
// AgentConfig holds the antrea-agent configuration. The yaml struct tags give the
// keys used in the agent's YAML configuration file; nested sections have their own
// config types (NodePortLocalConfig, FlowExporterConfig, MulticastConfig, ...).
type AgentConfig struct {
	// featureGates is a map of feature names to bools that enable or disable experimental features.
	FeatureGates map[string]bool `yaml:"featureGates,omitempty"`

	// CNISocket is the socket path used by the agent's CNI integration.
	// NOTE(review): this field is undocumented upstream; confirm the default and the
	// component that listens on it before relying on this description.
	CNISocket string `yaml:"cniSocket,omitempty"`
	// clientConnection specifies the kubeconfig file and client connection settings for the agent
	// to communicate with the apiserver.
	ClientConnection componentbaseconfig.ClientConnectionConfiguration `yaml:"clientConnection"`
	// AntreaClientConnection specifies the kubeconfig file and client connection settings for the
	// agent to communicate with the Antrea Controller apiserver.
	AntreaClientConnection componentbaseconfig.ClientConnectionConfiguration `yaml:"antreaClientConnection"`
	// Name of the OpenVSwitch bridge antrea-agent will create and use.
	// Make sure it doesn't conflict with your existing OpenVSwitch bridges.
	// Defaults to br-int.
	OVSBridge string `yaml:"ovsBridge,omitempty"`
	// Datapath type to use for the OpenVSwitch bridge created by Antrea. At the moment, the only supported
	// value is 'system', which corresponds to the kernel datapath.
	OVSDatapathType string `yaml:"ovsDatapathType,omitempty"`
	// Runtime data directory used by Open vSwitch.
	// Default value:
	// - On Linux platform: /var/run/openvswitch
	// - On Windows platform: C:\openvswitch\var\run\openvswitch
	OVSRunDir string `yaml:"ovsRunDir,omitempty"`
	// Name of the interface antrea-agent will create and use for host <--> pod communication.
	// Make sure it doesn't conflict with your existing interfaces.
	// Defaults to antrea-gw0.
	HostGateway string `yaml:"hostGateway,omitempty"`
	// Determines how traffic is encapsulated. It has the following options:
	// encap(default):    Inter-node Pod traffic is always encapsulated and Pod to external network
	//                    traffic is SNAT'd.
	// noEncap:           Inter-node Pod traffic is not encapsulated; Pod to external network traffic is
	//                    SNAT'd if noSNAT is not set to true. Underlying network must be capable of
	//                    supporting Pod traffic across IP subnets.
	// hybrid:            noEncap if source and destination Nodes are on the same subnet, otherwise encap.
	// networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod
	//                    IPAM and connectivity to the primary CNI.
	TrafficEncapMode string `yaml:"trafficEncapMode,omitempty"`
	// Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network.
	// This option is for the noEncap traffic mode only, and the default value is false. In the noEncap
	// mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to
	// the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never
	// performs SNAT and this option will be ignored; for other modes it must be set to false.
	NoSNAT bool `yaml:"noSNAT,omitempty"`
	// Tunnel protocols used for encapsulating traffic across Nodes. Supported values:
	// - geneve (default)
	// - vxlan
	// - gre
	// - stt
	TunnelType string `yaml:"tunnelType,omitempty"`
	// TunnelPort is the destination port for UDP and TCP based tunnel protocols (Geneve, VXLAN, and STT).
	// If zero, it will use the assigned IANA port for the protocol, i.e. 6081 for Geneve, 4789 for VXLAN,
	// and 7471 for STT.
	TunnelPort int32 `yaml:"tunnelPort,omitempty"`
	// TunnelCsum determines whether to compute UDP encapsulation header (Geneve or VXLAN) checksums on outgoing
	// packets. For Linux kernel before Mar 2021, UDP checksum must be present to trigger GRO on the receiver for better
	// performance of Geneve and VXLAN tunnels. The issue has been fixed by
	// https://github.com/torvalds/linux/commit/89e5c58fc1e2857ccdaae506fb8bc5fed57ee063, thus computing UDP checksum is
	// no longer necessary.
	// Default is false. It should only be set to true when you are using an unpatched Linux kernel and observing poor
	// transfer performance.
	TunnelCsum bool `yaml:"tunnelCsum,omitempty"`
	// Default MTU to use for the host gateway interface and the network interface of each Pod.
	// If omitted, antrea-agent will discover the MTU of the Node's primary interface and
	// also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
	DefaultMTU int `yaml:"defaultMTU,omitempty"`
	// Mount location of the /proc directory. The default is "/host", which is appropriate when
	// antrea-agent is run as part of the Antrea DaemonSet (and the host's /proc directory is mounted
	// as /host/proc in the antrea-agent container). When running antrea-agent as a process,
	// hostProcPathPrefix should be set to "/" in the YAML config.
	HostProcPathPrefix string `yaml:"hostProcPathPrefix,omitempty"`
	// ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
	// set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
	// AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
	// Default is 10.96.0.0/12
	ServiceCIDR string `yaml:"serviceCIDR,omitempty"`
	// ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
	// cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
	// --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
	// No default value for this field.
	ServiceCIDRv6 string `yaml:"serviceCIDRv6,omitempty"`
	// EnableIPSecTunnel is the legacy switch for IPsec encryption of tunnel traffic.
	//
	// Deprecated: use TrafficEncryptionMode instead.
	EnableIPSecTunnel bool `yaml:"enableIPSecTunnel,omitempty"`
	// Determines how tunnel traffic is encrypted.
	// It has the following options:
	// - none (default): Inter-node Pod traffic will not be encrypted.
	// - ipsec:          Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses
	//                   Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled,
	//                   the PSK value must be passed to Antrea Agent through an environment
	//                   variable: ANTREA_IPSEC_PSK.
	// - wireguard:      Enable WireGuard for tunnel traffic encryption.
	// See also IPsec.AuthenticationMode, which selects PSK or certificate based IKE authentication.
	TrafficEncryptionMode string `yaml:"trafficEncryptionMode,omitempty"`
	// WireGuard related configurations.
	WireGuard WireGuardConfig `yaml:"wireGuard"`
	// Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected
	// to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are
	// allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the
	// underlay network.
	// This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only
	// IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`,
	// `trafficEncapMode` is `noEncap`, and `noSNAT` is true.
	EnableBridgingMode bool `yaml:"enableBridgingMode,omitempty"`
	// Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the
	// datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum.
	// It affects Pods running on Linux Nodes only.
	DisableTXChecksumOffload bool `yaml:"disableTXChecksumOffload,omitempty"`
	// APIPort is the port for the antrea-agent APIServer to serve on.
	// Defaults to 10350.
	APIPort int `yaml:"apiPort,omitempty"`
	// ClusterMembershipPort is the server port used by the antrea-agent to run a gossip-based cluster
	// membership protocol. Currently it's used only when the Egress feature is enabled.
	// Defaults to 10351.
	ClusterMembershipPort int `yaml:"clusterPort,omitempty"`
	// Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
	// Defaults to true (a nil pointer means "not set", so the default applies).
	EnablePrometheusMetrics *bool `yaml:"enablePrometheusMetrics,omitempty"`
	// FlowCollectorAddr is the legacy flow collector address setting.
	//
	// Deprecated: use the FlowExporter config options instead.
	FlowCollectorAddr string `yaml:"flowCollectorAddr,omitempty"`
	// FlowPollInterval is the legacy flow poll interval setting.
	//
	// Deprecated: use the FlowExporter config options instead.
	FlowPollInterval string `yaml:"flowPollInterval,omitempty"`
	// ActiveFlowExportTimeout is the legacy active flow export timeout setting.
	//
	// Deprecated: use the FlowExporter config options instead.
	ActiveFlowExportTimeout string `yaml:"activeFlowExportTimeout,omitempty"`
	// IdleFlowExportTimeout is the legacy idle flow export timeout setting.
	//
	// Deprecated: use the FlowExporter config options instead.
	IdleFlowExportTimeout string `yaml:"idleFlowExportTimeout,omitempty"`
	// NPLPortRange is the legacy NodePortLocal port range setting.
	//
	// Deprecated: use the NodePortLocal config options instead.
	NPLPortRange string `yaml:"nplPortRange,omitempty"`
	// NodePortLocal (NPL) configuration options.
	NodePortLocal NodePortLocalConfig `yaml:"nodePortLocal,omitempty"`
	// FlowExporter configuration options.
	FlowExporter FlowExporterConfig `yaml:"flowExporter,omitempty"`
	// Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
	// It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
	// Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
	KubeAPIServerOverride string `yaml:"kubeAPIServerOverride,omitempty"`
	// Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy.
	// Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53,
	// [fd00:10:96::a]:53).
	DNSServerOverride string `yaml:"dnsServerOverride,omitempty"`
	// Cipher suites to use for the agent's TLS listener.
	// NOTE(review): the accepted format (presumably a comma-separated list of Go cipher suite
	// names) and the default set are not documented here — confirm against the APIServer setup.
	TLSCipherSuites string `yaml:"tlsCipherSuites,omitempty"`
	// TLS min version for the agent's TLS listener.
	// NOTE(review): the accepted values and the default are not documented here — confirm
	// against the APIServer setup.
	TLSMinVersion string `yaml:"tlsMinVersion,omitempty"`
	// The name of the interface on Node which is used for tunneling or routing the traffic across Nodes.
	// If there are multiple IP addresses configured on the interface, the first one is used. The IP
	// address used for tunneling or routing traffic to remote Nodes is decided in the following order of
	// preference (from highest to lowest):
	// 1. TransportInterface
	// 2. TransportInterfaceCIDRs
	// 3. The Node IP
	TransportInterface string `yaml:"transportInterface,omitempty"`
	// The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across
	// Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The
	// IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of
	// preference (from highest to lowest):
	// 1. TransportInterface
	// 2. TransportInterfaceCIDRs
	// 3. The Node IP
	TransportInterfaceCIDRs []string `yaml:"transportInterfaceCIDRs,omitempty"`
	// The names of the interfaces on Nodes that are used to forward multicast traffic.
	// Defaults to transport interface if not set.
	//
	// Deprecated: use Multicast.MulticastInterfaces instead.
	MulticastInterfaces []string `yaml:"multicastInterfaces,omitempty"`
	// Multicast configuration options.
	Multicast MulticastConfig `yaml:"multicast,omitempty"`
	// AntreaProxy contains AntreaProxy related configuration options.
	AntreaProxy AntreaProxyConfig `yaml:"antreaProxy,omitempty"`
	// Egress related configurations.
	Egress EgressConfig `yaml:"egress"`
	// IPsec related configurations.
	IPsec IPsecConfig `yaml:"ipsec"`
	// Multicluster configuration options.
	Multicluster MulticlusterConfig `yaml:"multicluster,omitempty"`
	// NodeType is type of the Node where Antrea Agent is running.
	// Defaults to "k8sNode". Valid values include "k8sNode", and "externalNode".
	NodeType string `yaml:"nodeType,omitempty"`
	// ExternalNode related configurations.
	ExternalNode ExternalNodeConfig `yaml:"externalNode,omitempty"`
	// Antrea's native secondary network configuration.
	SecondaryNetwork SecondaryNetworkConfig `yaml:"secondaryNetwork,omitempty"`
}


// AntreaProxyConfig holds the AntreaProxy related options of the agent configuration
// (the "antreaProxy" section of the agent YAML config).
type AntreaProxyConfig struct {
	// ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic,
	// regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy
	// feature to be enabled.
	ProxyAll bool `yaml:"proxyAll,omitempty"`
	// A string array of values which specifies the host IPv4/IPv6 addresses for NodePorts. Values may be valid IP blocks.
	// (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses.
	NodePortAddresses []string `yaml:"nodePortAddresses,omitempty"`
	// An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these
	// Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name
	// with Namespace (e.g. kube-system/kube-dns).
	SkipServices []string `yaml:"skipServices,omitempty"`
	// When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the
	// External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional
	// capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the
	// external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy.
	// Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and
	// kube-proxy is removed from the cluster, otherwise kube-proxy will still load-balance this traffic.
	// Defaults to true (a nil pointer means "not set", so the default applies).
	ProxyLoadBalancerIPs *bool `yaml:"proxyLoadBalancerIPs,omitempty"`
	// The value of service.kubernetes.io/service-proxy-name label for AntreaProxy to match. If it is set, then
	// AntreaProxy only handles the Service objects matching this label. The default value is empty string, which
	// means that AntreaProxy will manage all Service objects without the mentioned label.
	ServiceProxyName string `yaml:"serviceProxyName,omitempty"`
	// Determines how external traffic is processed when it's load balanced across Nodes by default.
	// It has the following options:
	// - nat (default): External traffic is SNAT'd when it's load balanced across Nodes to ensure symmetric path.
	// - dsr:           External traffic is never SNAT'd. Backend Pods running on Nodes that are not the ingress Node
	//                  can reply to clients directly, bypassing the ingress Node.
	// A Service's load balancer mode can be overridden by annotating it with `service.antrea.io/load-balancer-mode`.
	DefaultLoadBalancerMode string `yaml:"defaultLoadBalancerMode,omitempty"`
}


// EgressConfig holds the Egress related options of the agent configuration
// (the "egress" section of the agent YAML config).
type EgressConfig struct {
	// ExceptCIDRs lists CIDRs in string form.
	// NOTE(review): undocumented upstream; presumably destination CIDRs for which Egress
	// is not applied — confirm against the Egress controller before relying on this.
	ExceptCIDRs []string `yaml:"exceptCIDRs,omitempty"`
	// The maximum number of Egress IPs that can be assigned to a Node. It's useful when the Node network restricts
	// the number of secondary IPs a Node can have, e.g. EKS. It must not be greater than 255.
	// Defaults to 255.
	MaxEgressIPsPerNode int `yaml:"maxEgressIPsPerNode,omitempty"`
}


// ExternalNodeConfig holds the options used when the agent runs on an ExternalNode
// (AgentConfig.NodeType == "externalNode"); it is the "externalNode" section of the
// agent YAML config.
type ExternalNodeConfig struct {
	// The expected Namespace in which the ExternalNode should be created for a VM or baremetal server Node.
	// The default value is "default".
	// It is used only when NodeType is externalNode.
	ExternalNodeNamespace string `yaml:"externalNodeNamespace,omitempty"`
	// The policy bypass rules define traffic that should bypass NetworkPolicy rules.
	// Each rule contains the following four attributes:
	// direction (ingress|egress), protocol(tcp/udp/icmp/ip), remote CIDR, dst port (ICMP doesn't require).
	// See PolicyBypassRule for the per-field description.
	// It is used only when NodeType is externalNode.
	PolicyBypassRules []PolicyBypassRule `yaml:"policyBypassRules,omitempty"`
}


// FlowExporterConfig holds the FlowExporter options of the agent configuration
// (the "flowExporter" section of the agent YAML config). Durations are given as
// strings in Go duration format (e.g. "5s").
type FlowExporterConfig struct {
	// Enable FlowExporter, a feature used to export polled conntrack connections as
	// IPFIX flow records from each agent to a configured collector. To enable this
	// feature, you need to set "enable" to true, and ensure that the FlowExporter
	// feature gate is also enabled.
	Enable bool `yaml:"enable,omitempty"`
	// Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
	// HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
	// using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
	// wrapped with []. When the collector is running in-cluster as a Service, set
	// <HOST> to <Service namespace>/<Service name>. For example,
	// "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea
	// Flow Aggregator Service.
	// If PORT is empty, we default to 4739, the standard IPFIX port.
	// If no PROTO is given, we consider "tcp" as default. We support "tcp" and
	// "udp" L4 transport protocols.
	// Defaults to "flow-aggregator/flow-aggregator:4739:tcp".
	FlowCollectorAddr string `yaml:"flowCollectorAddr,omitempty"`
	// Provide flow poll interval in format "0s". This determines how often flow
	// exporter dumps connections in conntrack module. Flow poll interval should
	// be greater than or equal to 1s(one second).
	// Defaults to "5s". Valid time units are "ns", "us" (or "µs"), "ms", "s",
	// "m", "h".
	FlowPollInterval string `yaml:"flowPollInterval,omitempty"`
	// Provide the active flow export timeout, which is the timeout after which
	// a flow record is sent to the collector for active flows. Thus, for flows
	// with a continuous stream of packets, a flow record will be exported to the
	// collector once the elapsed time since the last export event is equal to the
	// value of this timeout.
	// Defaults to "30s". Valid time units are "ns", "us" (or "µs"), "ms", "s",
	// "m", "h".
	ActiveFlowExportTimeout string `yaml:"activeFlowExportTimeout,omitempty"`
	// Provide the idle flow export timeout, which is the timeout after which a
	// flow record is sent to the collector for idle flows. A flow is considered
	// idle if no packet matching this flow has been observed since the last export
	// event.
	// Defaults to "15s". Valid time units are "ns", "us" (or "µs"), "ms", "s",
	// "m", "h".
	IdleFlowExportTimeout string `yaml:"idleFlowExportTimeout,omitempty"`
}


// IPsecConfig holds the IPsec options of the agent configuration (the "ipsec"
// section of the agent YAML config). It only takes effect when
// AgentConfig.TrafficEncryptionMode selects IPsec.
type IPsecConfig struct {
	// The authentication mode of IPsec tunnel. It has the following options:
	// - psk (default): Use pre-shared key (PSK) for IKE authentication. The PSK is read from
	//                  the ANTREA_IPSEC_PSK environment variable (see AgentConfig.TrafficEncryptionMode).
	// - cert:          Use CA-signed certificates for IKE authentication.
	AuthenticationMode string `yaml:"authenticationMode,omitempty"`
}


// MulticastConfig holds the Multicast options of the agent configuration
// (the "multicast" section of the agent YAML config).
type MulticastConfig struct {
	// To enable Multicast, you need to set "enable" to true, and ensure that the
	// Multicast feature gate is also enabled (which is the default).
	Enable bool `yaml:"enable,omitempty"`
	// The names of the interfaces on Nodes that are used to forward multicast traffic.
	// Defaults to transport interface if not set.
	MulticastInterfaces []string `yaml:"multicastInterfaces,omitempty"`
	// The interval for antrea-agent to send IGMP queries to Pods, as a duration string.
	// Defaults to 125 seconds.
	IGMPQueryInterval string `yaml:"igmpQueryInterval"`
	// The versions of IGMP queries antrea-agent sends to Pods.
	// Defaults to [1, 2, 3].
	IGMPQueryVersions []int `yaml:"igmpQueryVersions"`
}


// MulticlusterConfig holds the Multi-cluster options of the agent configuration
// (the "multicluster" section of the agent YAML config).
type MulticlusterConfig struct {
	// Enable is kept in MulticlusterConfig to be compatible with earlier version (<= v1.10)
	// Antrea deployment manifests.
	//
	// Deprecated: replaced by "enableGateway" (EnableGateway).
	Enable bool `yaml:"enable,omitempty"`
	// Enable Multi-cluster Gateway.
	EnableGateway bool `yaml:"enableGateway,omitempty"`
	// The Namespace where Antrea Multi-cluster Controller is running.
	// The default is antrea-agent's Namespace.
	Namespace string `yaml:"namespace,omitempty"`
	// Enable Multi-cluster NetworkPolicy which allows Antrea-native policy ingress rules to select peers
	// from all clusters in a ClusterSet.
	EnableStretchedNetworkPolicy bool `yaml:"enableStretchedNetworkPolicy,omitempty"`
	// Enable Multi-cluster Pod to Pod connectivity which allows one Pod access to another Pod in other member
	// clusters directly. This feature also requires Pod CIDRs to be provided in the Multi-cluster Controller
	// configuration.
	EnablePodToPodConnectivity bool `yaml:"enablePodToPodConnectivity,omitempty"`
	// Antrea Multi-cluster WireGuard tunnel configuration.
	WireGuard WireGuardConfig `yaml:"wireGuard,omitempty"`
	// Determines how cross-cluster traffic is encrypted.
	// It has the following options:
	// - none (default): Cross-cluster traffic will not be encrypted.
	// - wireGuard:      Enable WireGuard for tunnel traffic encryption.
	// Note the value spelling ("wireGuard") differs from AgentConfig.TrafficEncryptionMode ("wireguard").
	TrafficEncryptionMode string `yaml:"trafficEncryptionMode,omitempty"`
}


// NodePortLocalConfig holds the NodePortLocal (NPL) options of the agent configuration
// (the "nodePortLocal" section of the agent YAML config).
type NodePortLocalConfig struct {
	// Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the
	// host. To enable this feature, you need to set "enable" to true, and ensure that the
	// NodePortLocal feature gate is also enabled (which is the default).
	Enable bool `yaml:"enable,omitempty"`
	// Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled,
	// a port from that range will be assigned whenever a Pod's container defines a specific
	// port to be exposed (each container can define a list of ports as
	// pod.spec.containers[].ports), and all Node traffic directed to that port will be
	// forwarded to the Pod.
	// NOTE(review): the string format of the range (e.g. "low-high") is not documented here — confirm.
	PortRange string `yaml:"portRange,omitempty"`
}


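// PolicyBypassRule describes traffic on an ExternalNode that bypasses NetworkPolicy
// enforcement. It is an element of ExternalNodeConfig.PolicyBypassRules and is read
// from the agent YAML config, so every field carries a yaml tag.
//
// The CIDR field previously carried only a json tag while its siblings used yaml
// tags; it now carries both, so the YAML key "cidr" is matched explicitly by the
// YAML decoder rather than by the decoder's fallback field-name mapping, and any
// JSON consumer keeps the same key.
type PolicyBypassRule struct {
	// The direction value can be ingress or egress.
	Direction string `yaml:"direction,omitempty"`
	// The protocol which traffic must match. Supported values are TCP, UDP, ICMP and IP.
	Protocol string `yaml:"protocol,omitempty"`
	// CIDR marks the destination CIDR for Egress and source CIDR for Ingress.
	CIDR string `yaml:"cidr,omitempty" json:"cidr,omitempty"`
	// The destination port of the given protocol.
	Port int `yaml:"port,omitempty"`
}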


// SecondaryNetworkConfig holds Antrea's native secondary network options of the agent
// configuration (the "secondaryNetwork" section of the agent YAML config).
type SecondaryNetworkConfig struct {
	// Secondary network specific OVS configuration.
	OVS SecondaryNetworkOVSConfig `yaml:"ovs,omitempty"`
	// TunnelType to be used for node to node transport, which is part of the same virtual network.
	// NOTE(review): accepted values are not listed here; presumably the same set as
	// AgentConfig.TunnelType — confirm.
	TunnelType string `yaml:"tunnelType,omitempty"`
}


// SecondaryNetworkOVSConfig holds the OVS settings for Antrea's native secondary network
// (the "ovs" subsection of SecondaryNetworkConfig).
type SecondaryNetworkOVSConfig struct {
	// Enable Antrea's native secondary network OVS configuration.
	Enable bool `yaml:"enable,omitempty"`
	// OVS integration bridge name.
	OVSIntegrationBridgeName string `yaml:"ovsIntegrationBridgeName,omitempty"`
	// OVS transport bridge name.
	OVSTransportBridgeName string `yaml:"ovsTransportBridgeName,omitempty"`
	// OVS Datapath type to use for the OpenVSwitch bridge created by Antrea.
	// NOTE(review): presumably the same values as AgentConfig.OVSDatapathType ('system') — confirm.
	OVSDatapathType string `yaml:"ovsDatapathType,omitempty"`
	// OVS patch port which connects the integration and transport bridge.
	OVSPatchPort string `yaml:"ovsPatchPort,omitempty"`
}


// WireGuardConfig holds the WireGuard tunnel options. It is used both for the agent's
// inter-Node tunnel (AgentConfig.WireGuard) and for the Multi-cluster tunnel
// (MulticlusterConfig.WireGuard).
type WireGuardConfig struct {
	// The UDP port for WireGuard to receive traffic. Defaults to 51820.
	Port int `yaml:"port,omitempty"`
}
