Manual Installation
Overview
There are four components which need to be deployed in order to run Antrea:
- The OpenVSwitch daemons `ovs-vswitchd` and `ovsdb-server`
- The controller `antrea-controller`
- The agent `antrea-agent`
- The CNI plugin `antrea-cni`
Instructions
Prior to bringing up the individual components, follow the common steps:
- Ensure Go v1.15 is installed
- Git clone your forked Antrea repository and `cd` into the `antrea` directory
  ```bash
  git clone https://github.com/$user/antrea
  cd antrea
  ```
- Build the binaries for all components under `bin` directory
  ```bash
  make bin
  ```
OpenVSwitch
Open vSwitch >= 2.8.0 userspace daemons `ovs-vswitchd` and `ovsdb-server` should run on all worker nodes. See Installing Open vSwitch for details.
antrea-controller
`antrea-controller` is required to implement Kubernetes Network Policies. At any time, there should be only a single active replica of `antrea-controller`.
- Grant the `antrea-controller` ServiceAccount necessary permissions to Kubernetes APIs. You can apply controller-rbac.yaml to do it.
  ```bash
  kubectl apply -f build/yamls/base/controller-rbac.yml
  ```
- Create the kubeconfig file that contains the K8s APIServer endpoint and the token of ServiceAccount created in the above step. See Configure Access to Multiple Clusters for more information.
  ```bash
  APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
  TOKEN=$(kubectl get secrets -n kube-system -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='antrea-controller')].data.token}"|base64 --decode)
  kubectl config --kubeconfig=antrea-controller.kubeconfig set-cluster kubernetes --server=$APISERVER --insecure-skip-tls-verify
  kubectl config --kubeconfig=antrea-controller.kubeconfig set-credentials antrea-controller --token=$TOKEN
  kubectl config --kubeconfig=antrea-controller.kubeconfig set-context antrea-controller@kubernetes --cluster=kubernetes --user=antrea-controller
  kubectl config --kubeconfig=antrea-controller.kubeconfig use-context antrea-controller@kubernetes
  ```
- Create the `antrea-controller` config file, see Configuration for details.
  ```bash
  cat >antrea-controller.conf <<EOF
  clientConnection:
    kubeconfig: antrea-controller.kubeconfig
  EOF
  ```
- Start `antrea-controller`.
  ```bash
  bin/antrea-controller --config antrea-controller.conf
  ```
antrea-agent
`antrea-agent` must run on all worker nodes.
- Grant the `antrea-agent` ServiceAccount necessary permissions to Kubernetes APIs. You can apply agent-rbac.yaml to do it.
  ```bash
  kubectl apply -f build/yamls/base/agent-rbac.yml
  ```
- Create the kubeconfig file that contains the K8s APIServer endpoint and the token of ServiceAccount created in the above step. See Configure Access to Multiple Clusters for more information.
  ```bash
  APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
  TOKEN=$(kubectl get secrets -n kube-system -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='antrea-agent')].data.token}"|base64 --decode)
  kubectl config --kubeconfig=antrea-agent.kubeconfig set-cluster kubernetes --server=$APISERVER --insecure-skip-tls-verify
  kubectl config --kubeconfig=antrea-agent.kubeconfig set-credentials antrea-agent --token=$TOKEN
  kubectl config --kubeconfig=antrea-agent.kubeconfig set-context antrea-agent@kubernetes --cluster=kubernetes --user=antrea-agent
  kubectl config --kubeconfig=antrea-agent.kubeconfig use-context antrea-agent@kubernetes
  ```
- Create the kubeconfig file that contains the `antrea-controller` APIServer endpoint and the token of ServiceAccount created in the above step.
  ```bash
  # Change it to the correct endpoint if you are running antrea-controller somewhere else.
  ANTREA_APISERVER=https://localhost
  TOKEN=$(kubectl get secrets -n kube-system -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='antrea-agent')].data.token}"|base64 --decode)
  kubectl config --kubeconfig=antrea-agent.antrea.kubeconfig set-cluster antrea --server=$ANTREA_APISERVER --insecure-skip-tls-verify
  kubectl config --kubeconfig=antrea-agent.antrea.kubeconfig set-credentials antrea-agent --token=$TOKEN
  kubectl config --kubeconfig=antrea-agent.antrea.kubeconfig set-context antrea-agent@antrea --cluster=antrea --user=antrea-agent
  kubectl config --kubeconfig=antrea-agent.antrea.kubeconfig use-context antrea-agent@antrea
  ```
- Create the `antrea-agent` config file, see Configuration for details.
  ```bash
  cat >antrea-agent.conf <<EOF
  clientConnection:
    kubeconfig: antrea-agent.kubeconfig
  antreaClientConnection:
    kubeconfig: antrea-agent.antrea.kubeconfig
  hostProcPathPrefix: "/"
  EOF
  ```
- Start `antrea-agent`.
  ```bash
  bin/antrea-agent --config antrea-agent.conf
  ```
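The kubeconfig steps for `antrea-controller` and `antrea-agent` above pass `--insecure-skip-tls-verify`, so each client presents its ServiceAccount token without verifying the server certificate. The script below is an added example, not part of the Antrea documentation: it audits a generated kubeconfig for that setting, a missing CA entry, and group/other access to the token-bearing file. The sample files, server address, CA data and token are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example (not Antrea project code): flag a kubeconfig that skips API
# server certificate verification or exposes its embedded bearer token.

# Prints one line per finding; returns 1 if anything was found, else 0.
audit_kubeconfig() {
  local f=$1 bad=0 perms
  if grep -Eq '^[[:space:]]*insecure-skip-tls-verify:[[:space:]]*true' "$f"; then
    echo "$f: insecure-skip-tls-verify is true, server certificate is not checked"
    bad=1
  fi
  if ! grep -Eq '^[[:space:]]*certificate-authority(-data)?:' "$f"; then
    echo "$f: no certificate-authority(-data) entry to verify the server against"
    bad=1
  fi
  # Characters 5-10 of the ls mode string are the group and other bits.
  perms=$(ls -ln -- "$f" | cut -c5-10)
  if grep -Eq '^[[:space:]]*token:' "$f" && [ "$perms" != "------" ]; then
    echo "$f: holds a bearer token but is accessible to group/other"
    bad=1
  fi
  return "$bad"
}

# Constructed sample input: only the stanzas the audit reads are included.
SAMPLES=$(mktemp -d)
WEAK=$SAMPLES/antrea-agent.kubeconfig         # shape left by --insecure-skip-tls-verify
HARDENED=$SAMPLES/antrea-agent.ca.kubeconfig  # shape left by --certificate-authority --embed-certs

write_sample() {  # $1 = path, $2 = cluster trust line
  cat >"$1" <<EOF
apiVersion: v1
kind: Config
clusters:
- cluster:
    $2
    server: https://192.0.2.10:6443
  name: kubernetes
users:
- name: antrea-agent
  user:
    token: PLACEHOLDER-TOKEN
EOF
}
write_sample "$WEAK" "insecure-skip-tls-verify: true"
chmod 644 "$WEAK"
write_sample "$HARDENED" "certificate-authority-data: PLACEHOLDER-BASE64-CA"
chmod 600 "$HARDENED"

audit_kubeconfig "$WEAK" || echo "=> use set-cluster --certificate-authority=<ca.crt> --embed-certs=true, then chmod 600"
audit_kubeconfig "$HARDENED" && echo "$HARDENED: ok"
```
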
antrea-cni
`antrea-cni` should be installed on all worker nodes.
- Create the CNI config file on all worker nodes.
  ```bash
  mkdir -p /etc/cni/net.d
  cat >/etc/cni/net.d/10-antrea.conflist <<EOF
  {
      "cniVersion":"0.3.0",
      "name": "antrea",
      "plugins": [
          {
              "type": "antrea",
              "ipam": {
                  "type": "host-local"
              }
          },
          {
              "type": "portmap",
              "capabilities": {"portMappings": true}
          },
          {
              "type": "bandwidth",
              "capabilities": {"bandwidth": true}
          }
      ]
  }
  EOF
  ```
- Install `antrea-cni` to `/opt/cni/bin/antrea`.
  ```bash
  cp bin/antrea-cni /opt/cni/bin/antrea
  ```