0%
Antrea Deployment YAML
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
name: antreaagentinfos.clusterinformation.antrea.tanzu.vmware.com
spec:
group: clusterinformation.antrea.tanzu.vmware.com
names:
kind: AntreaAgentInfo
plural: antreaagentinfos
shortNames:
- laai
singular: antreaagentinfo
scope: Cluster
versions:
- name: v1beta1
schema:
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
name: antreaagentinfos.crd.antrea.io
spec:
group: crd.antrea.io
names:
kind: AntreaAgentInfo
plural: antreaagentinfos
shortNames:
- aai
singular: antreaagentinfo
scope: Cluster
versions:
- name: v1beta1
schema:
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
name: antreacontrollerinfos.clusterinformation.antrea.tanzu.vmware.com
spec:
group: clusterinformation.antrea.tanzu.vmware.com
names:
kind: AntreaControllerInfo
plural: antreacontrollerinfos
shortNames:
- laci
singular: antreacontrollerinfo
scope: Cluster
versions:
- name: v1beta1
schema:
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
name: antreacontrollerinfos.crd.antrea.io
spec:
group: crd.antrea.io
names:
kind: AntreaControllerInfo
plural: antreacontrollerinfos
shortNames:
- aci
singular: antreacontrollerinfo
scope: Cluster
versions:
- name: v1beta1
schema:
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
name: clustergroups.core.antrea.tanzu.vmware.com
spec:
group: core.antrea.tanzu.vmware.com
names:
kind: ClusterGroup
plural: clustergroups
shortNames:
- lcg
singular: group
scope: Cluster
versions:
- name: v1alpha2
schema:
openAPIV3Schema:
properties:
spec:
properties:
childGroups:
items:
type: string
type: array
externalEntitySelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
ipBlock:
properties:
cidr:
format: cidr
type: string
type: object
ipBlocks:
items:
properties:
cidr:
format: cidr
type: string
type: object
type: array
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
podSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
serviceReference:
properties:
name:
type: string
namespace:
type: string
type: object
type: object
status:
properties:
conditions:
items:
properties:
lastTransitionTime:
type: string
status:
type: string
type:
type: string
type: object
type: array
type: object
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
name: clustergroups.crd.antrea.io
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
service:
name: antrea
namespace: kube-system
path: /convert/clustergroup
conversionReviewVersions:
- v1
- v1beta1
group: crd.antrea.io
names:
kind: ClusterGroup
plural: clustergroups
shortNames:
- cg
singular: group
scope: Cluster
versions:
- name: v1alpha2
schema:
openAPIV3Schema:
properties:
spec:
properties:
childGroups:
items:
type: string
type: array
externalEntitySelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
ipBlock:
properties:
cidr:
format: cidr
type: string
type: object
ipBlocks:
items:
properties:
cidr:
format: cidr
type: string
type: object
type: array
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
podSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
serviceReference:
properties:
name:
type: string
namespace:
type: string
type: object
type: object
status:
properties:
conditions:
items:
properties:
lastTransitionTime:
type: string
status:
type: string
type:
type: string
type: object
type: array
type: object
type: object
served: true
storage: false
- name: v1alpha3
schema:
openAPIV3Schema:
properties:
spec:
properties:
childGroups:
items:
type: string
type: array
externalEntitySelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
ipBlocks:
items:
properties:
cidr:
format: cidr
type: string
type: object
type: array
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
podSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
serviceReference:
properties:
name:
type: string
namespace:
type: string
type: object
type: object
status:
properties:
conditions:
items:
properties:
lastTransitionTime:
type: string
status:
type: string
type:
type: string
type: object
type: array
type: object
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
name: clusternetworkpolicies.crd.antrea.io
spec:
group: crd.antrea.io
names:
kind: ClusterNetworkPolicy
plural: clusternetworkpolicies
shortNames:
- acnp
singular: clusternetworkpolicy
scope: Cluster
versions:
- additionalPrinterColumns:
- description: The Tier to which this ClusterNetworkPolicy belongs to.
jsonPath: .spec.tier
name: Tier
type: string
- description: The Priority of this ClusterNetworkPolicy relative to other policies.
format: float
jsonPath: .spec.priority
name: Priority
type: number
- description: The total number of Nodes that should realize the NetworkPolicy.
format: int32
jsonPath: .status.desiredNodesRealized
name: Desired Nodes
type: number
- description: The number of Nodes that have realized the NetworkPolicy.
format: int32
jsonPath: .status.currentNodesRealized
name: Current Nodes
type: number
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
properties:
spec:
properties:
appliedTo:
items:
properties:
group:
type: string
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
podSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
egress:
items:
properties:
action:
enum:
- Allow
- Drop
- Reject
type: string
appliedTo:
items:
properties:
group:
type: string
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
podSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
enableLogging:
type: boolean
name:
type: string
ports:
items:
properties:
endPort:
type: integer
port:
x-kubernetes-int-or-string: true
protocol:
type: string
type: object
type: array
to:
items:
properties:
fqdn:
type: string
group:
type: string
ipBlock:
properties:
cidr:
format: cidr
type: string
type: object
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
required:
- action
type: object
type: array
ingress:
items:
properties:
action:
enum:
- Allow
- Drop
- Reject
type: string
appliedTo:
items:
properties:
group:
type: string
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
podSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
enableLogging:
type: boolean
from:
items:
properties:
group:
type: string
ipBlock:
properties:
cidr:
format: cidr
type: string
type: object
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
name:
type: string
ports:
items:
properties:
endPort:
type: integer
port:
x-kubernetes-int-or-string: true
protocol:
type: string
type: object
type: array
required:
- action
type: object
type: array
priority:
format: float
maximum: 10000
minimum: 1
type: number
tier:
type: string
required:
- priority
type: object
status:
properties:
currentNodesRealized:
type: integer
desiredNodesRealized:
type: integer
observedGeneration:
type: integer
phase:
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
name: clusternetworkpolicies.security.antrea.tanzu.vmware.com
spec:
group: security.antrea.tanzu.vmware.com
names:
kind: ClusterNetworkPolicy
plural: clusternetworkpolicies
shortNames:
- lacnp
singular: clusternetworkpolicy
scope: Cluster
versions:
- additionalPrinterColumns:
- description: The Tier to which this ClusterNetworkPolicy belongs to.
jsonPath: .spec.tier
name: Tier
type: string
- description: The Priority of this ClusterNetworkPolicy relative to other policies.
format: float
jsonPath: .spec.priority
name: Priority
type: number
- description: The total number of Nodes that should realize the NetworkPolicy.
format: int32
jsonPath: .status.desiredNodesRealized
name: Desired Nodes
type: number
- description: The number of Nodes that have realized the NetworkPolicy.
format: int32
jsonPath: .status.currentNodesRealized
name: Current Nodes
type: number
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
properties:
spec:
properties:
appliedTo:
items:
properties:
group:
type: string
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
podSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
egress:
items:
properties:
action:
enum:
- Allow
- Drop
- Reject
type: string
appliedTo:
items:
properties:
group:
type: string
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
podSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
enableLogging:
type: boolean
name:
type: string
ports:
items:
properties:
endPort:
type: integer
port:
x-kubernetes-int-or-string: true
protocol:
type: string
type: object
type: array
to:
items:
properties:
group:
type: string
ipBlock:
properties:
cidr:
format: cidr
type: string
type: object
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
required:
- action
type: object
type: array
ingress:
items:
properties:
action:
enum:
- Allow
- Drop
- Reject
type: string
appliedTo:
items:
properties:
group:
type: string
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
podSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
enableLogging:
type: boolean
from:
items:
properties:
group:
type: string
ipBlock:
properties:
cidr:
format: cidr
type: string
type: object
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
name:
type: string
ports:
items:
properties:
endPort:
type: integer
port:
x-kubernetes-int-or-string: true
protocol:
type: string
type: object
type: array
required:
- action
type: object
type: array
priority:
format: float
maximum: 10000
minimum: 1
type: number
tier:
type: string
required:
- priority
type: object
status:
properties:
currentNodesRealized:
type: integer
desiredNodesRealized:
type: integer
observedGeneration:
type: integer
phase:
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
name: egresses.crd.antrea.io
spec:
group: crd.antrea.io
names:
kind: Egress
plural: egresses
shortNames:
- eg
singular: egress
scope: Cluster
versions:
- additionalPrinterColumns:
- description: Specifies the SNAT IP address for the selected workloads.
jsonPath: .spec.egressIP
name: EgressIP
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- description: The Owner Node of egress IP
jsonPath: .status.egressNode
name: Node
type: string
name: v1alpha2
schema:
openAPIV3Schema:
properties:
spec:
anyOf:
- required:
- egressIP
- required:
- externalIPPool
properties:
appliedTo:
properties:
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
podSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
egressIP:
oneOf:
- format: ipv4
- format: ipv6
type: string
externalIPPool:
type: string
required:
- appliedTo
type: object
status:
properties:
egressNode:
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
name: externalentities.core.antrea.tanzu.vmware.com
spec:
group: core.antrea.tanzu.vmware.com
names:
kind: ExternalEntity
plural: externalentities
shortNames:
- lee
singular: externalentity
scope: Namespaced
versions:
- name: v1alpha2
schema:
openAPIV3Schema:
properties:
spec:
properties:
endpoints:
items:
properties:
ip:
oneOf:
- format: ipv4
- format: ipv6
type: string
name:
type: string
type: object
type: array
externalNode:
type: string
ports:
items:
properties:
name:
type: string
port:
x-kubernetes-int-or-string: true
protocol:
type: string
type: object
type: array
type: object
type: object
served: true
storage: true
- name: v1alpha1
schema:
openAPIV3Schema:
type: object
served: false
storage: false
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
name: externalentities.crd.antrea.io
spec:
group: crd.antrea.io
names:
kind: ExternalEntity
plural: externalentities
shortNames:
- ee
singular: externalentity
scope: Namespaced
versions:
- name: v1alpha2
schema:
openAPIV3Schema:
properties:
spec:
properties:
endpoints:
items:
properties:
ip:
oneOf:
- format: ipv4
- format: ipv6
type: string
name:
type: string
type: object
type: array
externalNode:
type: string
ports:
items:
properties:
name:
type: string
port:
x-kubernetes-int-or-string: true
protocol:
type: string
type: object
type: array
type: object
type: object
served: true
storage: true
- name: v1alpha1
schema:
openAPIV3Schema:
type: object
served: false
storage: false
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
name: externalippools.crd.antrea.io
spec:
group: crd.antrea.io
names:
kind: ExternalIPPool
plural: externalippools
shortNames:
- eip
singular: externalippool
scope: Cluster
versions:
- name: v1alpha2
schema:
openAPIV3Schema:
properties:
spec:
properties:
ipRanges:
items:
oneOf:
- required:
- cidr
- required:
- start
- end
properties:
cidr:
format: cidr
type: string
end:
oneOf:
- format: ipv4
- format: ipv6
type: string
start:
oneOf:
- format: ipv4
- format: ipv6
type: string
type: object
type: array
nodeSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
required:
- ipRanges
- nodeSelector
type: object
required:
- spec
type: object
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
name: networkpolicies.crd.antrea.io
spec:
group: crd.antrea.io
names:
kind: NetworkPolicy
plural: networkpolicies
shortNames:
- anp
singular: networkpolicy
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The Tier to which this Antrea NetworkPolicy belongs to.
jsonPath: .spec.tier
name: Tier
type: string
- description: The Priority of this Antrea NetworkPolicy relative to other policies.
format: float
jsonPath: .spec.priority
name: Priority
type: number
- description: The total number of Nodes that should realize the NetworkPolicy.
format: int32
jsonPath: .status.desiredNodesRealized
name: Desired Nodes
type: number
- description: The number of Nodes that have realized the NetworkPolicy.
format: int32
jsonPath: .status.currentNodesRealized
name: Current Nodes
type: number
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
properties:
spec:
properties:
appliedTo:
items:
properties:
podSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
egress:
items:
properties:
action:
enum:
- Allow
- Drop
- Reject
type: string
appliedTo:
items:
properties:
podSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
enableLogging:
type: boolean
name:
type: string
ports:
items:
properties:
endPort:
type: integer
port:
x-kubernetes-int-or-string: true
protocol:
type: string
type: object
type: array
to:
items:
properties:
externalEntitySelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
fqdn:
type: string
ipBlock:
properties:
cidr:
format: cidr
type: string
type: object
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
podSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
required:
- action
type: object
type: array
ingress:
items:
properties:
action:
enum:
- Allow
- Drop
- Reject
type: string
appliedTo:
items:
properties:
podSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
enableLogging:
type: boolean
from:
items:
properties:
externalEntitySelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
ipBlock:
properties:
cidr:
format: cidr
type: string
type: object
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
podSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
name:
type: string
ports:
items:
properties:
endPort:
type: integer
port:
x-kubernetes-int-or-string: true
protocol:
type: string
type: object
type: array
required:
- action
type: object
type: array
priority:
format: float
maximum: 10000
minimum: 1
type: number
tier:
type: string
required:
- priority
type: object
status:
properties:
currentNodesRealized:
type: integer
desiredNodesRealized:
type: integer
observedGeneration:
type: integer
phase:
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
name: networkpolicies.security.antrea.tanzu.vmware.com
spec:
group: security.antrea.tanzu.vmware.com
names:
kind: NetworkPolicy
plural: networkpolicies
shortNames:
- lanp
singular: networkpolicy
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The Tier to which this Antrea NetworkPolicy belongs to.
jsonPath: .spec.tier
name: Tier
type: string
- description: The Priority of this Antrea NetworkPolicy relative to other policies.
format: float
jsonPath: .spec.priority
name: Priority
type: number
- description: The total number of Nodes that should realize the NetworkPolicy.
format: int32
jsonPath: .status.desiredNodesRealized
name: Desired Nodes
type: number
- description: The number of Nodes that have realized the NetworkPolicy.
format: int32
jsonPath: .status.currentNodesRealized
name: Current Nodes
type: number
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
properties:
spec:
properties:
appliedTo:
items:
properties:
podSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
egress:
items:
properties:
action:
enum:
- Allow
- Drop
- Reject
type: string
appliedTo:
items:
properties:
podSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
enableLogging:
type: boolean
name:
type: string
ports:
items:
properties:
endPort:
type: integer
port:
x-kubernetes-int-or-string: true
protocol:
type: string
type: object
type: array
to:
items:
properties:
externalEntitySelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
ipBlock:
properties:
cidr:
format: cidr
type: string
type: object
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
podSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
required:
- action
type: object
type: array
ingress:
items:
properties:
action:
enum:
- Allow
- Drop
- Reject
type: string
appliedTo:
items:
properties:
podSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
enableLogging:
type: boolean
from:
items:
properties:
externalEntitySelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
ipBlock:
properties:
cidr:
format: cidr
type: string
type: object
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
podSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
name:
type: string
ports:
items:
properties:
endPort:
type: integer
port:
x-kubernetes-int-or-string: true
protocol:
type: string
type: object
type: array
required:
- action
type: object
type: array
priority:
format: float
maximum: 10000
minimum: 1
type: number
tier:
type: string
required:
- priority
type: object
status:
properties:
currentNodesRealized:
type: integer
desiredNodesRealized:
type: integer
observedGeneration:
type: integer
phase:
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
name: tierentitlementbindings.crd.antrea.tanzu.vmware.com
spec:
group: crd.antrea.tanzu.vmware.com
names:
kind: TierEntitlementBinding
plural: tierentitlementbindings
shortNames:
- teb
singular: tierentitlementbinding
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
spec:
properties:
subjects:
items:
properties:
apiGroup:
enum:
- rbac.authorization.k8s.io
type: string
kind:
enum:
- User
- Group
- ServiceAccount
type: string
name:
type: string
namespace:
type: string
type: object
type: array
tierEntitlement:
type: string
required:
- tierEntitlement
- subjects
type: object
type: object
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
name: tierentitlements.crd.antrea.tanzu.vmware.com
spec:
group: crd.antrea.tanzu.vmware.com
names:
kind: TierEntitlement
plural: tierentitlements
shortNames:
- te
singular: tierentitlement
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
spec:
properties:
permission:
enum:
- edit
- read
type: string
tiers:
items:
type: string
type: array
required:
- permission
- tiers
type: object
type: object
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
name: tiers.crd.antrea.io
spec:
group: crd.antrea.io
names:
kind: Tier
plural: tiers
shortNames:
- tr
singular: tier
scope: Cluster
versions:
- additionalPrinterColumns:
- description: The Priority of this Tier relative to other Tiers.
jsonPath: .spec.priority
name: Priority
type: integer
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
properties:
spec:
properties:
description:
type: string
priority:
maximum: 255
minimum: 0
type: integer
required:
- priority
type: object
type: object
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
name: tiers.security.antrea.tanzu.vmware.com
spec:
group: security.antrea.tanzu.vmware.com
names:
kind: Tier
plural: tiers
shortNames:
- ltr
singular: tier
scope: Cluster
versions:
- additionalPrinterColumns:
- description: The Priority of this Tier relative to other Tiers.
jsonPath: .spec.priority
name: Priority
type: integer
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
properties:
spec:
properties:
description:
type: string
priority:
maximum: 255
minimum: 0
type: integer
required:
- priority
type: object
type: object
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
name: traceflows.crd.antrea.io
spec:
group: crd.antrea.io
names:
kind: Traceflow
plural: traceflows
shortNames:
- tf
singular: traceflow
scope: Cluster
versions:
- additionalPrinterColumns:
- description: The phase of the Traceflow.
jsonPath: .status.phase
name: Phase
type: string
- description: The name of the source Pod.
jsonPath: .spec.source.pod
name: Source-Pod
priority: 10
type: string
- description: The name of the destination Pod.
jsonPath: .spec.destination.pod
name: Destination-Pod
priority: 10
type: string
- description: The IP address of the destination.
jsonPath: .spec.destination.ip
name: Destination-IP
priority: 10
type: string
- description: Trace live traffic.
jsonPath: .spec.liveTraffic
name: Live-Traffic
priority: 10
type: boolean
- description: Capture only the dropped packet.
jsonPath: .spec.droppedOnly
name: Dropped-Only
priority: 10
type: boolean
- description: Timeout in seconds.
jsonPath: .spec.timeout
name: Timeout
priority: 10
type: integer
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
properties:
spec:
properties:
destination:
properties:
ip:
oneOf:
- format: ipv4
- format: ipv6
type: string
namespace:
type: string
pod:
type: string
service:
type: string
type: object
droppedOnly:
type: boolean
liveTraffic:
type: boolean
packet:
properties:
ipHeader:
properties:
flags:
type: integer
protocol:
type: integer
srcIP:
oneOf:
- format: ipv4
- format: ipv6
type: string
ttl:
type: integer
type: object
ipv6Header:
properties:
hopLimit:
type: integer
nextHeader:
type: integer
srcIP:
format: ipv6
type: string
type: object
transportHeader:
properties:
icmp:
properties:
id:
type: integer
sequence:
type: integer
type: object
tcp:
properties:
dstPort:
type: integer
flags:
type: integer
srcPort:
type: integer
type: object
udp:
properties:
dstPort:
type: integer
srcPort:
type: integer
type: object
type: object
type: object
source:
properties:
ip:
oneOf:
- format: ipv4
- format: ipv6
type: string
namespace:
type: string
pod:
type: string
type: object
timeout:
type: integer
type: object
status:
properties:
capturedPacket:
properties:
dstIP:
type: string
ipHeader:
properties:
flags:
type: integer
protocol:
type: integer
ttl:
type: integer
type: object
ipv6Header:
properties:
hopLimit:
type: integer
nextHeader:
type: integer
type: object
length:
type: integer
srcIP:
type: string
transportHeader:
properties:
icmp:
properties:
id:
type: integer
sequence:
type: integer
type: object
tcp:
properties:
dstPort:
type: integer
flags:
type: integer
srcPort:
type: integer
type: object
udp:
properties:
dstPort:
type: integer
srcPort:
type: integer
type: object
type: object
type: object
dataplaneTag:
type: integer
phase:
type: string
reason:
type: string
results:
items:
properties:
node:
type: string
observations:
items:
properties:
action:
type: string
component:
type: string
componentInfo:
type: string
dstMAC:
type: string
networkPolicy:
type: string
pod:
type: string
translatedDstIP:
type: string
translatedSrcIP:
type: string
ttl:
type: integer
tunnelDstIP:
type: string
type: object
type: array
role:
type: string
timestamp:
type: integer
type: object
type: array
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
name: traceflows.ops.antrea.tanzu.vmware.com
spec:
group: ops.antrea.tanzu.vmware.com
names:
kind: Traceflow
plural: traceflows
shortNames:
- ltf
singular: traceflow
scope: Cluster
versions:
- additionalPrinterColumns:
- description: The phase of the Traceflow.
jsonPath: .status.phase
name: Phase
type: string
- description: The name of the source Pod.
jsonPath: .spec.source.pod
name: Source-Pod
priority: 10
type: string
- description: The name of the destination Pod.
jsonPath: .spec.destination.pod
name: Destination-Pod
priority: 10
type: string
- description: The IP address of the destination.
jsonPath: .spec.destination.ip
name: Destination-IP
priority: 10
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
properties:
spec:
properties:
destination:
properties:
ip:
oneOf:
- format: ipv4
- format: ipv6
type: string
namespace:
type: string
pod:
type: string
service:
type: string
type: object
packet:
properties:
ipHeader:
properties:
flags:
type: integer
protocol:
type: integer
srcIP:
oneOf:
- format: ipv4
- format: ipv6
type: string
ttl:
type: integer
type: object
ipv6Header:
properties:
hopLimit:
type: integer
nextHeader:
type: integer
srcIP:
format: ipv6
type: string
type: object
transportHeader:
properties:
icmp:
properties:
id:
type: integer
sequence:
type: integer
type: object
tcp:
properties:
dstPort:
type: integer
flags:
type: integer
srcPort:
type: integer
type: object
udp:
properties:
dstPort:
type: integer
srcPort:
type: integer
type: object
type: object
type: object
source:
properties:
namespace:
type: string
pod:
type: string
required:
- pod
- namespace
type: object
required:
- source
type: object
status:
properties:
dataplaneTag:
type: integer
phase:
type: string
reason:
type: string
results:
items:
properties:
node:
type: string
observations:
items:
properties:
action:
type: string
component:
type: string
componentInfo:
type: string
dstMAC:
type: string
networkPolicy:
type: string
pod:
type: string
translatedDstIP:
type: string
translatedSrcIP:
type: string
ttl:
type: integer
tunnelDstIP:
type: string
type: object
type: array
role:
type: string
timestamp:
type: integer
type: object
type: array
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: antrea
name: antctl
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: antrea
name: antrea-agent
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: antrea
name: antrea-controller
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: antrea
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: aggregate-antrea-clustergroups-edit
rules:
- apiGroups:
- core.antrea.tanzu.vmware.com
resources:
- clustergroups
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- crd.antrea.io
resources:
- clustergroups
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: antrea
rbac.authorization.k8s.io/aggregate-to-view: "true"
name: aggregate-antrea-clustergroups-view
rules:
- apiGroups:
- core.antrea.tanzu.vmware.com
resources:
- clustergroups
verbs:
- get
- list
- watch
- apiGroups:
- crd.antrea.io
resources:
- clustergroups
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: antrea
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: aggregate-antrea-policies-edit
rules:
- apiGroups:
- security.antrea.tanzu.vmware.com
resources:
- clusternetworkpolicies
- networkpolicies
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- crd.antrea.io
resources:
- clusternetworkpolicies
- networkpolicies
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: antrea
rbac.authorization.k8s.io/aggregate-to-view: "true"
name: aggregate-antrea-policies-view
rules:
- apiGroups:
- security.antrea.tanzu.vmware.com
resources:
- clusternetworkpolicies
- networkpolicies
verbs:
- get
- list
- watch
- apiGroups:
- crd.antrea.io
resources:
- clusternetworkpolicies
- networkpolicies
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: antrea
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: aggregate-traceflows-edit
rules:
- apiGroups:
- ops.antrea.tanzu.vmware.com
resources:
- traceflows
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- crd.antrea.io
resources:
- traceflows
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: antrea
rbac.authorization.k8s.io/aggregate-to-view: "true"
name: aggregate-traceflows-view
rules:
- apiGroups:
- ops.antrea.tanzu.vmware.com
resources:
- traceflows
verbs:
- get
- list
- watch
- apiGroups:
- crd.antrea.io
resources:
- traceflows
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: antrea
name: antctl
rules:
- apiGroups:
- controlplane.antrea.tanzu.vmware.com
- controlplane.antrea.io
resources:
- networkpolicies
- appliedtogroups
- addressgroups
verbs:
- get
- list
- apiGroups:
- stats.antrea.tanzu.vmware.com
- stats.antrea.io
resources:
- networkpolicystats
- antreaclusternetworkpolicystats
- antreanetworkpolicystats
verbs:
- get
- list
- apiGroups:
- system.antrea.tanzu.vmware.com
- system.antrea.io
resources:
- controllerinfos
- agentinfos
verbs:
- get
- apiGroups:
- system.antrea.tanzu.vmware.com
- system.antrea.io
resources:
- supportbundles
verbs:
- get
- post
- apiGroups:
- system.antrea.tanzu.vmware.com
- system.antrea.io
resources:
- supportbundles/download
verbs:
- get
- nonResourceURLs:
- /agentinfo
- /addressgroups
- /appliedtogroups
- /loglevel
- /networkpolicies
- /ovsflows
- /ovstracing
- /podinterfaces
- /featuregates
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: antrea
name: antrea-agent
rules:
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- watch
- list
- patch
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- watch
- list
- patch
- apiGroups:
- ""
resources:
- endpoints
- services
verbs:
- get
- watch
- list
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- watch
- list
- apiGroups:
- clusterinformation.antrea.tanzu.vmware.com
- crd.antrea.io
resources:
- antreaagentinfos
verbs:
- get
- create
- update
- delete
- apiGroups:
- controlplane.antrea.tanzu.vmware.com
- controlplane.antrea.io
resources:
- networkpolicies
- appliedtogroups
- addressgroups
verbs:
- get
- watch
- list
- apiGroups:
- controlplane.antrea.io
resources:
- egressgroups
verbs:
- get
- watch
- list
- apiGroups:
- controlplane.antrea.tanzu.vmware.com
- controlplane.antrea.io
resources:
- nodestatssummaries
verbs:
- create
- apiGroups:
- controlplane.antrea.tanzu.vmware.com
- controlplane.antrea.io
resources:
- networkpolicies/status
verbs:
- create
- get
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- ""
resourceNames:
- extension-apiserver-authentication
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- ""
resourceNames:
- antrea-ca
resources:
- configmaps
verbs:
- get
- watch
- list
- apiGroups:
- ops.antrea.tanzu.vmware.com
- crd.antrea.io
resources:
- traceflows
- traceflows/status
verbs:
- get
- watch
- list
- update
- patch
- create
- delete
- apiGroups:
- crd.antrea.io
resources:
- egresses
verbs:
- get
- watch
- list
- apiGroups:
- crd.antrea.io
resources:
- egresses/status
verbs:
- update
- apiGroups:
- crd.antrea.io
resources:
- externalippools
verbs:
- get
- watch
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: antrea
name: antrea-cluster-identity-reader
rules:
- apiGroups:
- ""
resourceNames:
- antrea-cluster-identity
resources:
- configmaps
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: antrea
name: antrea-controller
rules:
- apiGroups:
- ""
resources:
- pods
- namespaces
- services
- configmaps
verbs:
- get
- watch
- list
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- watch
- list
- patch
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- get
- watch
- list
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- update
- apiGroups:
- ""
resourceNames:
- extension-apiserver-authentication
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- ""
resourceNames:
- antrea-ca
- antrea-cluster-identity
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- apiGroups:
- ""
resourceNames:
- antrea-config-c48mcgtk29
resources:
- configmaps
verbs:
- get
- apiGroups:
- apiregistration.k8s.io
resourceNames:
- v1alpha1.stats.antrea.tanzu.vmware.com
- v1beta1.system.antrea.tanzu.vmware.com
- v1beta2.controlplane.antrea.tanzu.vmware.com
- v1beta1.controlplane.antrea.tanzu.vmware.com
- v1alpha1.stats.antrea.io
- v1beta1.system.antrea.io
- v1beta2.controlplane.antrea.io
resources:
- apiservices
verbs:
- get
- update
- apiGroups:
- apiregistration.k8s.io
resourceNames:
- v1beta1.networking.antrea.tanzu.vmware.com
resources:
- apiservices
verbs:
- delete
- apiGroups:
- admissionregistration.k8s.io
resourceNames:
- crdmutator.antrea.tanzu.vmware.com
- crdvalidator.antrea.tanzu.vmware.com
- labelsmutator.antrea.io
- crdmutator.antrea.io
- crdvalidator.antrea.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- get
- update
- apiGroups:
- crd.antrea.io
resources:
- antreacontrollerinfos
verbs:
- get
- create
- update
- delete
- apiGroups:
- crd.antrea.io
resources:
- antreaagentinfos
verbs:
- list
- delete
- apiGroups:
- crd.antrea.io
resources:
- clusternetworkpolicies
- networkpolicies
verbs:
- get
- watch
- list
- update
- patch
- create
- delete
- apiGroups:
- crd.antrea.io
resources:
- clusternetworkpolicies/status
- networkpolicies/status
verbs:
- update
- apiGroups:
- crd.antrea.io
resources:
- tiers
verbs:
- get
- watch
- list
- update
- patch
- create
- delete
- apiGroups:
- crd.antrea.io
resources:
- traceflows
- traceflows/status
verbs:
- get
- watch
- list
- update
- patch
- create
- delete
- apiGroups:
- crd.antrea.io
resources:
- externalentities
- clustergroups
verbs:
- get
- watch
- list
- update
- patch
- create
- delete
- apiGroups:
- crd.antrea.io
resources:
- clustergroups/status
verbs:
- update
- apiGroups:
- crd.antrea.io
resources:
- egresses
verbs:
- get
- watch
- list
- update
- patch
- apiGroups:
- crd.antrea.io
resources:
- externalippools
verbs:
- get
- watch
- list
- apiGroups:
- clusterinformation.antrea.tanzu.vmware.com
resources:
- antreacontrollerinfos
verbs:
- get
- create
- update
- delete
- apiGroups:
- clusterinformation.antrea.tanzu.vmware.com
resources:
- antreaagentinfos
verbs:
- list
- delete
- apiGroups:
- security.antrea.tanzu.vmware.com
resources:
- clusternetworkpolicies
- networkpolicies
verbs:
- get
- watch
- list
- update
- patch
- create
- delete
- apiGroups:
- security.antrea.tanzu.vmware.com
resources:
- clusternetworkpolicies/status
- networkpolicies/status
verbs:
- update
- apiGroups:
- security.antrea.tanzu.vmware.com
resources:
- tiers
verbs:
- get
- watch
- list
- update
- patch
- create
- delete
- apiGroups:
- crd.antrea.tanzu.vmware.com
resources:
- tierentitlements
- tierentitlementbindings
verbs:
- get
- watch
- list
- apiGroups:
- ops.antrea.tanzu.vmware.com
resources:
- traceflows
- traceflows/status
verbs:
- get
- watch
- list
- update
- patch
- create
- delete
- apiGroups:
- core.antrea.tanzu.vmware.com
resources:
- externalentities
- clustergroups
verbs:
- get
- watch
- list
- update
- patch
- create
- delete
- apiGroups:
- core.antrea.tanzu.vmware.com
resources:
- clustergroups/status
verbs:
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: antrea
name: antctl
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: antctl
subjects:
- kind: ServiceAccount
name: antctl
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: antrea
name: antrea-agent
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: antrea-agent
subjects:
- kind: ServiceAccount
name: antrea-agent
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: antrea
name: antrea-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: antrea-controller
subjects:
- kind: ServiceAccount
name: antrea-controller
namespace: kube-system
---
apiVersion: v1
data:
antrea-agent-tweaker.conf: |-
# Enable disableUdpTunnelOffload will disable udp tunnel offloading feature on kubernetes node's default interface.
# By default, no actions will be taken.
disableUdpTunnelOffload: false
kind: ConfigMap
metadata:
labels:
app: antrea
name: antrea-agent-tweaker-g56hc6fh8t
namespace: kube-system
---
apiVersion: v1
data:
antrea-agent.conf: |
# FeatureGates is a map of feature names to bools that enable or disable experimental features.
featureGates:
# Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent.
# It should be enabled on Windows, otherwise NetworkPolicy will not take effect on
# Service traffic.
# AntreaProxy: true
# Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice
# API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled,
# this flag will not take effect.
# EndpointSlice: false
# Enable traceflow which provides packet tracing feature to diagnose network issue.
# Traceflow: true
# Enable NodePortLocal feature to make the pods reachable externally through NodePort
# NodePortLocal: false
# Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
# to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
# feature that supports priorities, rule actions and externalEntities in the future.
# AntreaPolicy: true
# Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each
# agent to a configured collector.
# FlowExporter: false
# Enable collecting and exposing NetworkPolicy statistics.
# NetworkPolicyStats: true
# Enable controlling SNAT IPs of Pod egress traffic.
# Egress: false
# Name of the OpenVSwitch bridge antrea-agent will create and use.
# Make sure it doesn't conflict with your existing OpenVSwitch bridges.
#ovsBridge: br-int
# Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are:
# - system
# - netdev
# 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run
# OVS in userspace mode. Userspace mode requires the tun device driver to be available.
#ovsDatapathType: system
# Name of the interface antrea-agent will create and use for host <--> pod communication.
# Make sure it doesn't conflict with your existing interfaces.
#hostGateway: antrea-gw0
# Determines how traffic is encapsulated. It has the following options:
# encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network
# traffic is SNAT'd.
# noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is
# SNAT'd if noSNAT is not set to true. Underlying network must be capable of
# supporting Pod traffic across IP subnets.
# hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap.
# networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod
# IPAM and connectivity to the primary CNI.
#
#trafficEncapMode: encap
# Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network.
# This option is for the noEncap traffic mode only, and the default value is false. In the noEncap
# mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to
# the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never
# performs SNAT and this option will be ignored; for other modes it must be set to false.
#noSNAT: false
# Tunnel protocols used for encapsulating traffic across Nodes. Supported values:
# - geneve (default)
# - vxlan
# - gre
# - stt
#tunnelType: geneve
# Default MTU to use for the host gateway interface and the network interface of each Pod.
# If omitted, antrea-agent will discover the MTU of the Node's primary interface and
# also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
#defaultMTU: 0
# Whether or not to enable IPsec encryption of tunnel traffic.
#enableIPSecTunnel: false
# ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
# set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
# AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
#serviceCIDR: 10.96.0.0/12
# ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
# cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
# --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
# No default value for this field.
#serviceCIDRv6:
# The port for the antrea-agent APIServer to serve on.
# Note that if it's set to another value, the `containerPort` of the `api` port of the
# `antrea-agent` container must be set to the same value.
#apiPort: 10350
# Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
#enablePrometheusMetrics: true
# Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
# HOST can either be the DNS name or the IP of the Flow Collector. For example,
# "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect
# to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6.
# However, IPv6 address should be wrapped with [].
# If PORT is empty, we default to 4739, the standard IPFIX port.
# If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
# "udp" protocols. "tls" is used for securing communication between flow exporter and
# flow aggregator.
#flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
# Provide flow poll interval as a duration string. This determines how often the
# flow exporter dumps connections from the conntrack module. Flow poll interval
# should be greater than or equal to 1s (one second).
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
#flowPollInterval: "5s"
# Provide the active flow export timeout, which is the timeout after which a flow
# record is sent to the collector for active flows. Thus, for flows with a continuous
# stream of packets, a flow record will be exported to the collector once the elapsed
# time since the last export event is equal to the value of this timeout.
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
#activeFlowExportTimeout: "30s"
# Provide the idle flow export timeout, which is the timeout after which a flow
# record is sent to the collector for idle flows. A flow is considered idle if no
# packet matching this flow has been observed since the last export event.
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
#idleFlowExportTimeout: "15s"
# Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned
# whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports),
# and all Node traffic directed to that port will be forwarded to the Pod.
#nplPortRange: 61000-62000
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
#kubeAPIServerOverride: ""
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
# https://golang.org/pkg/crypto/tls/#pkg-constants
# Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
# prefer TLS1.3 Cipher Suites whenever possible.
tlsCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384
# TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
#tlsMinVersion:
antrea-cni.conflist: |
{
"cniVersion":"0.3.0",
"name": "antrea",
"plugins": [
{
"type": "antrea",
"ipam": {
"type": "host-local"
}
},
{
"type": "portmap",
"capabilities": {"portMappings": true}
},
{
"type": "bandwidth",
"capabilities": {"bandwidth": true}
}
]
}
antrea-controller.conf: |
# FeatureGates is a map of feature names to bools that enable or disable experimental features.
featureGates:
# Enable traceflow which provides packet tracing feature to diagnose network issue.
# Traceflow: true
# Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
# to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
# feature that supports priorities, rule actions and externalEntities in the future.
# AntreaPolicy: true
# Enable collecting and exposing NetworkPolicy statistics.
# NetworkPolicyStats: true
# Enable controlling SNAT IPs of Pod egress traffic.
# Egress: false
# Run Kubernetes NodeIPAMController with Antrea.
# NodeIPAM: false
# The port for the antrea-controller APIServer to serve on.
# Note that if it's set to another value, the `containerPort` of the `api` port of the
# `antrea-controller` container must be set to the same value.
#apiPort: 10349
# Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
#enablePrometheusMetrics: true
# Indicates whether to use auto-generated self-signed TLS certificate.
# If false, A Secret named "antrea-controller-tls" must be provided with the following keys:
# ca.crt: <CA certificate>
# tls.crt: <TLS certificate>
# tls.key: <TLS private key>
# And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
# antrea-controller container.
#selfSignedCert: true
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
# https://golang.org/pkg/crypto/tls/#pkg-constants
# Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
# prefer TLS1.3 Cipher Suites whenever possible.
tlsCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384
# TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
#tlsMinVersion:
# If Antrea is upgraded from version <= v0.13 and legacy CRDs are used, this option should be
# enabled, otherwise the CRDs created with the legacy API groups will not take any effect and
# work as expected. When the mirroring is enabled, if a legacy CRD is created with legacy API
# groups, mirroring-controller will create a new CRD with the Spec and Labels from the legacy
# CRD. Afterwards, the modification of Spec and Label in legacy CRD will be synchronized to new
# CRD automatically. In addition, the modification of Status in new CRD will also be synchronized
# to legacy CRD automatically. If a legacy CRD is deleted, the corresponding new CRD will be deleted.
# Note that: to decouple a new CRD from the corresponding legacy CRD, the legacy CRD should be
# annotated with "crd.antrea.io/stop-mirror". Afterwards, updates to the legacy CRDs will no
# longer be reflected in the new CRD, and all CRUD operations should be done through the new
# API groups. After adding the annotation, legacy CRDs can be deleted safely without impacting
# new CRDs.
#legacyCRDMirroring: true
# Enable usage reporting (telemetry) to VMware.
#enableUsageReporting: false
nodeIPAM:
# Enable the integrated Node IPAM controller within the Antrea controller.
# enableNodeIPAM: false
# CIDR Ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges.
# The CIDRs could be either IPv4 or IPv6. Value ignored when enableNodeIPAM is false.
# clusterCIDRs: []
# CIDR Ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs.
# Value ignored when enableNodeIPAM is false.
# serviceCIDR:
# serviceCIDRv6:
# Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false
# or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30.
# nodeCIDRMaskSizeIPv4: 24
# Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false
# or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
# nodeCIDRMaskSizeIPv6: 64
kind: ConfigMap
metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-c48mcgtk29
namespace: kube-system
---
apiVersion: v1
kind: Service
metadata:
labels:
app: antrea
name: antrea
namespace: kube-system
spec:
ports:
- port: 443
protocol: TCP
targetPort: api
selector:
app: antrea
component: antrea-controller
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: antrea
component: antrea-controller
name: antrea-controller
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
app: antrea
component: antrea-controller
strategy:
type: Recreate
template:
metadata:
labels:
app: antrea
component: antrea-controller
spec:
containers:
- args:
- --config
- /etc/antrea/antrea-controller.conf
- --logtostderr=false
- --log_dir=/var/log/antrea
- --alsologtostderr
- --log_file_max_size=100
- --log_file_max_num=4
- --v=0
command:
- antrea-controller
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: SERVICEACCOUNT_NAME
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ANTREA_CONFIG_MAP_NAME
value: antrea-config-c48mcgtk29
image: projects.registry.vmware.com/antreainterworking/antrea-advanced-debian:v1.2.4_vmware.1
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 5
httpGet:
host: localhost
path: /livez
port: api
scheme: HTTPS
periodSeconds: 10
timeoutSeconds: 5
name: antrea-controller
ports:
- containerPort: 10349
name: api
protocol: TCP
readinessProbe:
failureThreshold: 5
httpGet:
host: localhost
path: /readyz
port: api
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
resources:
requests:
cpu: 200m
volumeMounts:
- mountPath: /etc/antrea/antrea-controller.conf
name: antrea-config
readOnly: true
subPath: antrea-controller.conf
- mountPath: /var/run/antrea/antrea-controller-tls
name: antrea-controller-tls
- mountPath: /var/log/antrea
name: host-var-log-antrea
hostNetwork: true
nodeSelector:
kubernetes.io/os: linux
priorityClassName: system-cluster-critical
serviceAccountName: antrea-controller
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-c48mcgtk29
name: antrea-config
- name: antrea-controller-tls
secret:
defaultMode: 256
optional: true
secretName: antrea-controller-tls
- hostPath:
path: /var/log/antrea
type: DirectoryOrCreate
name: host-var-log-antrea
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
app: antrea
name: v1alpha1.stats.antrea.io
spec:
group: stats.antrea.io
groupPriorityMinimum: 100
service:
name: antrea
namespace: kube-system
version: v1alpha1
versionPriority: 100
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
app: antrea
name: v1alpha1.stats.antrea.tanzu.vmware.com
spec:
group: stats.antrea.tanzu.vmware.com
groupPriorityMinimum: 100
service:
name: antrea
namespace: kube-system
version: v1alpha1
versionPriority: 100
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
app: antrea
name: v1beta1.controlplane.antrea.tanzu.vmware.com
spec:
group: controlplane.antrea.tanzu.vmware.com
groupPriorityMinimum: 100
service:
name: antrea
namespace: kube-system
version: v1beta1
versionPriority: 100
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
app: antrea
name: v1beta1.system.antrea.io
spec:
group: system.antrea.io
groupPriorityMinimum: 100
service:
name: antrea
namespace: kube-system
version: v1beta1
versionPriority: 100
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
app: antrea
name: v1beta1.system.antrea.tanzu.vmware.com
spec:
group: system.antrea.tanzu.vmware.com
groupPriorityMinimum: 100
service:
name: antrea
namespace: kube-system
version: v1beta1
versionPriority: 100
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
app: antrea
name: v1beta2.controlplane.antrea.io
spec:
group: controlplane.antrea.io
groupPriorityMinimum: 100
service:
name: antrea
namespace: kube-system
version: v1beta2
versionPriority: 100
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
app: antrea
name: v1beta2.controlplane.antrea.tanzu.vmware.com
spec:
group: controlplane.antrea.tanzu.vmware.com
groupPriorityMinimum: 100
service:
name: antrea
namespace: kube-system
version: v1beta2
versionPriority: 100
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
app: antrea
component: antrea-agent
name: antrea-agent
namespace: kube-system
spec:
selector:
matchLabels:
app: antrea
component: antrea-agent
template:
metadata:
annotations:
kubectl.kubernetes.io/default-container: antrea-agent
labels:
app: antrea
component: antrea-agent
spec:
containers:
- args:
- --config
- /etc/antrea/antrea-agent.conf
- --logtostderr=false
- --log_dir=/var/log/antrea
- --alsologtostderr
- --log_file_max_size=100
- --log_file_max_num=4
- --v=0
command:
- antrea-agent
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
image: projects.registry.vmware.com/antreainterworking/antrea-advanced-debian:v1.2.4_vmware.1
imagePullPolicy: IfNotPresent
livenessProbe:
exec:
command:
- /bin/sh
- -c
- container_liveness_probe agent
failureThreshold: 5
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
name: antrea-agent
ports:
- containerPort: 10350
name: api
protocol: TCP
readinessProbe:
failureThreshold: 8
httpGet:
host: localhost
path: /readyz
port: api
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
resources:
requests:
cpu: 200m
securityContext:
privileged: true
volumeMounts:
- mountPath: /etc/antrea/antrea-agent.conf
name: antrea-config
readOnly: true
subPath: antrea-agent.conf
- mountPath: /var/run/antrea
name: host-var-run-antrea
- mountPath: /var/run/openvswitch
name: host-var-run-antrea
subPath: openvswitch
- mountPath: /var/lib/cni
name: host-var-run-antrea
subPath: cni
- mountPath: /var/log/antrea
name: host-var-log-antrea
- mountPath: /host/proc
name: host-proc
readOnly: true
- mountPath: /host/var/run/netns
mountPropagation: HostToContainer
name: host-var-run-netns
readOnly: true
- mountPath: /run/xtables.lock
name: xtables-lock
- args:
- --log_file_max_size=100
- --log_file_max_num=4
command:
- start_ovs
image: projects.registry.vmware.com/antreainterworking/antrea-advanced-debian:v1.2.4_vmware.1
imagePullPolicy: IfNotPresent
livenessProbe:
exec:
command:
- /bin/sh
- -c
- timeout 10 container_liveness_probe ovs
failureThreshold: 5
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 10
name: antrea-ovs
resources:
requests:
cpu: 200m
securityContext:
capabilities:
add:
- SYS_NICE
- NET_ADMIN
- SYS_ADMIN
- IPC_LOCK
volumeMounts:
- mountPath: /var/run/openvswitch
name: host-var-run-antrea
subPath: openvswitch
- mountPath: /var/log/openvswitch
name: host-var-log-antrea
subPath: openvswitch
dnsPolicy: ClusterFirstWithHostNet
hostNetwork: true
initContainers:
- command:
- install_cni
image: projects.registry.vmware.com/antreainterworking/antrea-advanced-debian:v1.2.4_vmware.1
imagePullPolicy: IfNotPresent
name: install-cni
resources:
requests:
cpu: 100m
securityContext:
capabilities:
add:
- SYS_MODULE
volumeMounts:
- mountPath: /etc/antrea/antrea-cni.conflist
name: antrea-config
readOnly: true
subPath: antrea-cni.conflist
- mountPath: /host/etc/cni/net.d
name: host-cni-conf
- mountPath: /host/opt/cni/bin
name: host-cni-bin
- mountPath: /lib/modules
name: host-lib-modules
readOnly: true
- mountPath: /var/run/antrea
name: host-var-run-antrea
- args:
- --config
- /etc/antrea/antrea-agent-tweaker.conf
command:
- antrea-agent-tweaker
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
image: projects.registry.vmware.com/antreainterworking/antrea-advanced-debian:v1.2.4_vmware.1
name: antrea-agent-tweaker
resources:
requests:
cpu: 100m
securityContext:
capabilities:
add:
- NET_ADMIN
volumeMounts:
- mountPath: /etc/antrea/antrea-agent-tweaker.conf
name: antrea-agent-tweaker-config
subPath: antrea-agent-tweaker.conf
nodeSelector:
kubernetes.io/os: linux
priorityClassName: system-node-critical
serviceAccountName: antrea-agent
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoSchedule
operator: Exists
- effect: NoExecute
operator: Exists
volumes:
- configMap:
name: antrea-config-c48mcgtk29
name: antrea-config
- configMap:
name: antrea-agent-tweaker-g56hc6fh8t
name: antrea-agent-tweaker-config
- hostPath:
path: /etc/cni/net.d
name: host-cni-conf
- hostPath:
path: /opt/cni/bin
name: host-cni-bin
- hostPath:
path: /proc
name: host-proc
- hostPath:
path: /var/run/netns
name: host-var-run-netns
- hostPath:
path: /var/run/antrea
type: DirectoryOrCreate
name: host-var-run-antrea
- hostPath:
path: /var/log/antrea
type: DirectoryOrCreate
name: host-var-log-antrea
- hostPath:
path: /lib/modules
name: host-lib-modules
- hostPath:
path: /run/xtables.lock
type: FileOrCreate
name: xtables-lock
updateStrategy:
type: RollingUpdate
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
labels:
app: antrea
name: crdmutator.antrea.io
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: antrea
namespace: kube-system
path: /mutate/acnp
name: acnpmutator.antrea.io
rules:
- apiGroups:
- crd.antrea.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- clusternetworkpolicies
scope: Cluster
sideEffects: None
timeoutSeconds: 5
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: antrea
namespace: kube-system
path: /mutate/anp
name: anpmutator.antrea.io
rules:
- apiGroups:
- crd.antrea.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- networkpolicies
scope: Namespaced
sideEffects: None
timeoutSeconds: 5
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
labels:
app: antrea
name: crdmutator.antrea.tanzu.vmware.com
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: antrea
namespace: kube-system
path: /mutate/acnp
name: acnpmutator.antrea.tanzu.vmware.com
rules:
- apiGroups:
- security.antrea.tanzu.vmware.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- clusternetworkpolicies
scope: Cluster
sideEffects: None
timeoutSeconds: 5
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: antrea
namespace: kube-system
path: /mutate/anp
name: anpmutator.antrea.tanzu.vmware.com
rules:
- apiGroups:
- security.antrea.tanzu.vmware.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- networkpolicies
scope: Namespaced
sideEffects: None
timeoutSeconds: 5
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app: antrea
name: crdvalidator.antrea.io
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: antrea
namespace: kube-system
path: /validate/tier
name: tiervalidator.antrea.io
rules:
- apiGroups:
- crd.antrea.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
- DELETE
resources:
- tiers
scope: Cluster
sideEffects: None
timeoutSeconds: 5
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: antrea
namespace: kube-system
path: /validate/acnp
name: acnpvalidator.antrea.io
rules:
- apiGroups:
- crd.antrea.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
- DELETE
resources:
- clusternetworkpolicies
scope: Cluster
sideEffects: None
timeoutSeconds: 5
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: antrea
namespace: kube-system
path: /validate/anp
name: anpvalidator.antrea.io
rules:
- apiGroups:
- crd.antrea.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
- DELETE
resources:
- networkpolicies
scope: Namespaced
sideEffects: None
timeoutSeconds: 5
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: antrea
namespace: kube-system
path: /validate/clustergroup
name: clustergroupvalidator.antrea.io
rules:
- apiGroups:
- crd.antrea.io
apiVersions:
- v1alpha3
- v1alpha2
operations:
- CREATE
- UPDATE
resources:
- clustergroups
scope: Cluster
sideEffects: None
timeoutSeconds: 5
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: antrea
namespace: kube-system
path: /validate/externalippool
name: externalippoolvalidator.antrea.io
rules:
- apiGroups:
- crd.antrea.io
apiVersions:
- v1alpha2
operations:
- UPDATE
resources:
- externalippools
scope: Cluster
sideEffects: None
timeoutSeconds: 5
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: antrea
namespace: kube-system
path: /validate/egress
name: egressvalidator.antrea.io
rules:
- apiGroups:
- crd.antrea.io
apiVersions:
- v1alpha2
operations:
- CREATE
- UPDATE
resources:
- egresses
scope: Cluster
sideEffects: None
timeoutSeconds: 5
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app: antrea
name: crdvalidator.antrea.tanzu.vmware.com
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: antrea
namespace: kube-system
path: /validate/tier
name: tiervalidator.antrea.tanzu.vmware.com
rules:
- apiGroups:
- security.antrea.tanzu.vmware.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
- DELETE
resources:
- tiers
scope: Cluster
sideEffects: None
timeoutSeconds: 5
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: antrea
namespace: kube-system
path: /validate/acnp
name: acnpvalidator.antrea.tanzu.vmware.com
rules:
- apiGroups:
- security.antrea.tanzu.vmware.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- clusternetworkpolicies
scope: Cluster
sideEffects: None
timeoutSeconds: 5
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: antrea
namespace: kube-system
path: /validate/anp
name: anpvalidator.antrea.tanzu.vmware.com
rules:
- apiGroups:
- security.antrea.tanzu.vmware.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- networkpolicies
scope: Namespaced
sideEffects: None
timeoutSeconds: 5
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: antrea
namespace: kube-system
path: /validate/clustergroup
name: clustergroupvalidator.antrea.tanzu.vmware.com
rules:
- apiGroups:
- core.antrea.tanzu.vmware.com
apiVersions:
- v1alpha2
operations:
- CREATE
- UPDATE
- DELETE
resources:
- clustergroups
scope: Cluster
sideEffects: None
timeoutSeconds: 5
