Antrea is super easy to install. All the Antrea components are containerized and can be installed using the Kubernetes deployment manifest.
kubeadm to create the Kubernetes cluster, passing
--pod-network-cidr=<CIDR Range for Pods> to
kubeadm init will enable
NodeIpamController. Clusters created with kubeadm will always have
CNI plugins enabled. Refer to
Creating a cluster with kubeadm
for more information about setting up a Kubernetes cluster with
When the cluster is deployed by other means then:
kube-controller-manager should be started
with the following flags:
--cluster-cidr=<CIDR Range for Pods>
CNI network plugins,
kubelet should be started with the
To enable masquerading of traffic for Service cluster IP via iptables,
kube-proxy should be started with the
--cluster-cidr=<CIDR Range for Pods>
As for OVS, when using the built-in kernel module, kernel version >= 4.4 is required. On the other hand, when building it from OVS sources, OVS version >= 2.6.0 is required.
Red Hat Enterprise Linux and CentOS 7.x use kernel 3.10, but as changes to OVS kernel modules are regularly backported to these kernel versions, they should work with Antrea, starting with version 7.4.
In case a node does not have a supported OVS module installed, you can install it following the instructions at: Installing Open vSwitch.
Some experimental features disabled by default may have additional requirements, please refer to the Feature Gates documentation to determine whether it applies to you.
Antrea will work out-of-the-box on most popular Operating Systems. Known issues encountered when running Antrea on specific OSes are documented here.
To deploy a released version of Antrea, pick a deployment manifest from the
list of releases. For any
v0.1.0), you can deploy Antrea as follows:
kubectl apply -f https://github.com/vmware-tanzu/antrea/releases/download/<TAG>/antrea.yml
To deploy the latest version of Antrea (built from the master branch), use the
checked-in deployment yaml (
kubectl apply -f https://raw.githubusercontent.com/vmware-tanzu/antrea/master/build/yamls/antrea.yml
If you want to add Windows Nodes to your cluster, please refer to the installation instructions in windows.md.
Antrea supports some experimental features that can be enabled or disabled, please refer to the Feature Gates documentation for more information.
The instructions above only apply when deploying Antrea in a new cluster. If you need to migrate your existing cluster from another CNI plugin to Antrea, you will need to do the following:
hostNetwork: true). You may use
kubectl drainto drain each Node or reboot all your Nodes.
While this is in-progress, networking will be disrupted in your cluster. After deleting the previous CNI, existing Pods may not be reachable anymore.
For example, when migrating from Flannel to Antrea, you will need to do the following:
kubectl delete -f <path to your Flannel YAML manifest>.
ip link delete flannel.1 && ip link delete flannel cni0on each Node.
kubectl drain --ignore-daemonsets <node name> && kubectl uncordon <node name>. The
--ignore-daemonsetsflag will ignore DaemonSet-managed Pods, including the Antrea Agent Pods. If you have any other DaemonSet-managed Pods (besides the Antrea ones and system ones such as kube-proxy), they will be ignored and will not be drained from the Node. Refer to the Kubernetes documentation for more information. Alternatively, you can also restart all the Pods yourself, or simply reboot your Nodes.
To build the image locally, you can follow the instructions in the Contributor Guide.
Antrea components can also be run manually as processes for development purposes. See Manual Installation for information.
Antrea can be deployed in NetworkPolicy only mode to an EKS cluster or a GKE cluster, and enforce NetworkPolicies for the cluster.
By default, Antrea generates the certificates needed for itself to run. To provide your own certificates, please refer to Securing Control Plane.
To use antctl, the Antrea command-line tool, please refer to this guide.
Besides Kubernetes NetworkPolicy, Antrea also implements its own Network Policy CRDs, which provide advanced features including: policy priority, tiering, deny action, external entity, and policy statistics. For more information on usage of Antrea Network Policies, refer to the Antrea Network Policy document.
Antrea supports encrypting GRE tunnel traffic with IPsec. To deploy Antrea with IPsec encryption enabled, please refer to this guide.
Antrea supports exporting network flow information using IPFIX, and provides a reference cookbook on how to visualize the exported network flows using Elastic Stack and Kibana dashboards. For more information, refer to the network flow visibility document.
Antrea ships with an Octant UI plugin which can show runtime information of Antrea components and perform Antrea Traceflow operations. Refer to this guide to learn how to install Octant and the Antrea plugin.
Antrea can offload OVS flow processing to the NICs that support OVS kernel hardware offload using TC. The hardware offload can improve OVS performance significantly. For more information on how to configure OVS offload, refer to the OVS hardware offload guide.
Antrea supports exporting metrics to Prometheus. For more information, refer to the Prometheus integration document.
Traceflow is a very useful network diagnosis feature in Antrea. It can trace and report the forwarding path of a specified packet in the Antrea network. For usage of this feature, refer to the Traceflow user guide.