OVS Meter is not supported on the system. (#5413, @tnqn) - Skip starting modules which are not required by VM Agent to fix logs flood due to RBAC warning. (#5391, @mengdie-song)