Documentation

Manual Installation

Overview

There are four components which need to be deployed in order to run Antrea:

  • The OpenVSwitch daemons ovs-vswitchd and ovsdb-server

  • The controller antrea-controller

  • The agent antrea-agent

  • The CNI plugin antrea-cni

Instructions

Prior to bringing up the individual components, follow the common steps:

  • Ensure Go v1.13 is installed

  • Git clone your forked Antrea repository and cd into the antrea directory git clone https://github.com/$user/antrea cd antrea

  • Build the binaries for all components under bin directory make bin

OpenVSwitch

Open vSwitch >= 2.8.0 userspace daemon ovs-vswitchd and ovsdb-server should run on all worker nodes. See Installing Open vSwitch for details.

antrea-controller

antrea-controller is required to implement Kubernetes Network Policies. At any time, there should be only a single active replica of antrea-controller.

  1. Grant the antrea-controller ServiceAccount necessary permissions to Kubernetes APIs. You can apply controller-rbac.yaml to do it. shell script kubectl apply -f build/yamls/base/controller-rbac.yml
  1. Create the kubeconfig file that contains the K8s APIServer endpoint and the token of ServiceAccount created in the above step. See Configure Access to Multiple Clusters for more information. shell script APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}') TOKEN=$(kubectl get secrets -n kube-system -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='antrea-controller')].data.token}"|base64 --decode) kubectl config --kubeconfig=antrea-controller.kubeconfig set-cluster kubernetes --server=$APISERVER --insecure-skip-tls-verify kubectl config --kubeconfig=antrea-controller.kubeconfig set-credentials antrea-controller --token=$TOKEN kubectl config --kubeconfig=antrea-controller.kubeconfig set-context antrea-controller@kubernetes --cluster=kubernetes --user=antrea-controller kubectl config --kubeconfig=antrea-controller.kubeconfig use-context antrea-controller@kubernetes
  1. Create the antrea-controller config file, see Configuration for details. shell script cat >antrea-controller.conf <<EOF clientConnection: kubeconfig: antrea-controller.kubeconfig EOF
  1. Start antrea-controller. shell script bin/antrea-controller --config antrea-controller.conf

antrea-agent

antrea-agent must run all worker nodes.

  1. Grant the antrea-agent ServiceAccount necessary permissions to Kubernetes APIs. You can apply agent-rbac.yaml to do it. shell script kubectl apply -f build/yamls/base/agent-rbac.yml
  1. Create the kubeconfig file that contains the K8s APIServer endpoint and the token of ServiceAccount created in the above step. See Configure Access to Multiple Clusters for more information. shell script APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}') TOKEN=$(kubectl get secrets -n kube-system -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='antrea-agent')].data.token}"|base64 --decode) kubectl config --kubeconfig=antrea-agent.kubeconfig set-cluster kubernetes --server=$APISERVER --insecure-skip-tls-verify kubectl config --kubeconfig=antrea-agent.kubeconfig set-credentials antrea-agent --token=$TOKEN kubectl config --kubeconfig=antrea-agent.kubeconfig set-context antrea-agent@kubernetes --cluster=kubernetes --user=antrea-agent kubectl config --kubeconfig=antrea-agent.kubeconfig use-context antrea-agent@kubernetes
  1. Create the kubeconfig file that contains the antrea-controller APIServer endpoint and the token of ServiceAccount created in the above step. shell script # Change it to the correct endpoint if you are running antrea-controller somewhere else. ANTREA_APISERVER=https://localhost TOKEN=$(kubectl get secrets -n kube-system -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='antrea-agent')].data.token}"|base64 --decode) kubectl config --kubeconfig=antrea-agent.antrea.kubeconfig set-cluster antrea --server=$ANTREA_APISERVER --insecure-skip-tls-verify kubectl config --kubeconfig=antrea-agent.antrea.kubeconfig set-credentials antrea-agent --token=$TOKEN kubectl config --kubeconfig=antrea-agent.antrea.kubeconfig set-context antrea-agent@antrea --cluster=antrea --user=antrea-agent kubectl config --kubeconfig=antrea-agent.antrea.kubeconfig use-context antrea-agent@antrea
  1. Create the antrea-agent config file, see Configuration for details. shell script cat >antrea-agent.conf <<EOF clientConnection: kubeconfig: antrea-agent.kubeconfig antreaClientConnection: kubeconfig: antrea-agent.antrea.kubeconfig hostProcPathPrefix: "/" EOF
  1. Start antrea-agent. shell script bin/antrea-agent --config antrea-agent.conf

antrea-cni

antrea-cni should be installed on all worker nodes.

  1. Create the cni config file on all worker nodes. ```shell script mkdir -p /etc/cni/net.d

cat >/etc/cni/net.d/10-antrea.conflist <<EOF { "cniVersion":"0.3.0", "name": "antrea", "plugins": [ { "type": "antrea", "ipam": { "type": "host-local" } }, { "type": "portmap", "capabilities": {"portMappings": true} } ] } EOF ```

  1. Install antrea-cni to /opt/cni/bin/antrea. shell script cp bin/antrea-cni /opt/cni/bin/antrea
Getting Started

To help you get started, see the documentation.