
Antrea Deployment YAML
# AntreaAgentInfo and AntreaControllerInfo CRDs. Each kind is declared twice,
# once under clusterinformation.antrea.tanzu.vmware.com and once under
# crd.antrea.io. All four are cluster-scoped and serve and store only v1beta1.
#
# Security note: every schema below is a bare `type: object` with
# x-kubernetes-preserve-unknown-fields set at the root and no properties
# declared, so the API server neither validates nor prunes the fields of these
# objects. Whoever can create or update them can store arbitrary content;
# keep write access in RBAC limited to the Antrea components that report it.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app: antrea
  name: antreaagentinfos.clusterinformation.antrea.tanzu.vmware.com
spec:
  group: clusterinformation.antrea.tanzu.vmware.com
  names:
    kind: AntreaAgentInfo
    plural: antreaagentinfos
    shortNames:
      - laai
    singular: antreaagentinfo
  scope: Cluster
  versions:
    - name: v1beta1
      schema:
        openAPIV3Schema:
          type: object
          # Root-level opt-out of pruning: unknown fields are kept as sent.
          x-kubernetes-preserve-unknown-fields: true
      served: true
      storage: true
---
# Same kind as above, under the crd.antrea.io group (short name aai).
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app: antrea
  name: antreaagentinfos.crd.antrea.io
spec:
  group: crd.antrea.io
  names:
    kind: AntreaAgentInfo
    plural: antreaagentinfos
    shortNames:
      - aai
    singular: antreaagentinfo
  scope: Cluster
  versions:
    - name: v1beta1
      schema:
        openAPIV3Schema:
          type: object
          # Root-level opt-out of pruning: unknown fields are kept as sent.
          x-kubernetes-preserve-unknown-fields: true
      served: true
      storage: true
---
# AntreaControllerInfo under clusterinformation.antrea.tanzu.vmware.com
# (short name laci).
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app: antrea
  name: antreacontrollerinfos.clusterinformation.antrea.tanzu.vmware.com
spec:
  group: clusterinformation.antrea.tanzu.vmware.com
  names:
    kind: AntreaControllerInfo
    plural: antreacontrollerinfos
    shortNames:
      - laci
    singular: antreacontrollerinfo
  scope: Cluster
  versions:
    - name: v1beta1
      schema:
        openAPIV3Schema:
          type: object
          # Root-level opt-out of pruning: unknown fields are kept as sent.
          x-kubernetes-preserve-unknown-fields: true
      served: true
      storage: true
---
# AntreaControllerInfo under crd.antrea.io (short name aci).
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app: antrea
  name: antreacontrollerinfos.crd.antrea.io
spec:
  group: crd.antrea.io
  names:
    kind: AntreaControllerInfo
    plural: antreacontrollerinfos
    shortNames:
      - aci
    singular: antreacontrollerinfo
  scope: Cluster
  versions:
    - name: v1beta1
      schema:
        openAPIV3Schema:
          type: object
          # Root-level opt-out of pruning: unknown fields are kept as sent.
          x-kubernetes-preserve-unknown-fields: true
      served: true
      storage: true
# The next document is cut by the end of this block; its layout is left as found.
--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: labels: app: antrea name: clustergroups.core.antrea.tanzu.vmware.com spec: group: core.antrea.tanzu.vmware.com 
names: kind: ClusterGroup plural: clustergroups shortNames: - lcg singular: group scope: Cluster versions: - name: v1alpha2 schema: openAPIV3Schema: properties: spec: properties: childGroups: items: type: string type: array externalEntitySelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object ipBlock: properties: cidr: format: cidr type: string type: object ipBlocks: items: properties: cidr: format: cidr type: string type: object type: array namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object podSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object serviceReference: properties: name: type: string namespace: type: string type: object type: object status: properties: conditions: items: properties: lastTransitionTime: type: string status: type: string type: type: string type: object type: array type: object type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: labels: app: antrea name: clustergroups.crd.antrea.io spec: conversion: strategy: Webhook webhook: clientConfig: service: name: antrea namespace: kube-system path: /convert/clustergroup conversionReviewVersions: - v1 - v1beta1 group: crd.antrea.io names: kind: ClusterGroup plural: clustergroups shortNames: - cg singular: group scope: Cluster versions: - 
name: v1alpha2 schema: openAPIV3Schema: properties: spec: properties: childGroups: items: type: string type: array externalEntitySelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object ipBlock: properties: cidr: format: cidr type: string type: object ipBlocks: items: properties: cidr: format: cidr type: string type: object type: array namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object podSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object serviceReference: properties: name: type: string namespace: type: string type: object type: object status: properties: conditions: items: properties: lastTransitionTime: type: string status: type: string type: type: string type: object type: array type: object type: object served: true storage: false - name: v1alpha3 schema: openAPIV3Schema: properties: spec: properties: childGroups: items: type: string type: array externalEntitySelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object ipBlocks: items: properties: cidr: format: cidr type: string type: object type: array namespaceSelector: properties: matchExpressions: items: properties: key: type: 
string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object podSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object serviceReference: properties: name: type: string namespace: type: string type: object type: object status: properties: conditions: items: properties: lastTransitionTime: type: string status: type: string type: type: string type: object type: array type: object type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: labels: app: antrea name: clusternetworkpolicies.crd.antrea.io spec: group: crd.antrea.io names: kind: ClusterNetworkPolicy plural: clusternetworkpolicies shortNames: - acnp singular: clusternetworkpolicy scope: Cluster versions: - additionalPrinterColumns: - description: The Tier to which this ClusterNetworkPolicy belongs to. jsonPath: .spec.tier name: Tier type: string - description: The Priority of this ClusterNetworkPolicy relative to other policies. format: float jsonPath: .spec.priority name: Priority type: number - description: The total number of Nodes that should realize the NetworkPolicy. format: int32 jsonPath: .status.desiredNodesRealized name: Desired Nodes type: number - description: The number of Nodes that have realized the NetworkPolicy. 
format: int32 jsonPath: .status.currentNodesRealized name: Current Nodes type: number - jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha1 schema: openAPIV3Schema: properties: spec: properties: appliedTo: items: properties: group: type: string namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object podSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object type: object type: array egress: items: properties: action: enum: - Allow - Drop - Reject type: string appliedTo: items: properties: group: type: string namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object podSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object type: object type: array enableLogging: type: boolean name: type: string ports: items: properties: endPort: type: integer port: x-kubernetes-int-or-string: true protocol: type: string type: object type: array to: items: properties: fqdn: type: string group: type: string ipBlock: properties: cidr: format: cidr type: string type: object namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - 
NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object namespaces: properties: match: type: string type: object podSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object type: object type: array required: - action type: object type: array ingress: items: properties: action: enum: - Allow - Drop - Reject type: string appliedTo: items: properties: group: type: string namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object podSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object type: object type: array enableLogging: type: boolean from: items: properties: group: type: string ipBlock: properties: cidr: format: cidr type: string type: object namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object namespaces: properties: match: type: string type: object podSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array 
matchLabels: x-kubernetes-preserve-unknown-fields: true type: object type: object type: array name: type: string ports: items: properties: endPort: type: integer port: x-kubernetes-int-or-string: true protocol: type: string type: object type: array required: - action type: object type: array priority: format: float maximum: 10000 minimum: 1 type: number tier: type: string required: - priority type: object status: properties: currentNodesRealized: type: integer desiredNodesRealized: type: integer observedGeneration: type: integer phase: type: string type: object type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: labels: app: antrea name: clusternetworkpolicies.security.antrea.tanzu.vmware.com spec: group: security.antrea.tanzu.vmware.com names: kind: ClusterNetworkPolicy plural: clusternetworkpolicies shortNames: - lacnp singular: clusternetworkpolicy scope: Cluster versions: - additionalPrinterColumns: - description: The Tier to which this ClusterNetworkPolicy belongs to. jsonPath: .spec.tier name: Tier type: string - description: The Priority of this ClusterNetworkPolicy relative to other policies. format: float jsonPath: .spec.priority name: Priority type: number - description: The total number of Nodes that should realize the NetworkPolicy. format: int32 jsonPath: .status.desiredNodesRealized name: Desired Nodes type: number - description: The number of Nodes that have realized the NetworkPolicy. 
format: int32 jsonPath: .status.currentNodesRealized name: Current Nodes type: number - jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha1 schema: openAPIV3Schema: properties: spec: properties: appliedTo: items: properties: group: type: string namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object podSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object type: object type: array egress: items: properties: action: enum: - Allow - Drop - Reject type: string appliedTo: items: properties: group: type: string namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object podSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object type: object type: array enableLogging: type: boolean name: type: string ports: items: properties: endPort: type: integer port: x-kubernetes-int-or-string: true protocol: type: string type: object type: array to: items: properties: group: type: string ipBlock: properties: cidr: format: cidr type: string type: object namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - 
DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object namespaces: properties: match: type: string type: object podSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object type: object type: array required: - action type: object type: array ingress: items: properties: action: enum: - Allow - Drop - Reject type: string appliedTo: items: properties: group: type: string namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object podSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object type: object type: array enableLogging: type: boolean from: items: properties: group: type: string ipBlock: properties: cidr: format: cidr type: string type: object namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object namespaces: properties: match: type: string type: object podSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: 
x-kubernetes-preserve-unknown-fields: true type: object type: object type: array name: type: string ports: items: properties: endPort: type: integer port: x-kubernetes-int-or-string: true protocol: type: string type: object type: array required: - action type: object type: array priority: format: float maximum: 10000 minimum: 1 type: number tier: type: string required: - priority type: object status: properties: currentNodesRealized: type: integer desiredNodesRealized: type: integer observedGeneration: type: integer phase: type: string type: object type: object served: true storage: true subresources: status: {}
---
# Egress (crd.antrea.io, v1alpha2): cluster-scoped resource whose printer
# column describes spec.egressIP as the SNAT IP address for the selected
# workloads.
#
# Security note: appliedTo accepts both a namespaceSelector and a podSelector
# and the resource is cluster-scoped, so one object can select Pods in any
# namespace. Treat create/update on egresses as a cluster-admin level
# permission in RBAC.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app: antrea
  name: egresses.crd.antrea.io
spec:
  group: crd.antrea.io
  names:
    kind: Egress
    plural: egresses
    shortNames:
      - eg
    singular: egress
  scope: Cluster
  versions:
    - additionalPrinterColumns:
        - description: Specifies the SNAT IP address for the selected workloads.
          jsonPath: .spec.egressIP
          name: EgressIP
          type: string
        - jsonPath: .metadata.creationTimestamp
          name: Age
          type: date
        - description: The Owner Node of egress IP
          jsonPath: .status.egressNode
          name: Node
          type: string
      name: v1alpha2
      schema:
        openAPIV3Schema:
          properties:
            spec:
              # At least one of egressIP / externalIPPool must be present.
              anyOf:
                - required:
                    - egressIP
                - required:
                    - externalIPPool
              properties:
                appliedTo:
                  properties:
                    namespaceSelector:
                      properties:
                        matchExpressions:
                          items:
                            properties:
                              key:
                                type: string
                              operator:
                                enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                type: string
                              values:
                                items:
                                  type: string
                                type: array
                            type: object
                          type: array
                        # Free-form label map: keys and values are not
                        # validated by this schema.
                        matchLabels:
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                    podSelector:
                      properties:
                        matchExpressions:
                          items:
                            properties:
                              key:
                                type: string
                              operator:
                                enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                type: string
                              values:
                                items:
                                  type: string
                                type: array
                            type: object
                          type: array
                        matchLabels:
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                  type: object
                # Any syntactically valid IPv4 or IPv6 address passes; the
                # schema does not tie the value to an ExternalIPPool range.
                # NOTE(review): confirm where that check is enforced.
                egressIP:
                  oneOf:
                    - format: ipv4
                    - format: ipv6
                  type: string
                externalIPPool:
                  type: string
              required:
                - appliedTo
              type: object
            status:
              properties:
                egressNode:
                  type: string
              type: object
          required:
            - spec
          type: object
      served: true
      storage: true
      subresources:
        status: {}
---
# ExternalEntity under core.antrea.tanzu.vmware.com (short name lee),
# namespaced. v1alpha2 is served and stored; v1alpha1 is declared with an
# empty object schema and is neither served nor stored.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app: antrea
  name: externalentities.core.antrea.tanzu.vmware.com
spec:
  group: core.antrea.tanzu.vmware.com
  names:
    kind: ExternalEntity
    plural: externalentities
    shortNames:
      - lee
    singular: externalentity
  scope: Namespaced
  versions:
    - name: v1alpha2
      schema:
        openAPIV3Schema:
          properties:
            # No field of spec is marked required by this schema.
            spec:
              properties:
                endpoints:
                  items:
                    properties:
                      ip:
                        oneOf:
                          - format: ipv4
                          - format: ipv6
                        type: string
                      name:
                        type: string
                    type: object
                  type: array
                externalNode:
                  type: string
                ports:
                  items:
                    properties:
                      name:
                        type: string
                      # Accepts an integer or a string; no range is declared.
                      port:
                        x-kubernetes-int-or-string: true
                      protocol:
                        type: string
                    type: object
                  type: array
              type: object
          type: object
      served: true
      storage: true
    - name: v1alpha1
      schema:
        openAPIV3Schema:
          type: object
      served: false
      storage: false
---
# ExternalEntity under crd.antrea.io (short name ee); same schema as the
# core.antrea.tanzu.vmware.com definition above.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app: antrea
  name: externalentities.crd.antrea.io
spec:
  group: crd.antrea.io
  names:
    kind: ExternalEntity
    plural: externalentities
    shortNames:
      - ee
    singular: externalentity
  scope: Namespaced
  versions:
    - name: v1alpha2
      schema:
        openAPIV3Schema:
          properties:
            spec:
              properties:
                endpoints:
                  items:
                    properties:
                      ip:
                        oneOf:
                          - format: ipv4
                          - format: ipv6
                        type: string
                      name:
                        type: string
                    type: object
                  type: array
                externalNode:
                  type: string
                ports:
                  items:
                    properties:
                      name:
                        type: string
                      port:
                        x-kubernetes-int-or-string: true
                      protocol:
                        type: string
                    type: object
                  type: array
              type: object
          type: object
      served: true
      storage: true
    - name: v1alpha1
      schema:
        openAPIV3Schema:
          type: object
      served: false
      storage: false
---
# ExternalIPPool (crd.antrea.io, v1alpha2): cluster-scoped. spec requires
# ipRanges and nodeSelector.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app: antrea
  name: externalippools.crd.antrea.io
spec:
  group: crd.antrea.io
  names:
    kind: ExternalIPPool
    plural: externalippools
    shortNames:
      - eip
    singular: externalippool
  scope: Cluster
  versions:
    - name: v1alpha2
      schema:
        openAPIV3Schema:
          properties:
            spec:
              properties:
                ipRanges:
                  items:
                    # Each range is either a cidr or a start/end pair; oneOf
                    # rejects an entry that supplies both forms.
                    oneOf:
                      - required:
                          - cidr
                      - required:
                          - start
                          - end
                    properties:
                      cidr:
                        format: cidr
                        type: string
                      end:
                        oneOf:
                          - format: ipv4
                          - format: ipv6
                        type: string
                      start:
                        oneOf:
                          - format: ipv4
                          - format: ipv6
                        type: string
                    type: object
                  type: array
                nodeSelector:
                  properties:
                    matchExpressions:
                      items:
                        properties:
                          key:
                            type: string
                          operator:
                            enum:
                              - In
                              - NotIn
                              - Exists
                              - DoesNotExist
                            type: string
                          values:
                            items:
                              type: string
                            type: array
                        type: object
                      type: array
                    matchLabels:
                      x-kubernetes-preserve-unknown-fields: true
                  type: object
              required:
                - ipRanges
                - nodeSelector
              type: object
          required:
            - spec
          type: object
      served: true
      storage: true
# The next document is cut by the end of this block; its layout is left as found.
--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: labels: app: antrea name: networkpolicies.crd.antrea.io spec: group: crd.antrea.io names: kind: NetworkPolicy plural: networkpolicies shortNames: - anp singular: networkpolicy scope: Namespaced versions: - additionalPrinterColumns: - description: The Tier to which this Antrea NetworkPolicy belongs to. jsonPath: .spec.tier name: Tier type: string - description: The Priority of this Antrea NetworkPolicy relative to other policies. format: float jsonPath: .spec.priority name: Priority type: number - description: The total number of Nodes that should realize the NetworkPolicy. format: int32 jsonPath: .status.desiredNodesRealized name: Desired Nodes type: number - description: The number of Nodes that have realized the NetworkPolicy. 
format: int32 jsonPath: .status.currentNodesRealized name: Current Nodes type: number - jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha1 schema: openAPIV3Schema: properties: spec: properties: appliedTo: items: properties: podSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object type: object type: array egress: items: properties: action: enum: - Allow - Drop - Reject type: string appliedTo: items: properties: podSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object type: object type: array enableLogging: type: boolean name: type: string ports: items: properties: endPort: type: integer port: x-kubernetes-int-or-string: true protocol: type: string type: object type: array to: items: properties: externalEntitySelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object fqdn: type: string ipBlock: properties: cidr: format: cidr type: string type: object namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object podSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: 
type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object type: object type: array required: - action type: object type: array ingress: items: properties: action: enum: - Allow - Drop - Reject type: string appliedTo: items: properties: podSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object type: object type: array enableLogging: type: boolean from: items: properties: externalEntitySelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object ipBlock: properties: cidr: format: cidr type: string type: object namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object podSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object type: object type: array name: type: string ports: items: properties: endPort: type: integer port: x-kubernetes-int-or-string: true protocol: type: string type: object type: array required: - action type: object type: array priority: format: float maximum: 10000 minimum: 1 type: number tier: type: string required: - priority type: object status: properties: currentNodesRealized: type: integer desiredNodesRealized: 
type: integer observedGeneration: type: integer phase: type: string type: object type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: labels: app: antrea name: networkpolicies.security.antrea.tanzu.vmware.com spec: group: security.antrea.tanzu.vmware.com names: kind: NetworkPolicy plural: networkpolicies shortNames: - lanp singular: networkpolicy scope: Namespaced versions: - additionalPrinterColumns: - description: The Tier to which this Antrea NetworkPolicy belongs to. jsonPath: .spec.tier name: Tier type: string - description: The Priority of this Antrea NetworkPolicy relative to other policies. format: float jsonPath: .spec.priority name: Priority type: number - description: The total number of Nodes that should realize the NetworkPolicy. format: int32 jsonPath: .status.desiredNodesRealized name: Desired Nodes type: number - description: The number of Nodes that have realized the NetworkPolicy. 
format: int32 jsonPath: .status.currentNodesRealized name: Current Nodes type: number - jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha1 schema: openAPIV3Schema: properties: spec: properties: appliedTo: items: properties: podSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object type: object type: array egress: items: properties: action: enum: - Allow - Drop - Reject type: string appliedTo: items: properties: podSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object type: object type: array enableLogging: type: boolean name: type: string ports: items: properties: endPort: type: integer port: x-kubernetes-int-or-string: true protocol: type: string type: object type: array to: items: properties: externalEntitySelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object ipBlock: properties: cidr: format: cidr type: string type: object namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object podSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: 
array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object type: object type: array required: - action type: object type: array ingress: items: properties: action: enum: - Allow - Drop - Reject type: string appliedTo: items: properties: podSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object type: object type: array enableLogging: type: boolean from: items: properties: externalEntitySelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object ipBlock: properties: cidr: format: cidr type: string type: object namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object podSelector: properties: matchExpressions: items: properties: key: type: string operator: enum: - In - NotIn - Exists - DoesNotExist type: string values: items: type: string type: array type: object type: array matchLabels: x-kubernetes-preserve-unknown-fields: true type: object type: object type: array name: type: string ports: items: properties: endPort: type: integer port: x-kubernetes-int-or-string: true protocol: type: string type: object type: array required: - action type: object type: array priority: format: float maximum: 10000 minimum: 1 type: number tier: type: string required: - priority type: object status: properties: currentNodesRealized: type: integer desiredNodesRealized: type: integer 
observedGeneration: type: integer phase: type: string type: object type: object served: true storage: true subresources: status: {}
---
# TierEntitlementBinding (crd.antrea.tanzu.vmware.com, v1alpha1):
# cluster-scoped. spec requires a tierEntitlement string and a list of
# subjects whose kind is User, Group or ServiceAccount.
#
# Security note: these objects describe who is entitled to which Tiers, so
# write access to them is itself a privilege-granting permission and should
# be reserved for cluster administrators in RBAC.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app: antrea
  name: tierentitlementbindings.crd.antrea.tanzu.vmware.com
spec:
  group: crd.antrea.tanzu.vmware.com
  names:
    kind: TierEntitlementBinding
    plural: tierentitlementbindings
    shortNames:
      - teb
    singular: tierentitlementbinding
  scope: Cluster
  versions:
    - name: v1alpha1
      schema:
        openAPIV3Schema:
          properties:
            spec:
              properties:
                subjects:
                  # NOTE(review): subject entries list no required fields and
                  # the array has no minimum length, so an empty subject or
                  # an empty list passes schema validation. Confirm that the
                  # controller or an admission webhook rejects those.
                  items:
                    properties:
                      apiGroup:
                        enum:
                          - rbac.authorization.k8s.io
                        type: string
                      kind:
                        enum:
                          - User
                          - Group
                          - ServiceAccount
                        type: string
                      name:
                        type: string
                      namespace:
                        type: string
                    type: object
                  type: array
                # presumably the name of a TierEntitlement object; confirm.
                tierEntitlement:
                  type: string
              required:
                - tierEntitlement
                - subjects
              type: object
          type: object
      served: true
      storage: true
---
# TierEntitlement (crd.antrea.tanzu.vmware.com, v1alpha1): cluster-scoped.
# spec requires a permission (edit or read) and a list of tiers.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app: antrea
  name: tierentitlements.crd.antrea.tanzu.vmware.com
spec:
  group: crd.antrea.tanzu.vmware.com
  names:
    kind: TierEntitlement
    plural: tierentitlements
    shortNames:
      - te
    singular: tierentitlement
  scope: Cluster
  versions:
    - name: v1alpha1
      schema:
        openAPIV3Schema:
          properties:
            spec:
              properties:
                permission:
                  enum:
                    - edit
                    - read
                  type: string
                # Plain strings, presumably Tier names; the schema does not
                # check that a named Tier exists. Confirm how unknown names
                # are handled.
                tiers:
                  items:
                    type: string
                  type: array
              required:
                - permission
                - tiers
              type: object
          type: object
      served: true
      storage: true
---
# Tier under crd.antrea.io (short name tr): cluster-scoped, v1alpha1.
# spec.priority is required and bounded to 0..255.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app: antrea
  name: tiers.crd.antrea.io
spec:
  group: crd.antrea.io
  names:
    kind: Tier
    plural: tiers
    shortNames:
      - tr
    singular: tier
  scope: Cluster
  versions:
    - additionalPrinterColumns:
        - description: The Priority of this Tier relative to other Tiers.
          jsonPath: .spec.priority
          name: Priority
          type: integer
        - jsonPath: .metadata.creationTimestamp
          name: Age
          type: date
      name: v1alpha1
      schema:
        openAPIV3Schema:
          properties:
            spec:
              properties:
                description:
                  type: string
                priority:
                  maximum: 255
                  minimum: 0
                  type: integer
              required:
                - priority
              type: object
          type: object
      served: true
      storage: true
---
# Tier under security.antrea.tanzu.vmware.com (short name ltr); same schema
# as the crd.antrea.io definition above.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app: antrea
  name: tiers.security.antrea.tanzu.vmware.com
spec:
  group: security.antrea.tanzu.vmware.com
  names:
    kind: Tier
    plural: tiers
    shortNames:
      - ltr
    singular: tier
  scope: Cluster
  versions:
    - additionalPrinterColumns:
        - description: The Priority of this Tier relative to other Tiers.
          jsonPath: .spec.priority
          name: Priority
          type: integer
        - jsonPath: .metadata.creationTimestamp
          name: Age
          type: date
      name: v1alpha1
      schema:
        openAPIV3Schema:
          properties:
            spec:
              properties:
                description:
                  type: string
                priority:
                  maximum: 255
                  minimum: 0
                  type: integer
              required:
                - priority
              type: object
          type: object
      served: true
      storage: true
# The next document is cut by the end of this block; its layout is left as found.
--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: labels: app: antrea name: traceflows.crd.antrea.io spec: group: crd.antrea.io names: kind: Traceflow plural: traceflows shortNames: - tf singular: traceflow scope: Cluster versions: - additionalPrinterColumns: - description: The phase of the Traceflow. jsonPath: .status.phase name: Phase type: string - description: The name of the source Pod. jsonPath: .spec.source.pod name: Source-Pod priority: 10 type: string - description: The name of the destination Pod. jsonPath: .spec.destination.pod name: Destination-Pod priority: 10 type: string - description: The IP address of the destination. jsonPath: .spec.destination.ip name: Destination-IP priority: 10 type: string - description: Trace live traffic. jsonPath: .spec.liveTraffic name: Live-Traffic priority: 10 type: boolean - description: Capture only the dropped packet. 
jsonPath: .spec.droppedOnly name: Dropped-Only priority: 10 type: boolean - description: Timeout in seconds. jsonPath: .spec.timeout name: Timeout priority: 10 type: integer - jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha1 schema: openAPIV3Schema: properties: spec: properties: destination: properties: ip: oneOf: - format: ipv4 - format: ipv6 type: string namespace: type: string pod: type: string service: type: string type: object droppedOnly: type: boolean liveTraffic: type: boolean packet: properties: ipHeader: properties: flags: type: integer protocol: type: integer srcIP: oneOf: - format: ipv4 - format: ipv6 type: string ttl: type: integer type: object ipv6Header: properties: hopLimit: type: integer nextHeader: type: integer srcIP: format: ipv6 type: string type: object transportHeader: properties: icmp: properties: id: type: integer sequence: type: integer type: object tcp: properties: dstPort: type: integer flags: type: integer srcPort: type: integer type: object udp: properties: dstPort: type: integer srcPort: type: integer type: object type: object type: object source: properties: ip: oneOf: - format: ipv4 - format: ipv6 type: string namespace: type: string pod: type: string type: object timeout: type: integer type: object status: properties: capturedPacket: properties: dstIP: type: string ipHeader: properties: flags: type: integer protocol: type: integer ttl: type: integer type: object ipv6Header: properties: hopLimit: type: integer nextHeader: type: integer type: object length: type: integer srcIP: type: string transportHeader: properties: icmp: properties: id: type: integer sequence: type: integer type: object tcp: properties: dstPort: type: integer flags: type: integer srcPort: type: integer type: object udp: properties: dstPort: type: integer srcPort: type: integer type: object type: object type: object dataplaneTag: type: integer phase: type: string reason: type: string results: items: properties: node: type: string 
observations: items: properties: action: type: string component: type: string componentInfo: type: string dstMAC: type: string networkPolicy: type: string pod: type: string translatedDstIP: type: string translatedSrcIP: type: string ttl: type: integer tunnelDstIP: type: string type: object type: array role: type: string timestamp: type: integer type: object type: array type: object required: - spec type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: labels: app: antrea name: traceflows.ops.antrea.tanzu.vmware.com spec: group: ops.antrea.tanzu.vmware.com names: kind: Traceflow plural: traceflows shortNames: - ltf singular: traceflow scope: Cluster versions: - additionalPrinterColumns: - description: The phase of the Traceflow. jsonPath: .status.phase name: Phase type: string - description: The name of the source Pod. jsonPath: .spec.source.pod name: Source-Pod priority: 10 type: string - description: The name of the destination Pod. jsonPath: .spec.destination.pod name: Destination-Pod priority: 10 type: string - description: The IP address of the destination. 
jsonPath: .spec.destination.ip name: Destination-IP priority: 10 type: string - jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha1 schema: openAPIV3Schema: properties: spec: properties: destination: properties: ip: oneOf: - format: ipv4 - format: ipv6 type: string namespace: type: string pod: type: string service: type: string type: object packet: properties: ipHeader: properties: flags: type: integer protocol: type: integer srcIP: oneOf: - format: ipv4 - format: ipv6 type: string ttl: type: integer type: object ipv6Header: properties: hopLimit: type: integer nextHeader: type: integer srcIP: format: ipv6 type: string type: object transportHeader: properties: icmp: properties: id: type: integer sequence: type: integer type: object tcp: properties: dstPort: type: integer flags: type: integer srcPort: type: integer type: object udp: properties: dstPort: type: integer srcPort: type: integer type: object type: object type: object source: properties: namespace: type: string pod: type: string required: - pod - namespace type: object required: - source type: object status: properties: dataplaneTag: type: integer phase: type: string reason: type: string results: items: properties: node: type: string observations: items: properties: action: type: string component: type: string componentInfo: type: string dstMAC: type: string networkPolicy: type: string pod: type: string translatedDstIP: type: string translatedSrcIP: type: string ttl: type: integer tunnelDstIP: type: string type: object type: array role: type: string timestamp: type: integer type: object type: array type: object required: - spec type: object served: true storage: true subresources: status: {} --- apiVersion: v1 kind: ServiceAccount metadata: labels: app: antrea name: antctl namespace: kube-system --- apiVersion: v1 kind: ServiceAccount metadata: labels: app: antrea name: antrea-agent namespace: kube-system --- apiVersion: v1 kind: ServiceAccount metadata: labels: app: antrea name: 
antrea-controller namespace: kube-system
---
# Aggregated role: the aggregate-to-admin / aggregate-to-edit labels fold these
# rules into the built-in `admin` and `edit` ClusterRoles, so every subject that
# already holds one of those roles gains the write verbs below.
# NOTE(review): audit existing admin/edit bindings before applying this manifest.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: antrea
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: aggregate-antrea-clustergroups-edit
rules:
# Legacy API group and current API group carry the same verbs.
- apiGroups:
  - core.antrea.tanzu.vmware.com
  resources:
  - clustergroups
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - crd.antrea.io
  resources:
  - clustergroups
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
---
# Aggregated role: read-only ClusterGroup access merged into the built-in `view`
# ClusterRole through the aggregate-to-view label.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: antrea
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  name: aggregate-antrea-clustergroups-view
rules:
- apiGroups:
  - core.antrea.tanzu.vmware.com
  resources:
  - clustergroups
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - crd.antrea.io
  resources:
  - clustergroups
  verbs:
  - get
  - list
  - watch
---
# Aggregated role: write access to Antrea policy objects for every holder of the
# built-in `admin` / `edit` roles.
# NOTE(review): through a namespaced RoleBinding these rules reach only namespaced
# kinds; through a ClusterRoleBinding they also cover cluster-scoped policy kinds.
# The scope of the two policy CRDs is declared elsewhere in the manifest - confirm
# which subjects end up able to change cluster-wide policy.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: antrea
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: aggregate-antrea-policies-edit
rules:
- apiGroups:
  - security.antrea.tanzu.vmware.com
  resources:
  - clusternetworkpolicies
  - networkpolicies
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - crd.antrea.io
  resources:
  - clusternetworkpolicies
  - networkpolicies
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
---
# Aggregated role: read-only access to Antrea policy objects, merged into `view`.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: antrea
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  name: aggregate-antrea-policies-view
rules:
- apiGroups:
  - security.antrea.tanzu.vmware.com
  resources:
  - clusternetworkpolicies
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - crd.antrea.io
  resources:
  - clusternetworkpolicies
  - networkpolicies
  verbs:
  - get
  - list
  - watch
---
# Aggregated role: Traceflow write access merged into `admin` / `edit`.
# Both Traceflow CRDs in this manifest declare `scope: Cluster`, so these rules
# take effect only for subjects bound to admin/edit by a ClusterRoleBinding.
# NOTE(review): the crd.antrea.io Traceflow spec includes `liveTraffic` and a
# `capturedPacket` status, so create/update is a sensitive diagnostic permission;
# consider whether every cluster-wide `edit` holder should have it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: antrea
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: aggregate-traceflows-edit
rules:
- apiGroups:
  - ops.antrea.tanzu.vmware.com
  resources:
  - traceflows
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - crd.antrea.io
  resources:
  - traceflows
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
---
# Aggregated role: read-only Traceflow access merged into `view`.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: antrea
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  name: aggregate-traceflows-view
rules:
- apiGroups:
  - ops.antrea.tanzu.vmware.com
  resources:
  - traceflows
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - crd.antrea.io
  resources:
  - traceflows
  verbs:
  - get
  - list
  - watch
---
# Permissions for the `antctl` ServiceAccount: read access to the Antrea
# controlplane, stats and system API groups plus a set of non-resource URLs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: antrea
  name: antctl
rules:
- apiGroups:
  - controlplane.antrea.tanzu.vmware.com
  - controlplane.antrea.io
  resources:
  - networkpolicies
  - appliedtogroups
  - addressgroups
  verbs:
  - get
  - list
- apiGroups:
  - stats.antrea.tanzu.vmware.com
  - stats.antrea.io
  resources:
  - networkpolicystats
  - antreaclusternetworkpolicystats
  - antreanetworkpolicystats
  verbs:
  - get
  - list
- apiGroups:
  - system.antrea.tanzu.vmware.com
  - system.antrea.io
  resources:
  - controllerinfos
  - agentinfos
  verbs:
  - get
# NOTE(review): `post` is an HTTP method, not a Kubernetes resource verb; for
# resource requests a POST is authorized as `create`. As written the `post`
# entry most likely grants nothing - confirm what this rule is meant to allow.
- apiGroups:
  - system.antrea.tanzu.vmware.com
  - system.antrea.io
  resources:
  - supportbundles
  verbs:
  - get
  - post
# NOTE(review): presumably a support bundle holds component logs and
# configuration; keep the set of subjects bound to this role small - confirm.
- apiGroups:
  - system.antrea.tanzu.vmware.com
  - system.antrea.io
  resources:
  - supportbundles/download
  verbs:
  - get
# Non-resource URLs are matched by path and lower-cased HTTP method; only GET
# is allowed here.
- nonResourceURLs:
  - /agentinfo
  - /addressgroups
  - /appliedtogroups
  - /loglevel
  - /networkpolicies
  - /ovsflows
  - /ovstracing
  - /podinterfaces
  - /featuregates
  verbs:
  - get
---
# Permissions for the `antrea-agent` ServiceAccount in kube-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: antrea
  name: antrea-agent
rules:
# NOTE(review): `patch` on nodes and pods has no resourceNames and RBAC cannot
# scope by node, so every holder of this ServiceAccount token can patch any
# Node or Pod object in the cluster. Presumably one agent runs per node; audit
# log alerts on patch requests from
# system:serviceaccount:kube-system:antrea-agent against objects on another
# node are a reasonable compensating control.
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - watch
  - list
  - patch
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - watch
  - list
  - patch
- apiGroups:
  - ""
  resources:
  - endpoints
  - services
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - watch
  - list
# No resourceNames: the agent token can update or delete any AntreaAgentInfo
# object, not only the one for its own node.
- apiGroups:
  - clusterinformation.antrea.tanzu.vmware.com
  - crd.antrea.io
  resources:
  - antreaagentinfos
  verbs:
  - get
  - create
  - update
  - delete
- apiGroups:
  - controlplane.antrea.tanzu.vmware.com
  - controlplane.antrea.io
  resources:
  - networkpolicies
  - appliedtogroups
  - addressgroups
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - controlplane.antrea.io
  resources:
  - egressgroups
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - controlplane.antrea.tanzu.vmware.com
  - controlplane.antrea.io
  resources:
  - nodestatssummaries
  verbs:
  - create
- apiGroups:
  - controlplane.antrea.tanzu.vmware.com
  - controlplane.antrea.io
  resources:
  - networkpolicies/status
  verbs:
  - create
  - get
# TokenReview / SubjectAccessReview creation lets the component delegate
# authentication and authorization of incoming API calls to kube-apiserver
# (presumably for the agent's own API listener - confirm).
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
# resourceNames limits `get` to the named ConfigMap; `list` and `watch` are
# only authorized when the request carries a metadata.name field selector.
- apiGroups:
  - ""
  resourceNames:
  - extension-apiserver-authentication
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resourceNames:
  - antrea-ca
  resources:
  - configmaps
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - ops.antrea.tanzu.vmware.com
  - crd.antrea.io
  resources:
  - traceflows
  - traceflows/status
  verbs:
  - get
  - watch
  - list
  - update
  - patch
  - create
  - delete
- apiGroups:
  - crd.antrea.io
  resources:
  - egresses
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - crd.antrea.io
  resources:
  - egresses/status
  verbs:
  - update
- apiGroups:
  - crd.antrea.io
  resources:
  - externalippools
  verbs:
  - get
  - watch
  - list
---
# Read access to the single ConfigMap `antrea-cluster-identity`; no binding for
# this role appears in the portion of the manifest reviewed here.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: antrea
  name: antrea-cluster-identity-reader
rules:
- apiGroups:
  - ""
  resourceNames:
  - antrea-cluster-identity
  resources:
  - configmaps
  verbs:
  - get
---
# Permissions for the `antrea-controller` ServiceAccount in kube-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: antrea
  name: antrea-controller
rules:
# Cluster-wide read of pods, namespaces, services and all ConfigMaps.
- apiGroups:
  - ""
  resources:
  - pods
  - namespaces
  - services
  - configmaps
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - watch
  - list
  - patch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
# NOTE(review): `update` on customresourcedefinitions carries no resourceNames,
# so it covers every CRD in the cluster, including those of other projects.
# `update` can be restricted by name; listing only the Antrea CRDs here would
# narrow the blast radius of a compromised controller token.
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resourceNames:
  - extension-apiserver-authentication
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resourceNames:
  - antrea-ca
  - antrea-cluster-identity
  resources:
  - configmaps
  verbs:
  - get
  - update
# NOTE(review): `create` cannot be limited by resourceNames, and this rule sits
# in a ClusterRole, so the controller may create ConfigMaps in any namespace.
# If it only ever writes to kube-system (confirm), a namespaced Role and
# RoleBinding would express that.
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
# The name carries a generated suffix and must match the `antrea-config-...`
# ConfigMap defined later in this manifest.
- apiGroups:
  - ""
  resourceNames:
  - antrea-config-c48mcgtk29
  resources:
  - configmaps
  verbs:
  - get
# APIService and webhook-configuration writes are pinned to Antrea's own objects
# via resourceNames.
- apiGroups:
  - apiregistration.k8s.io
  resourceNames:
  - v1alpha1.stats.antrea.tanzu.vmware.com
  - v1beta1.system.antrea.tanzu.vmware.com
  - v1beta2.controlplane.antrea.tanzu.vmware.com
  - v1beta1.controlplane.antrea.tanzu.vmware.com
  - v1alpha1.stats.antrea.io
  - v1beta1.system.antrea.io
  - v1beta2.controlplane.antrea.io
  resources:
  - apiservices
  verbs:
  - get
  - update
- apiGroups:
  - apiregistration.k8s.io
  resourceNames:
  - v1beta1.networking.antrea.tanzu.vmware.com
  resources:
  - apiservices
  verbs:
  - delete
- apiGroups:
  - admissionregistration.k8s.io
  resourceNames:
  - crdmutator.antrea.tanzu.vmware.com
  - crdvalidator.antrea.tanzu.vmware.com
  - labelsmutator.antrea.io
  - crdmutator.antrea.io
  - crdvalidator.antrea.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - get
  - update
# Rules for the current crd.antrea.io API group.
- apiGroups:
  - crd.antrea.io
  resources:
  - antreacontrollerinfos
  verbs:
  - get
  - create
  - update
  - delete
- apiGroups:
  - crd.antrea.io
  resources:
  - antreaagentinfos
  verbs:
  - list
  - delete
- apiGroups:
  - crd.antrea.io
  resources:
  - clusternetworkpolicies
  - networkpolicies
  verbs:
  - get
  - watch
  - list
  - update
  - patch
  - create
  - delete
- apiGroups:
  - crd.antrea.io
  resources:
  - clusternetworkpolicies/status
  - networkpolicies/status
  verbs:
  - update
- apiGroups:
  - crd.antrea.io
  resources:
  - tiers
  verbs:
  - get
  - watch
  - list
  - update
  - patch
  - create
  - delete
- apiGroups:
  - crd.antrea.io
  resources:
  - traceflows
  - traceflows/status
  verbs:
  - get
  - watch
  - list
  - update
  - patch
  - create
  - delete
- apiGroups:
  - crd.antrea.io
  resources:
  - externalentities
  - clustergroups
  verbs:
  - get
  - watch
  - list
  - update
  - patch
  - create
  - delete
- apiGroups:
  - crd.antrea.io
  resources:
  - clustergroups/status
  verbs:
  - update
- apiGroups:
  - crd.antrea.io
  resources:
  - egresses
  verbs:
  - get
  - watch
  - list
  - update
  - patch
- apiGroups:
  - crd.antrea.io
  resources:
  - externalippools
  verbs:
  - get
  - watch
  - list
# Rules for the legacy *.antrea.tanzu.vmware.com API groups follow.
- apiGroups:
  - clusterinformation.antrea.tanzu.vmware.com
  resources:
  - antreacontrollerinfos
  verbs:
  - get
  - create
  - update
  - delete
- apiGroups:
  - clusterinformation.antrea.tanzu.vmware.com
  resources:
  - antreaagentinfos
  verbs:
  - list
  - delete
- apiGroups:
  - security.antrea.tanzu.vmware.com
  resources:
  - clusternetworkpolicies
  - networkpolicies
  verbs:
  - get
  - watch
  - list
  - update
  - patch
  - create
  - delete
- apiGroups:
  - security.antrea.tanzu.vmware.com
  resources:
  - clusternetworkpolicies/status
  - networkpolicies/status
  verbs:
  - update
- apiGroups:
  - security.antrea.tanzu.vmware.com
  resources:
  - tiers
  verbs:
  - get
  - watch
  - list
  - update
  - patch
  - create
  - delete
- apiGroups:
  - crd.antrea.tanzu.vmware.com
  resources:
  - tierentitlements
  - tierentitlementbindings
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - ops.antrea.tanzu.vmware.com
  resources:
  - traceflows
  - traceflows/status
  verbs:
  - get
  - watch
  - list
  - update
  - patch
  - create
  - delete
- apiGroups:
  - core.antrea.tanzu.vmware.com
  resources:
  - externalentities
  - clustergroups
  verbs:
  - get
  - watch
  - list
  - update
  - patch
  - create
  - delete
- apiGroups:
  - core.antrea.tanzu.vmware.com
  resources:
  - clustergroups/status
  verbs:
  - update
---
apiVersion:
rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app: antrea name: antctl namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: antctl subjects: - kind: ServiceAccount name: antctl namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app: antrea name: antrea-agent roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: antrea-agent subjects: - kind: ServiceAccount name: antrea-agent namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app: antrea name: antrea-controller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: antrea-controller subjects: - kind: ServiceAccount name: antrea-controller namespace: kube-system --- apiVersion: v1 data: antrea-agent-tweaker.conf: |- # Enable disableUdpTunnelOffload will disable udp tunnel offloading feature on kubernetes node's default interface. # By default, no actions will be taken. disableUdpTunnelOffload: false kind: ConfigMap metadata: labels: app: antrea name: antrea-agent-tweaker-g56hc6fh8t namespace: kube-system --- apiVersion: v1 data: antrea-agent.conf: | # FeatureGates is a map of feature names to bools that enable or disable experimental features. featureGates: # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on # Service traffic. # AntreaProxy: true # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, # this flag will not take effect. # EndpointSlice: false # Enable traceflow which provides packet tracing feature to diagnose network issue. 
# Traceflow: true # Enable NodePortLocal feature to make the pods reachable externally through NodePort # NodePortLocal: false # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy # feature that supports priorities, rule actions and externalEntities in the future. # AntreaPolicy: true # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each # agent to a configured collector. # FlowExporter: false # Enable collecting and exposing NetworkPolicy statistics. # NetworkPolicyStats: true # Enable controlling SNAT IPs of Pod egress traffic. # Egress: false # Name of the OpenVSwitch bridge antrea-agent will create and use. # Make sure it doesn't conflict with your existing OpenVSwitch bridges. #ovsBridge: br-int # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: # - system # - netdev # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run # OVS in userspace mode. Userspace mode requires the tun device driver to be available. #ovsDatapathType: system # Name of the interface antrea-agent will create and use for host <--> pod communication. # Make sure it doesn't conflict with your existing interfaces. #hostGateway: antrea-gw0 # Determines how traffic is encapsulated. It has the following options: # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network # traffic is SNAT'd. # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is # SNAT'd if noSNAT is not set to true. Underlying network must be capable of # supporting Pod traffic across IP subnets. # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. 
# networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod # IPAM and connectivity to the primary CNI. # #trafficEncapMode: encap # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never # performs SNAT and this option will be ignored; for other modes it must be set to false. #noSNAT: false # Tunnel protocols used for encapsulating traffic across Nodes. Supported values: # - geneve (default) # - vxlan # - gre # - stt #tunnelType: geneve # Default MTU to use for the host gateway interface and the network interface of each Pod. # If omitted, antrea-agent will discover the MTU of the Node's primary interface and # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). #defaultMTU: 0 # Whether or not to enable IPsec encryption of tunnel traffic. #enableIPSecTunnel: false # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. #serviceCIDR: 10.96.0.0/12 # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. # No default value for this field. #serviceCIDRv6: # The port for the antrea-agent APIServer to serve on. 
# Note that if it's set to another value, the `containerPort` of the `api` port of the # `antrea-agent` container must be set to the same value. #apiPort: 10350 # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. #enablePrometheusMetrics: true # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>]. # HOST can either be the DNS name or the IP of the Flow Collector. For example, # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. # However, IPv6 address should be wrapped with []. # If PORT is empty, we default to 4739, the standard IPFIX port. # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and # "udp" protocols. "tls" is used for securing communication between flow exporter and # flow aggregator. #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" # Provide flow poll interval as a duration string. This determines how often the # flow exporter dumps connections from the conntrack module. Flow poll interval # should be greater than or equal to 1s (one second). # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". #flowPollInterval: "5s" # Provide the active flow export timeout, which is the timeout after which a flow # record is sent to the collector for active flows. Thus, for flows with a continuous # stream of packets, a flow record will be exported to the collector once the elapsed # time since the last export event is equal to the value of this timeout. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". #activeFlowExportTimeout: "30s" # Provide the idle flow export timeout, which is the timeout after which a flow # record is sent to the collector for idle flows. A flow is considered idle if no # packet matching this flow has been observed since the last export event. 
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". #idleFlowExportTimeout: "15s" # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports), # and all Node traffic directed to that port will be forwarded to the Pod. #nplPortRange: 61000-62000 # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. #kubeAPIServerOverride: "" # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. # https://golang.org/pkg/crypto/tls/#pkg-constants # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always # prefer TLS1.3 Cipher Suites whenever possible. tlsCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384 # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. #tlsMinVersion: antrea-cni.conflist: | { "cniVersion":"0.3.0", "name": "antrea", "plugins": [ { "type": "antrea", "ipam": { "type": "host-local" } }, { "type": "portmap", "capabilities": {"portMappings": true} }, { "type": "bandwidth", "capabilities": {"bandwidth": true} } ] } antrea-controller.conf: | # FeatureGates is a map of feature names to bools that enable or disable experimental features. featureGates: # Enable traceflow which provides packet tracing feature to diagnose network issue. 
# Traceflow: true # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy # feature that supports priorities, rule actions and externalEntities in the future. # AntreaPolicy: true # Enable collecting and exposing NetworkPolicy statistics. # NetworkPolicyStats: true # Enable controlling SNAT IPs of Pod egress traffic. # Egress: false # Run Kubernetes NodeIPAMController with Antrea. # NodeIPAM: false # The port for the antrea-controller APIServer to serve on. # Note that if it's set to another value, the `containerPort` of the `api` port of the # `antrea-controller` container must be set to the same value. #apiPort: 10349 # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. #enablePrometheusMetrics: true # Indicates whether to use auto-generated self-signed TLS certificate. # If false, A Secret named "antrea-controller-tls" must be provided with the following keys: # ca.crt: <CA certificate> # tls.crt: <TLS certificate> # tls.key: <TLS private key> # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the # antrea-controller container. #selfSignedCert: true # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. # https://golang.org/pkg/crypto/tls/#pkg-constants # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always # prefer TLS1.3 Cipher Suites whenever possible. tlsCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384 # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. 
#tlsMinVersion: # If Antrea is upgraded from version <= v0.13 and legacy CRDs are used, this option should be # enabled, otherwise the CRDs created with the legacy API groups will not take any effect and # work as expected. When the mirroring is enabled, if a legacy CRD is created with legacy API # groups, mirroring-controller will create a new CRD with the Spec and Labels from the legacy # CRD. Afterwards, the modification of Spec and Label in legacy CRD will be synchronized to new # CRD automatically. In addition, the modification of Status in new CRD will also be synchronized # to legacy CRD automatically. If a legacy CRD is deleted, the corresponding new CRD will be deleted. # Note that: to decouple a new CRD from the corresponding legacy CRD, the legacy CRD should be # annotated with "crd.antrea.io/stop-mirror". Afterwards, updates to the legacy CRDs will no # longer be reflected in the new CRD, and all CRUD operations should be done through the new # API groups. After adding the annotation, legacy CRDs can be deleted safely without impacting # new CRDs. #legacyCRDMirroring: true # Enable usage reporting (telemetry) to VMware. #enableUsageReporting: false nodeIPAM: # Enable the integrated Node IPAM controller within the Antrea controller. # enableNodeIPAM: false # CIDR Ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. # The CIDRs could be either IPv4 or IPv6. Value ignored when enableNodeIPAM is false. # clusterCIDRs: [] # CIDR Ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. # Value ignored when enableNodeIPAM is false. # serviceCIDR: # serviceCIDRv6: # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. # nodeCIDRMaskSizeIPv4: 24 # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. 
Value ignored when enableNodeIPAM is false # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. # nodeCIDRMaskSizeIPv6: 64 kind: ConfigMap metadata: annotations: {} labels: app: antrea name: antrea-config-c48mcgtk29 namespace: kube-system
---
# Service in front of the antrea-controller API. The APIService and webhook
# objects in this manifest all point at it (name: antrea, namespace:
# kube-system), so it is the single TLS endpoint for aggregated API calls and
# admission reviews.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: antrea
  name: antrea
  namespace: kube-system
spec:
  ports:
    # 443 is mapped to the container port named "api" (10349 in the
    # Deployment below).
    - port: 443
      protocol: TCP
      targetPort: api
  selector:
    app: antrea
    component: antrea-controller
---
# antrea-controller Deployment.
# Review summary of what the manifest sets and leaves unset:
#   - hostNetwork: true, so the container shares the node's network namespace.
#   - No pod-level or container-level securityContext: runAsNonRoot,
#     allowPrivilegeEscalation, readOnlyRootFilesystem, capabilities.drop and
#     seccompProfile are all left at their defaults.
#   - Only a CPU request is declared; there are no CPU or memory limits.
#   - One replica with the Recreate strategy: the API behind the Service is
#     unavailable while the Pod is being replaced.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: antrea
    component: antrea-controller
  name: antrea-controller
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: antrea
      component: antrea-controller
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: antrea
        component: antrea-controller
    spec:
      containers:
        - args:
            - --config
            - /etc/antrea/antrea-controller.conf
            - --logtostderr=false
            - --log_dir=/var/log/antrea
            - --alsologtostderr
            - --log_file_max_size=100
            - --log_file_max_num=4
            - --v=0
          command:
            - antrea-controller
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: SERVICEACCOUNT_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: ANTREA_CONFIG_MAP_NAME
              value: antrea-config-c48mcgtk29
          # Tag-only image reference (no @sha256 digest). With IfNotPresent a
          # node reuses whatever image it already holds under this tag.
          # NOTE(review): pin by digest if the registry tag is mutable.
          image: projects.registry.vmware.com/antreainterworking/antrea-advanced-debian:v1.2.4_vmware.1
          imagePullPolicy: IfNotPresent
          # Probes go to localhost over HTTPS on the named "api" port; this
          # relies on the Pod running with hostNetwork: true (set below).
          livenessProbe:
            failureThreshold: 5
            httpGet:
              host: localhost
              path: /livez
              port: api
              scheme: HTTPS
            periodSeconds: 10
            timeoutSeconds: 5
          name: antrea-controller
          ports:
            # Must match apiPort in antrea-controller.conf (documented there
            # as 10349).
            - containerPort: 10349
              name: api
              protocol: TCP
          readinessProbe:
            failureThreshold: 5
            httpGet:
              host: localhost
              path: /readyz
              port: api
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
          resources:
            requests:
              cpu: 200m
          volumeMounts:
            # antrea-controller.conf from the antrea-config ConfigMap, mounted
            # read-only. That file sets tlsCipherSuites and leaves
            # tlsMinVersion commented out.
            # NOTE(review): the suite list includes
            # TLS_RSA_WITH_AES_256_GCM_SHA384, which uses RSA key exchange
            # and so gives no forward secrecy; with tlsMinVersion unset the
            # minimum is whatever the binary defaults to. Confirm it is at
            # least VersionTLS12.
            - mountPath: /etc/antrea/antrea-controller.conf
              name: antrea-config
              readOnly: true
              subPath: antrea-controller.conf
            # Where the config comments say a user-provided certificate must
            # be mounted when selfSignedCert is false.
            - mountPath: /var/run/antrea/antrea-controller-tls
              name: antrea-controller-tls
            # Writable host directory for logs (see --log_dir above).
            - mountPath: /var/log/antrea
              name: host-var-log-antrea
      # The controller shares the node's network namespace, so port 10349 is
      # opened on the node itself.
      # NOTE(review): confirm node firewalling for 10349 on nodes that can
      # run this Pod.
      hostNetwork: true
      nodeSelector:
        kubernetes.io/os: linux
      priorityClassName: system-cluster-critical
      serviceAccountName: antrea-controller
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
        # Allows scheduling onto nodes tainted node-role.kubernetes.io/master
        # with effect NoSchedule.
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
      volumes:
        - configMap:
            name: antrea-config-c48mcgtk29
          name: antrea-config
        - name: antrea-controller-tls
          secret:
            # 256 is decimal for octal 0400: files readable by owner only.
            defaultMode: 256
            # optional: true lets the Pod start when the Secret is absent.
            # The config comments describe that as the self-signed case
            # (selfSignedCert, documented default true).
            optional: true
            secretName: antrea-controller-tls
        - hostPath:
            path: /var/log/antrea
            type: DirectoryOrCreate
          name: host-var-log-antrea
---
# Aggregated API registrations. Each APIService below routes one group/version
# to the antrea Service in kube-system.
# NOTE(review): none of them sets caBundle or insecureSkipTLSVerify here.
# Presumably the CA bundle is filled in after deployment. Confirm that it is,
# and that insecureSkipTLSVerify stays unset.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  labels:
    app: antrea
  name: v1alpha1.stats.antrea.io
spec:
  group: stats.antrea.io
  groupPriorityMinimum: 100
  service:
    name: antrea
    namespace: kube-system
  version: v1alpha1
  versionPriority: 100
---
# Same registration under the legacy tanzu.vmware.com API group.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  labels:
    app: antrea
  name: v1alpha1.stats.antrea.tanzu.vmware.com
spec:
  group: stats.antrea.tanzu.vmware.com
  groupPriorityMinimum: 100
  service:
    name: antrea
    namespace: kube-system
  version: v1alpha1
  versionPriority: 100
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  labels:
    app: antrea
  name: v1beta1.controlplane.antrea.tanzu.vmware.com
spec:
  group: controlplane.antrea.tanzu.vmware.com
  groupPriorityMinimum: 100
  service:
    name: antrea
    namespace: kube-system
  version: v1beta1
  versionPriority: 100
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  labels:
    app: antrea
  name: v1beta1.system.antrea.io
spec:
  group: system.antrea.io
  groupPriorityMinimum: 100
  service:
    name: antrea
    namespace: kube-system
  version: v1beta1
  versionPriority: 100
--- apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: labels: app: antrea name: v1beta1.system.antrea.tanzu.vmware.com spec: group: system.antrea.tanzu.vmware.com groupPriorityMinimum: 100 service: name: antrea
namespace: kube-system version: v1beta1 versionPriority: 100
---
# Aggregated API registration for controlplane.antrea.io/v1beta2, served by
# the antrea Service in kube-system.
# NOTE(review): no caBundle or insecureSkipTLSVerify is set in the manifest.
# Presumably the CA bundle is filled in after deployment. Confirm.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  labels:
    app: antrea
  name: v1beta2.controlplane.antrea.io
spec:
  group: controlplane.antrea.io
  groupPriorityMinimum: 100
  service:
    name: antrea
    namespace: kube-system
  version: v1beta2
  versionPriority: 100
---
# Same registration under the legacy tanzu.vmware.com API group.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  labels:
    app: antrea
  name: v1beta2.controlplane.antrea.tanzu.vmware.com
spec:
  group: controlplane.antrea.tanzu.vmware.com
  groupPriorityMinimum: 100
  service:
    name: antrea
    namespace: kube-system
  version: v1beta2
  versionPriority: 100
---
# antrea-agent DaemonSet: two long-running containers (antrea-agent,
# antrea-ovs) and two init containers (install-cni, antrea-agent-tweaker).
# Review summary of the privileges this Pod template requests:
#   - antrea-agent runs with privileged: true.
#   - antrea-ovs adds SYS_NICE, NET_ADMIN, SYS_ADMIN and IPC_LOCK.
#   - install-cni adds SYS_MODULE; antrea-agent-tweaker adds NET_ADMIN.
#   - hostNetwork: true, plus hostPath mounts of /proc, /var/run/netns,
#     /etc/cni/net.d, /opt/cni/bin, /lib/modules, /run/xtables.lock,
#     /var/run/antrea and /var/log/antrea.
#   - Tolerations match every NoSchedule and NoExecute taint.
# A Pod with this profile is effectively node-level. Treat write access to
# this DaemonSet, to its ConfigMaps, and exec access to its Pods as node
# administrator access when assigning RBAC.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    app: antrea
    component: antrea-agent
  name: antrea-agent
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: antrea
      component: antrea-agent
  template:
    metadata:
      annotations:
        kubectl.kubernetes.io/default-container: antrea-agent
      labels:
        app: antrea
        component: antrea-agent
    spec:
      containers:
        - args:
            - --config
            - /etc/antrea/antrea-agent.conf
            - --logtostderr=false
            - --log_dir=/var/log/antrea
            - --alsologtostderr
            - --log_file_max_size=100
            - --log_file_max_num=4
            - --v=0
          command:
            - antrea-agent
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          # Tag-only image reference (no @sha256 digest), reused from the
          # node cache under IfNotPresent.
          # NOTE(review): pin by digest if the registry tag is mutable.
          image: projects.registry.vmware.com/antreainterworking/antrea-advanced-debian:v1.2.4_vmware.1
          imagePullPolicy: IfNotPresent
          livenessProbe:
            exec:
              command:
                - /bin/sh
                - -c
                - container_liveness_probe agent
            failureThreshold: 5
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
          name: antrea-agent
          ports:
            - containerPort: 10350
              name: api
              protocol: TCP
          # The probe targets localhost over HTTPS; this relies on
          # hostNetwork: true (set below).
          readinessProbe:
            failureThreshold: 8
            httpGet:
              host: localhost
              path: /readyz
              port: api
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
          resources:
            requests:
              cpu: 200m
          # privileged: true grants every capability and host device access.
          # The namespace's Pod Security settings must permit privileged Pods
          # for this to be admitted.
          securityContext:
            privileged: true
          volumeMounts:
            # Agent config from the antrea-config ConfigMap, read-only.
            # NOTE(review): presumably this is the ConfigMap section that sets
            # tlsCipherSuites (including TLS_RSA_WITH_AES_256_GCM_SHA384, RSA
            # key exchange, no forward secrecy) and leaves tlsMinVersion
            # commented out. Confirm the effective minimum TLS version.
            - mountPath: /etc/antrea/antrea-agent.conf
              name: antrea-config
              readOnly: true
              subPath: antrea-agent.conf
            # Writable host state directory, also mounted into antrea-ovs
            # (openvswitch subPath) and into install-cni.
            - mountPath: /var/run/antrea
              name: host-var-run-antrea
            - mountPath: /var/run/openvswitch
              name: host-var-run-antrea
              subPath: openvswitch
            - mountPath: /var/lib/cni
              name: host-var-run-antrea
              subPath: cni
            - mountPath: /var/log/antrea
              name: host-var-log-antrea
            # Host /proc, read-only.
            - mountPath: /host/proc
              name: host-proc
              readOnly: true
            # Host network-namespace directory, read-only. HostToContainer
            # propagation makes mounts created on the host after start
            # visible in the container.
            - mountPath: /host/var/run/netns
              mountPropagation: HostToContainer
              name: host-var-run-netns
              readOnly: true
            # Writable mount of the host's xtables lock file.
            - mountPath: /run/xtables.lock
              name: xtables-lock
        - args:
            - --log_file_max_size=100
            - --log_file_max_num=4
          command:
            - start_ovs
          image: projects.registry.vmware.com/antreainterworking/antrea-advanced-debian:v1.2.4_vmware.1
          imagePullPolicy: IfNotPresent
          livenessProbe:
            exec:
              command:
                - /bin/sh
                - -c
                - timeout 10 container_liveness_probe ovs
            failureThreshold: 5
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 10
          name: antrea-ovs
          resources:
            requests:
              cpu: 200m
          # Not privileged, but SYS_ADMIN is a very broad capability.
          # NOTE(review): no capabilities.drop and no
          # allowPrivilegeEscalation: false is set on this container.
          securityContext:
            capabilities:
              add:
                - SYS_NICE
                - NET_ADMIN
                - SYS_ADMIN
                - IPC_LOCK
          volumeMounts:
            - mountPath: /var/run/openvswitch
              name: host-var-run-antrea
              subPath: openvswitch
            - mountPath: /var/log/openvswitch
              name: host-var-log-antrea
              subPath: openvswitch
      dnsPolicy: ClusterFirstWithHostNet
      # All containers in this Pod share the node's network namespace.
      hostNetwork: true
      initContainers:
        - command:
            - install_cni
          image: projects.registry.vmware.com/antreainterworking/antrea-advanced-debian:v1.2.4_vmware.1
          imagePullPolicy: IfNotPresent
          name: install-cni
          resources:
            requests:
              cpu: 100m
          # SYS_MODULE permits loading kernel modules; /lib/modules is
          # mounted read-only below.
          securityContext:
            capabilities:
              add:
                - SYS_MODULE
          volumeMounts:
            - mountPath: /etc/antrea/antrea-cni.conflist
              name: antrea-config
              readOnly: true
              subPath: antrea-cni.conflist
            # Writable mounts of the host's CNI config and CNI binary
            # directories. Content placed there is presumably what the
            # container runtime later uses for Pod networking on this node,
            # so the image's integrity matters here.
            - mountPath: /host/etc/cni/net.d
              name: host-cni-conf
            - mountPath: /host/opt/cni/bin
              name: host-cni-bin
            - mountPath: /lib/modules
              name: host-lib-modules
              readOnly: true
            - mountPath: /var/run/antrea
              name: host-var-run-antrea
        - args:
            - --config
            - /etc/antrea/antrea-agent-tweaker.conf
          command:
            - antrea-agent-tweaker
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          # Unlike the other containers, no imagePullPolicy is set here.
          image: projects.registry.vmware.com/antreainterworking/antrea-advanced-debian:v1.2.4_vmware.1
          name: antrea-agent-tweaker
          resources:
            requests:
              cpu: 100m
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
          volumeMounts:
            # NOTE(review): this ConfigMap mount is not marked readOnly,
            # unlike the antrea-config mounts.
            - mountPath: /etc/antrea/antrea-agent-tweaker.conf
              name: antrea-agent-tweaker-config
              subPath: antrea-agent-tweaker.conf
      nodeSelector:
        kubernetes.io/os: linux
      priorityClassName: system-node-critical
      serviceAccountName: antrea-agent
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
        # No key with operator Exists: tolerates every taint that has this
        # effect, so the agent is scheduled on all Linux nodes, tainted ones
        # included.
        - effect: NoSchedule
          operator: Exists
        - effect: NoExecute
          operator: Exists
      volumes:
        - configMap:
            name: antrea-config-c48mcgtk29
          name: antrea-config
        - configMap:
            name: antrea-agent-tweaker-g56hc6fh8t
          name: antrea-agent-tweaker-config
        # hostPath volumes. The ones without a "type" perform no existence
        # or type check on the host path before mounting.
        - hostPath:
            path: /etc/cni/net.d
          name: host-cni-conf
        - hostPath:
            path: /opt/cni/bin
          name: host-cni-bin
        - hostPath:
            path: /proc
          name: host-proc
        - hostPath:
            path: /var/run/netns
          name: host-var-run-netns
        - hostPath:
            path: /var/run/antrea
            type: DirectoryOrCreate
          name: host-var-run-antrea
        - hostPath:
            path: /var/log/antrea
            type: DirectoryOrCreate
          name: host-var-log-antrea
        - hostPath:
            path: /lib/modules
          name: host-lib-modules
        - hostPath:
            path: /run/xtables.lock
            type: FileOrCreate
          name: xtables-lock
  updateStrategy:
    type: RollingUpdate
--- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: labels: app: antrea name: crdmutator.antrea.io webhooks: - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: antrea namespace: kube-system path: /mutate/acnp name: acnpmutator.antrea.io rules: - apiGroups: - crd.antrea.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - clusternetworkpolicies scope: Cluster sideEffects: None timeoutSeconds: 5 - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: antrea namespace: kube-system path: /mutate/anp name: anpmutator.antrea.io rules: - apiGroups: - crd.antrea.io apiVersions: -
v1alpha1 operations: - CREATE - UPDATE resources: - networkpolicies scope: Namespaced sideEffects: None timeoutSeconds: 5
---
# Mutating admission webhooks for the legacy security.antrea.tanzu.vmware.com
# policy resources. Both are served by the antrea Service in kube-system.
# Properties shared by every webhook entry in the configurations below:
#   - failurePolicy is not set; admissionregistration.k8s.io/v1 defaults it
#     to Fail, so matching requests are rejected when the Service does not
#     answer within timeoutSeconds (fail closed).
#   - No namespaceSelector or objectSelector: every matching object in every
#     namespace is sent to the webhook.
#   - clientConfig carries no caBundle in the manifest.
#     NOTE(review): presumably it is injected after deployment. Confirm.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  labels:
    app: antrea
  name: crdmutator.antrea.tanzu.vmware.com
webhooks:
  - admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        name: antrea
        namespace: kube-system
        path: /mutate/acnp
    name: acnpmutator.antrea.tanzu.vmware.com
    rules:
      - apiGroups:
          - security.antrea.tanzu.vmware.com
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
        resources:
          - clusternetworkpolicies
        scope: Cluster
    sideEffects: None
    timeoutSeconds: 5
  - admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        name: antrea
        namespace: kube-system
        path: /mutate/anp
    name: anpmutator.antrea.tanzu.vmware.com
    rules:
      - apiGroups:
          - security.antrea.tanzu.vmware.com
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
        resources:
          - networkpolicies
        scope: Namespaced
    sideEffects: None
    timeoutSeconds: 5
---
# Validating admission webhooks for the crd.antrea.io group: tiers, cluster
# and namespaced network policies, cluster groups, external IP pools and
# egresses. failurePolicy is unset (v1 default: Fail), and this manifest runs
# the antrea-controller Deployment behind the antrea Service with a single
# replica and the Recreate strategy. Writes to these resources are therefore
# rejected while the controller is unavailable.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app: antrea
  name: crdvalidator.antrea.io
webhooks:
  - admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        name: antrea
        namespace: kube-system
        path: /validate/tier
    name: tiervalidator.antrea.io
    rules:
      - apiGroups:
          - crd.antrea.io
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
          - DELETE
        resources:
          - tiers
        scope: Cluster
    sideEffects: None
    timeoutSeconds: 5
  - admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        name: antrea
        namespace: kube-system
        path: /validate/acnp
    name: acnpvalidator.antrea.io
    rules:
      - apiGroups:
          - crd.antrea.io
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
          - DELETE
        resources:
          - clusternetworkpolicies
        scope: Cluster
    sideEffects: None
    timeoutSeconds: 5
  - admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        name: antrea
        namespace: kube-system
        path: /validate/anp
    name: anpvalidator.antrea.io
    rules:
      - apiGroups:
          - crd.antrea.io
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
          - DELETE
        resources:
          - networkpolicies
        scope: Namespaced
    sideEffects: None
    timeoutSeconds: 5
  # DELETE of clustergroups is not validated in this group, while the legacy
  # clustergroup webhook further down does include DELETE.
  # NOTE(review): confirm the difference is intended.
  - admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        name: antrea
        namespace: kube-system
        path: /validate/clustergroup
    name: clustergroupvalidator.antrea.io
    rules:
      - apiGroups:
          - crd.antrea.io
        apiVersions:
          - v1alpha3
          - v1alpha2
        operations:
          - CREATE
          - UPDATE
        resources:
          - clustergroups
        scope: Cluster
    sideEffects: None
    timeoutSeconds: 5
  # Only UPDATE is validated for externalippools.
  - admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        name: antrea
        namespace: kube-system
        path: /validate/externalippool
    name: externalippoolvalidator.antrea.io
    rules:
      - apiGroups:
          - crd.antrea.io
        apiVersions:
          - v1alpha2
        operations:
          - UPDATE
        resources:
          - externalippools
        scope: Cluster
    sideEffects: None
    timeoutSeconds: 5
  - admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        name: antrea
        namespace: kube-system
        path: /validate/egress
    name: egressvalidator.antrea.io
    rules:
      - apiGroups:
          - crd.antrea.io
        apiVersions:
          - v1alpha2
        operations:
          - CREATE
          - UPDATE
        resources:
          - egresses
        scope: Cluster
    sideEffects: None
    timeoutSeconds: 5
---
# Validating admission webhooks for the legacy tanzu.vmware.com groups.
# The operation lists differ from the crd.antrea.io configuration above:
# the acnp and anp validators here cover CREATE and UPDATE only (DELETE is
# also validated for crd.antrea.io), while the clustergroup validator here
# additionally covers DELETE.
# NOTE(review): confirm these gaps are intended. A DELETE that no webhook
# matches is admitted without validation.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app: antrea
  name: crdvalidator.antrea.tanzu.vmware.com
webhooks:
  - admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        name: antrea
        namespace: kube-system
        path: /validate/tier
    name: tiervalidator.antrea.tanzu.vmware.com
    rules:
      - apiGroups:
          - security.antrea.tanzu.vmware.com
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
          - DELETE
        resources:
          - tiers
        scope: Cluster
    sideEffects: None
    timeoutSeconds: 5
  - admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        name: antrea
        namespace: kube-system
        path: /validate/acnp
    name: acnpvalidator.antrea.tanzu.vmware.com
    rules:
      - apiGroups:
          - security.antrea.tanzu.vmware.com
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
        resources:
          - clusternetworkpolicies
        scope: Cluster
    sideEffects: None
    timeoutSeconds: 5
  - admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        name: antrea
        namespace: kube-system
        path: /validate/anp
    name: anpvalidator.antrea.tanzu.vmware.com
    rules:
      - apiGroups:
          - security.antrea.tanzu.vmware.com
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
        resources:
          - networkpolicies
        scope: Namespaced
    sideEffects: None
    timeoutSeconds: 5
  - admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        name: antrea
        namespace: kube-system
        path: /validate/clustergroup
    name: clustergroupvalidator.antrea.tanzu.vmware.com
    rules:
      - apiGroups:
          - core.antrea.tanzu.vmware.com
        apiVersions:
          - v1alpha2
        operations:
          - CREATE
          - UPDATE
          - DELETE
        resources:
          - clustergroups
        scope: Cluster
    sideEffects: None
    timeoutSeconds: 5