feat: Antrea plugin support in AKS Engine (#2407)

* Antrea plugin support in AKS Engine

* chore: clean up

* chore: use ContainerImage

* chore: generated code

* refactor: Updating antrea yaml to 0.2.0

Co-authored-by: Jack Francis <jackfrancis@gmail.com>
Rahul Jain 2019-12-20 10:03:40 -08:00 committed by Azure Kubernetes Service Bot
Parent 362756c4b8
Commit 02e3076a68
49 changed files: 1666 additions and 4298 deletions


@ -645,6 +645,11 @@ func TestExampleAPIModels(t *testing.T) {
apiModelPath: "../examples/networkpolicy/kubernetes-cilium.json",
setArgs: defaultSet,
},
{
name: "antrea network policy",
apiModelPath: "../examples/networkpolicy/kubernetes-antrea.json",
setArgs: defaultSet,
},
{
name: "istio",
apiModelPath: "../examples/service-mesh/istio.json",


@ -61,8 +61,8 @@ $ aks-engine get-versions
| kubeletConfig | no | Configure various runtime configuration for kubelet. See `kubeletConfig` [below](#feat-kubelet-config) |
| kubernetesImageBase | no | Specifies the default image base URL (everything preceding the actual image filename) to be used for all kubernetes-related containers such as hyperkube, cloud-controller-manager, pause, addon-manager, heapster, exechealthz etc. e.g., `k8s.gcr.io/` |
| loadBalancerSku | no | Sku of Load Balancer and Public IP. Candidate values are: `basic` and `standard`. If not set, it will be default to basic. Requires Kubernetes 1.11 or newer. NOTE: VMs behind standard SKU load balancer will not be able to access the internet without an outbound rule configured with at least one frontend IP. We have created a loadbalancer with an outbound rule and with agent nodes added to the backend pool, as described in the [Outbound NAT for internal Standard Load Balancer scenarios doc](https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-rules-overview#outbound-nat-for-internal-standard-load-balancer-scenarios) |
| networkPlugin | no | Specifies the network plugin implementation for the cluster. Valid values are:<br>`"azure"` (default), which provides an Azure native networking experience <br>`"kubenet"` for k8s software networking implementation. <br> `"flannel"` for using CoreOS Flannel <br> `"cilium"` for using the default Cilium CNI IPAM (requires the `"cilium"` networkPolicy as well) |
| networkPolicy | no | Specifies the network policy enforcement tool for the cluster (currently Linux-only). Valid values are:<br>`"calico"` for Calico network policy.<br>`"cilium"` for cilium network policy (uses the `"cilium"` networkPlugin exclusively), and `"azure"` (experimental) for Azure CNI-compliant network policy (note: Azure CNI-compliant network policy requires explicit `"networkPlugin": "azure"` configuration as well).<br>See [network policy examples](../../examples/networkpolicy) for more information. |
| networkPlugin | no | Specifies the network plugin implementation for the cluster. Valid values are:<br>`"azure"` (default), which provides an Azure native networking experience <br>`"kubenet"` for k8s software networking implementation. <br> `"flannel"` for using CoreOS Flannel <br> `"cilium"` for using the default Cilium CNI IPAM (requires the `"cilium"` networkPolicy as well)<br> `"antrea"` for using the Antrea network plugin (requires the `"antrea"` networkPolicy as well) |
| networkPolicy | no | Specifies the network policy enforcement tool for the cluster (currently Linux-only). Valid values are:<br>`"calico"` for Calico network policy.<br>`"cilium"` for cilium network policy (uses the `"cilium"` networkPlugin exclusively).<br> `"antrea"` for Antrea network policy (uses the `"antrea"` networkPlugin exclusively).<br> `"azure"` (experimental) for Azure CNI-compliant network policy (note: Azure CNI-compliant network policy requires explicit `"networkPlugin": "azure"` configuration as well).<br>See [network policy examples](../../examples/networkpolicy) for more information. |
| privateCluster | no | Build a cluster without public addresses assigned. See `privateClusters` [below](#feat-private-cluster). |
| schedulerConfig | no | Configure various runtime configuration for scheduler. See `schedulerConfig` [below](#feat-scheduler-config) |
| serviceCidr | no | IP range for Service IPs, Default is "10.0.0.0/16". This range is never routed outside of a node so does not need to lie within clusterSubnet or the VNET |


@ -5,6 +5,7 @@
|Managed Disks|Beta|`vlabs`|[kubernetes-vmas.json](../../examples/disks-managed/kubernetes-vmas.json)|[Description](#feat-managed-disks)|
|Calico Network Policy|Alpha|`vlabs`|[kubernetes-calico.json](../../examples/networkpolicy/kubernetes-calico-azure.json)|[Description](#feat-calico)|
|Cilium Network Policy|Alpha|`vlabs`|[kubernetes-cilium.json](../../examples/networkpolicy/kubernetes-cilium.json)|[Description](#feat-cilium)|
|Antrea Network Policy|Alpha|`vlabs`|[kubernetes-antrea.json](../../examples/networkpolicy/kubernetes-antrea.json)|[Description](#feat-antrea)|
|Custom VNET|Beta|`vlabs`|[kubernetesvnet-azure-cni.json](../../examples/vnet/kubernetesvnet-azure-cni.json)|[Description](#feat-custom-vnet)|
|Kata Containers Runtime|Alpha|`vlabs`|[kubernetes-kata-containers.json](../../examples/kubernetes-kata-containers.json)|[Description](#feat-kata-containers)|
|Private Cluster|Alpha|`vlabs`|[kubernetes-private-cluster.json](../../examples/kubernetes-config/kubernetes-private-cluster.json)|[Description](#feat-private-cluster)|
@ -224,6 +225,39 @@ you can define stricter policies. Good resources to get information about that a
- [NetworkPolicy Example Walkthrough](https://kubernetes.io/docs/getting-started-guides/network-policy/walkthrough/)
- [Cilium Kubernetes](https://github.com/Azure/aks-engine/blob/master/examples/networkpolicy)
<a name="feat-antrea"></a>
## Network Policy Enforcement with Antrea
Using the default configuration, Kubernetes allows communication between all
Pods within a cluster. To ensure that Pods can only be accessed by authorized
Pods, a policy enforcement is needed. To enable policy enforcement using Antrea refer to the
[cluster definitions](clusterdefinitions.md#kubernetesconfig)
document under networkPolicy. There is also a reference cluster definition available
[here](https://github.com/Azure/aks-engine/blob/master/examples/networkpolicy/kubernetes-antrea.json).
This will deploy single replica of Antrea controller and Antrea agent to every
instance of the cluster using a Kubernetes DaemonSet. After a successful deployment
you should be able to see these Pods running in your cluster:
```console
kubectl get pods --namespace kube-system -l app=antrea -o wide
NAME READY STATUS RESTARTS AGE IP NODE
antrea-agent-67t9z 2/2 Running 1 7m38s 10.240.0.5 k8s-agentpool1-14956401-vmss000001
antrea-agent-87nm2 2/2 Running 0 11m 10.240.0.4 k8s-agentpool1-14956401-vmss000000
antrea-agent-fhbsg 2/2 Running 0 11m 10.240.0.6 k8s-agentpool1-14956401-vmss000002
antrea-agent-jjhxt 2/2 Running 0 11m 10.240.255.5 k8s-master-14956401-0
antrea-controller-685c8c6f64-zk4jh 1/1 Running 0 11m 10.240.0.4 k8s-agentpool1-14956401-vmss000000
```
Per default Antrea still allows all communication within the cluster. Using Kubernetes' NetworkPolicy API,
you can define stricter policies. Good resources to get information about that are:
- [Antrea Architecture Docs](https://github.com/vmware-tanzu/antrea/blob/master/docs/architecture.md)
- [NetworkPolicy User Guide](https://kubernetes.io/docs/user-guide/networkpolicies/)
- [NetworkPolicy Example Walkthrough](https://kubernetes.io/docs/getting-started-guides/network-policy/walkthrough/)
- [Antrea Kubernetes](https://github.com/Azure/aks-engine/blob/master/examples/networkpolicy)
<a name="feat-custom-vnet"></a>
## Custom VNET
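Review bot: the sentence "This will deploy single replica of Antrea controller and Antrea agent to every instance of the cluster using a Kubernetes DaemonSet" conflates the two workloads; in the addon manifest added by this PR the controller is a one-replica Deployment and only the agent is a DaemonSet, so rephrase along the lines of "a single-replica antrea-controller Deployment plus an antrea-agent DaemonSet on every node". Smaller points in the same section: "Per default" should be "By default"; the sample `kubectl get pods` output shows one agent with RESTARTS 1, which invites questions in a getting-started doc; the "Antrea Kubernetes" link points at the generic aks-engine networkpolicy examples directory rather than anything Antrea-specific; and the two kubernetes.io links (`/docs/user-guide/networkpolicies/` and `/docs/getting-started-guides/network-policy/walkthrough/`) are legacy paths copied from the Cilium section, the current NetworkPolicy page being https://kubernetes.io/docs/concepts/services-networking/network-policies/. Finally, the agent runs privileged on hostNetwork and its install-cni init container loads kernel modules (SYS_MODULE, /lib/modules), which a user enabling this "to ensure that Pods can only be accessed by authorized Pods" should be told here.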


@ -141,6 +141,7 @@ aks-engine generate --set agentPoolProfiles[0].count=5,agentPoolProfiles[1].name
* To enable the optional network policy enforcement using calico, you have to set the parameter during this step according to this [guide](../topics/features.md#optional-enable-network-policy-enforcement-using-calico)
* To enable the optional network policy enforcement using cilium, you have to set the parameter during this step according to this [guide](../topics/features.md#optional-enable-network-policy-enforcement-using-cilium)
* To enable the optional network policy enforcement using antrea, you have to set the parameter during this step according to this [guide](../topics/features.md#optional-enable-network-policy-enforcement-using-antrea)
**Note**: If the cluster is using an existing VNET please see the [Custom VNET](custom-vnet.md) feature documentation for additional steps that must be completed after cluster provisioning.
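Review bot: the anchor `features.md#optional-enable-network-policy-enforcement-using-antrea` does not match the heading this PR adds to features.md, "## Network Policy Enforcement with Antrea", whose explicit anchor is `<a name="feat-antrea"></a>`; link to `../topics/features.md#feat-antrea` instead. The calico and cilium bullets directly above use the same anchor pattern while the feature table in features.md links `#feat-calico` and `#feat-cilium`, so they can be fixed in the same pass.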


@ -228,6 +228,7 @@ aks-engine generate --set agentPoolProfiles[0].count=5,agentPoolProfiles[1].name
* To enable the optional network policy enforcement using calico, you have to set the parameter during this step according to this [guide](../topics/features.md#optional-enable-network-policy-enforcement-using-calico)
* To enable the optional network policy enforcement using cilium, you have to set the parameter during this step according to this [guide](../topics/features.md#optional-enable-network-policy-enforcement-using-cilium)
* To enable the optional network policy enforcement using antrea, you have to set the parameter during this step according to this [guide](../topics/features.md#optional-enable-network-policy-enforcement-using-antrea)
Now we can deploy the files `azuredeploy.json` and `azuredeploy.parameters.json` using either the Azure CLI or PowerShell.
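Review bot: same anchor problem as the other quickstart: `#optional-enable-network-policy-enforcement-using-antrea` is not the slug of the "## Network Policy Enforcement with Antrea" heading added in features.md, which defines `<a name="feat-antrea"></a>`; use `../topics/features.md#feat-antrea`. Consider adding a docs link check to CI so these three bullets stop drifting from the headings they point to.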


@ -2,7 +2,10 @@
"apiVersion": "vlabs",
"properties": {
"orchestratorProfile": {
"orchestratorType": "Kubernetes"
"orchestratorType": "Kubernetes",
"kubernetesConfig": {
"networkPolicy": "antrea"
}
},
"masterProfile": {
"count": 1,


@ -1,11 +1,12 @@
# AKS Engine - Network Plugin
There are 2 different Network Plugin options :
There are 5 different Network Plugin options :
- Azure Container Networking (default)
- Kubenet
- Flannel (docs are //TODO)
- Cilium (docs are //TODO)
- Cilium (CNI IPAM implementation that pairs w/ cilium NetworkPolicy addon; only works w/ `"networkPolicy": "cilium"`)
- Antrea (CNI IPAM implementation that pairs w/ antrea NetworkPolicy addon; only works w/ `"networkPolicy": "antrea"`)
## Azure Container Networking (default)
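Review bot: describing Antrea as a "CNI IPAM implementation" is inaccurate: the `antrea-cni.conf` in this PR's addon manifest delegates IPAM to the `host-local` plugin (`"ipam": {"type": "host-local"}`), and what Antrea itself supplies is the OVS-based datapath, node-to-node tunnelling and NetworkPolicy enforcement. Suggest: "Antrea (OVS-based CNI that pairs w/ the antrea NetworkPolicy addon; IPAM is host-local; only works w/ `"networkPolicy": "antrea"`)". The Cilium line above has the same wording and could be corrected at the same time.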


@ -1,9 +1,10 @@
# AKS Engine - Network Policy
There are 2 different Network Policy options :
There are 3 different Network Policy options :
- Calico
- Cilium
- Antrea
## Calico
@ -97,3 +98,20 @@ The kubernetes-cilium deployment template enables Cilium networking and policies
Once the template has been successfully deployed, following the [deploy the demo application](http://cilium.readthedocs.io/en/latest/gettingstarted/minikube/#step-2-deploy-the-demo-application) tutorial will provide a good foundation for how to do L3/4 policy as well as more advanced Layer 7 inspection and routing. If you have [Istio](https://istio.io) you can try this [tutorial](http://cilium.readthedocs.io/en/latest/gettingstarted/istio/) where cilium is used to side by side with Istio to enforce security policies in a Kubernetes deployment.
For the latest documentation on Cilium (including BPF and XDP reference guides), please refer to [this](http://cilium.readthedocs.io/en/latest/)
## Antrea
The kubernetes-antrea deployment template enables Antrea networking and policies for the AKS Engine cluster via `"networkPolicy": "antrea"` or `"networkPlugin": "antrea"` being present inside the `kubernetesConfig`.
```json
"properties": {
"orchestratorProfile": {
"orchestratorType": "Kubernetes",
"kubernetesConfig": {
"networkPolicy": "antrea"
}
```
### Post installation
For the latest documentation on Antrea, please refer to [this](https://github.com/vmware-tanzu/antrea).
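Review bot: the JSON fragment is unbalanced (it opens `"properties"` and `"orchestratorProfile"` but closes only `kubernetesConfig`), and the "### Post installation" heading has no content beyond a link to the upstream repository; either add the verification step from features.md (`kubectl get pods --namespace kube-system -l app=antrea -o wide` and what READY/STATUS to expect) or drop the heading. The intro also says either `"networkPolicy": "antrea"` or `"networkPlugin": "antrea"` enables the feature, whereas the networkplugin doc in the same PR says the plugin "only works w/ `"networkPolicy": "antrea"`"; recommend one setting (networkPolicy, which setOrchestratorDefaults maps onto the plugin) and state it consistently in both docs.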


@ -0,0 +1,39 @@
{
"apiVersion": "vlabs",
"properties": {
"orchestratorProfile": {
"orchestratorType": "Kubernetes",
"orchestratorRelease": "1.13",
"kubernetesConfig": {
"networkPolicy": "antrea"
}
},
"masterProfile": {
"count": 1,
"dnsPrefix": "",
"vmSize": "Standard_D2_v3"
},
"agentPoolProfiles": [
{
"name": "agentpool1",
"count": 3,
"vmSize": "Standard_D2_v3",
"availabilityProfile": "AvailabilitySet"
}
],
"linuxProfile": {
"adminUsername": "azureuser",
"ssh": {
"publicKeys": [
{
"keyData": ""
}
]
}
},
"servicePrincipalProfile": {
"clientId": "",
"secret": ""
}
}
}
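Review bot: the example pins `"orchestratorRelease": "1.13"` while the unit test added for the addon uses 1.15.4, and Kubernetes 1.13 had already left upstream support by the date of this commit; drop the pin so the aks-engine default is used, or choose a supported release. Also `"availabilityProfile": "AvailabilitySet"` disagrees with the sample output in features.md, whose node names (`k8s-agentpool1-14956401-vmss000001`) come from a VirtualMachineScaleSets pool; either is valid, but the example and the documented output should match. The empty `dnsPrefix`, `keyData`, `clientId` and `secret` follow the other examples and are fine.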


@ -312,6 +312,11 @@ ensureKubelet() {
sleep 3
done
{{end}}
{{if HasAntreaNetworkPolicy}}
while [ ! -f /etc/cni/net.d/10-antrea.conf ]; do
sleep 3
done
{{end}}
}
ensureLabelNodes() {
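Review bot: the wait loop `while [ ! -f /etc/cni/net.d/10-antrea.conf ]; do sleep 3; done` has no upper bound, so if the install-cni init container never writes the file (image pull failure, DaemonSet not scheduled, or the file name changing in a later Antrea release) node provisioning hangs indefinitely with no diagnostic. Use a bounded retry that exits with a distinct error after N attempts, and keep the expected file name next to the pinned Antrea image version, since both are dictated by the upstream release.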


@ -0,0 +1,502 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
addonmanager.kubernetes.io/mode: "Reconcile"
name: antreaagentinfos.clusterinformation.crd.antrea.io
spec:
group: clusterinformation.crd.antrea.io
names:
kind: AntreaAgentInfo
plural: antreaagentinfos
shortNames:
- aai
singular: antreaagentinfo
scope: Cluster
versions:
- name: v1beta1
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
addonmanager.kubernetes.io/mode: "Reconcile"
name: antreacontrollerinfos.clusterinformation.crd.antrea.io
spec:
group: clusterinformation.crd.antrea.io
names:
kind: AntreaControllerInfo
plural: antreacontrollerinfos
shortNames:
- aci
singular: antreacontrollerinfo
scope: Cluster
versions:
- name: v1beta1
served: true
storage: true
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: antrea
addonmanager.kubernetes.io/mode: "Reconcile"
name: antrea-agent
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: antrea
addonmanager.kubernetes.io/mode: "Reconcile"
name: antrea-controller
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: antrea
addonmanager.kubernetes.io/mode: "Reconcile"
name: antrea-agent
rules:
- apiGroups:
- ""
resources:
- nodes
- pods
verbs:
- get
- watch
- list
- apiGroups:
- clusterinformation.crd.antrea.io
resources:
- antreaagentinfos
verbs:
- get
- create
- update
- delete
- apiGroups:
- networkpolicy.antrea.io
resources:
- networkpolicies
- appliedtogroups
- addressgroups
verbs:
- get
- watch
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: antrea
addonmanager.kubernetes.io/mode: "Reconcile"
name: antrea-controller
rules:
- apiGroups:
- ""
resources:
- nodes
- pods
- namespaces
verbs:
- get
- watch
- list
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- get
- watch
- list
- apiGroups:
- clusterinformation.crd.antrea.io
resources:
- antreacontrollerinfos
verbs:
- get
- create
- update
- delete
- apiGroups:
- clusterinformation.crd.antrea.io
resources:
- antreaagentinfos
verbs:
- list
- delete
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app: antrea
addonmanager.kubernetes.io/mode: "Reconcile"
name: antrea-controller-authentication-reader
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: antrea-controller
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
labels:
app: antrea
addonmanager.kubernetes.io/mode: "Reconcile"
name: antrea-agent
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: antrea-agent
subjects:
- kind: ServiceAccount
name: antrea-agent
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
labels:
app: antrea
addonmanager.kubernetes.io/mode: "Reconcile"
name: antrea-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: antrea-controller
subjects:
- kind: ServiceAccount
name: antrea-controller
namespace: kube-system
---
apiVersion: v1
data:
antrea-agent.conf: |
# Name of the OpenVSwitch bridge antrea-agent will create and use.
# Make sure it doesn't conflict with your existing OpenVSwitch bridges.
#ovsBridge: br-int
# Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are:
# - system
# - netdev
# 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run
# OVS in userspace mode. Userspace mode requires the tun device driver to be available.
#ovsDatapathType: system
# Name of the interface antrea-agent will create and use for host <--> pod communication.
# Make sure it doesn't conflict with your existing interfaces.
#hostGateway: gw0
# Encapsulation mode for communication between Pods across Nodes, supported values:
# - vxlan (default)
# - geneve
# - gre
# - stt
#tunnelType: vxlan
# Default MTU to use for the host gateway interface and the network interface of each Pod. If
# omitted, antrea-agent will default this value to 1450 to accomodate for tunnel encapsulate
# overhead.
#defaultMTU: 1450
# CIDR Range for services in cluster. It's required to support egress network policy, should
# be set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver.
serviceCIDR: {{ContainerConfig "serviceCidr"}}
antrea-cni.conf: |
{
"cniVersion":"0.3.0",
"name": "antrea",
"type": "antrea",
"ipam": {
"type": "host-local"
}
}
antrea-controller.conf: ""
kind: ConfigMap
metadata:
annotations: {}
labels:
app: antrea
addonmanager.kubernetes.io/mode: "EnsureExists"
name: antrea-config-48gttf992h
namespace: kube-system
---
apiVersion: v1
kind: Service
metadata:
labels:
app: antrea
addonmanager.kubernetes.io/mode: "Reconcile"
name: antrea
namespace: kube-system
spec:
ports:
- port: 443
protocol: TCP
targetPort: 443
selector:
app: antrea
component: antrea-controller
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: antrea
component: antrea-controller
addonmanager.kubernetes.io/mode: "Reconcile"
name: antrea-controller
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
app: antrea
component: antrea-controller
strategy:
type: Recreate
template:
metadata:
labels:
app: antrea
component: antrea-controller
spec:
containers:
- args:
- --config
- /etc/antrea/antrea-controller.conf
command:
- antrea-controller
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
image: {{ContainerImage "antrea-controller"}}
name: antrea-controller
ports:
- containerPort: 443
protocol: TCP
volumeMounts:
- mountPath: /etc/antrea/antrea-controller.conf
name: antrea-config
readOnly: true
subPath: antrea-controller.conf
hostNetwork: true
nodeSelector:
beta.kubernetes.io/os: linux
priorityClassName: system-cluster-critical
serviceAccountName: antrea-controller
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-48gttf992h
name: antrea-config
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
app: antrea
component: antrea-agent
addonmanager.kubernetes.io/mode: "Reconcile"
name: antrea-agent
namespace: kube-system
spec:
selector:
matchLabels:
app: antrea
component: antrea-agent
template:
metadata:
labels:
app: antrea
component: antrea-agent
spec:
containers:
- args:
- --config
- /etc/antrea/antrea-agent.conf
command:
- antrea-agent
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
image: {{ContainerImage "antrea-agent"}}
livenessProbe:
exec:
command:
- /bin/sh
- -c
- container_liveness_probe agent
failureThreshold: 5
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
name: antrea-agent
securityContext:
privileged: true
volumeMounts:
- mountPath: /etc/antrea/antrea-agent.conf
name: antrea-config
readOnly: true
subPath: antrea-agent.conf
- mountPath: /var/run/antrea
name: host-var-run-antrea
- mountPath: /var/run/openvswitch
name: host-var-run-antrea
subPath: openvswitch
- mountPath: /var/lib/cni
name: host-var-run-antrea
subPath: cni
- mountPath: /host/proc
name: host-proc
readOnly: true
- mountPath: /host/var/run/netns
mountPropagation: HostToContainer
name: host-var-run-netns
readOnly: true
- command:
- start_ovs
image: {{ContainerImage "antrea-ovs"}}
livenessProbe:
exec:
command:
- /bin/sh
- -c
- timeout 5 container_liveness_probe ovs
initialDelaySeconds: 5
periodSeconds: 5
name: antrea-ovs
securityContext:
capabilities:
add:
- SYS_NICE
- NET_ADMIN
- SYS_ADMIN
- IPC_LOCK
volumeMounts:
- mountPath: /var/run/openvswitch
name: host-var-run-antrea
subPath: openvswitch
- mountPath: /var/log/openvswitch
name: host-var-log-antrea
subPath: openvswitch
hostNetwork: true
initContainers:
- command:
- install_cni
image: {{ContainerImage "install-cni"}}
name: install-cni
securityContext:
capabilities:
add:
- SYS_MODULE
volumeMounts:
- mountPath: /etc/antrea/antrea-cni.conf
name: antrea-config
readOnly: true
subPath: antrea-cni.conf
- mountPath: /host/etc/cni/net.d
name: host-cni-conf
- mountPath: /host/opt/cni/bin
name: host-cni-bin
- mountPath: /lib/modules
name: host-lib-modules
readOnly: true
- mountPath: /sbin/depmod
name: host-depmod
readOnly: true
nodeSelector:
beta.kubernetes.io/os: linux
priorityClassName: system-node-critical
serviceAccountName: antrea-agent
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoSchedule
operator: Exists
volumes:
- configMap:
name: antrea-config-48gttf992h
name: antrea-config
- hostPath:
path: /etc/cni/net.d
name: host-cni-conf
- hostPath:
path: /opt/cni/bin
name: host-cni-bin
- hostPath:
path: /proc
name: host-proc
- hostPath:
path: /var/run/netns
name: host-var-run-netns
- hostPath:
path: /var/run/antrea
type: DirectoryOrCreate
name: host-var-run-antrea
- hostPath:
path: /var/log/antrea
type: DirectoryOrCreate
name: host-var-log-antrea
- hostPath:
path: /lib/modules
name: host-lib-modules
- hostPath:
path: /sbin/depmod
name: host-depmod
updateStrategy:
type: RollingUpdate
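Review bot: two RBAC points first: the ClusterRoleBindings use `rbac.authorization.k8s.io/v1beta1` while the ClusterRoles and the RoleBinding in the same file use `v1`; use `v1` throughout, since v1beta1 RBAC is deprecated upstream. Second, the antrea-agent container is `privileged: true` on hostNetwork with `/proc` and `/var/run/netns` mounted from the host, and the install-cni init container adds `SYS_MODULE` with `/lib/modules` and `/sbin/depmod` mounted, yet nothing here grants the `antrea-agent` ServiceAccount a PodSecurityPolicy; aks-engine ships a pod-security-policy addon in the same defaults list (`defaultPodSecurityPolicyAddonsConfig`), so with it enabled the DaemonSet will be rejected at admission. Either ship a PSP and binding for the agent alongside this manifest or document the incompatibility. Smaller points: the ConfigMap name `antrea-config-48gttf992h` carries a kustomize content hash that means nothing once the file is templated here and is referenced twice below, so rename it to a stable `antrea-config`; the agent ClusterRole grants `delete` on all `antreaagentinfos` cluster-wide, so any node can remove another node's status object (RBAC cannot scope this per node without `resourceNames`, but it is worth a comment); the controller runs hostNetwork with `containerPort: 443`, so it claims host port 443 on whichever node it lands on, including masters via the toleration, which should be checked against other host-network listeners; and the `defaultMTU` comment carries upstream typos ("accomodate", "tunnel encapsulate overhead").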


@ -271,27 +271,29 @@
"networkPolicy": {
"defaultValue": "{{.OrchestratorProfile.KubernetesConfig.NetworkPolicy}}",
"metadata": {
"description": "The network policy enforcement to use (calico|cilium); 'none' and 'azure' here for backwards compatibility"
"description": "The network policy enforcement to use (calico|cilium|antrea); 'none' and 'azure' here for backwards compatibility"
},
"allowedValues": [
"",
"none",
"azure",
"calico",
"cilium"
"cilium",
"antrea"
],
"type": "string"
},
"networkPlugin": {
"defaultValue": "{{.OrchestratorProfile.KubernetesConfig.NetworkPlugin}}",
"metadata": {
"description": "The network plugin to use for Kubernetes (kubenet|azure|flannel|cilium)"
"description": "The network plugin to use for Kubernetes (kubenet|azure|flannel|cilium|antrea)"
},
"allowedValues": [
"kubenet",
"azure",
"flannel",
"cilium"
"cilium",
"antrea"
],
"type": "string"
},


@ -279,8 +279,10 @@ func (cs *ContainerService) setAddonsConfig(isUpgrade bool) {
}
defaultIPMasqAgentAddonsConfig := KubernetesAddon{
Name: common.IPMASQAgentAddonName,
Enabled: to.BoolPtr(DefaultIPMasqAgentAddonEnabled && o.KubernetesConfig.NetworkPlugin != NetworkPluginCilium),
Name: common.IPMASQAgentAddonName,
Enabled: to.BoolPtr(DefaultIPMasqAgentAddonEnabled &&
(o.KubernetesConfig.NetworkPlugin != NetworkPluginCilium &&
o.KubernetesConfig.NetworkPlugin != NetworkPluginAntrea)),
Containers: []KubernetesContainerSpec{
{
Name: common.IPMASQAgentAddonName,
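Review bot: the inline boolean now encodes "plugins that handle their own masquerading" with no explanation, and the next CNI will make it a three-way `&&`; move it to a predicate on KubernetesConfig (a hypothetical helper such as `NetworkPluginHandlesSNAT()` returning true for Cilium and Antrea) and give it a comment stating why ip-masq-agent is skipped, presumably because the Antrea agent installs its own SNAT rule for Pod egress. Also confirm the addon-disabled expectation is covered in the ip-masq-agent test cases for the antrea plugin, since the test added below sets `NetworkPluginAzure`.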
@ -398,6 +400,32 @@ func (cs *ContainerService) setAddonsConfig(isUpgrade bool) {
},
}
defaultsAntreaDaemonSetAddonsConfig := KubernetesAddon{
Name: common.AntreaAddonName,
Enabled: to.BoolPtr(o.KubernetesConfig.NetworkPlugin == NetworkPluginAntrea),
Config: map[string]string{
"serviceCidr": o.KubernetesConfig.ServiceCIDR,
},
Containers: []KubernetesContainerSpec{
{
Name: common.AntreaControllerContainerName,
Image: k8sComponents[common.AntreaControllerContainerName],
},
{
Name: common.AntreaAgentContainerName,
Image: k8sComponents[common.AntreaAgentContainerName],
},
{
Name: common.AntreaOVSContainerName,
Image: k8sComponents[common.AntreaOVSContainerName],
},
{
Name: common.AntreaInstallCNIContainerName,
Image: k8sComponents[common.AntreaInstallCNIContainerName],
},
},
}
defaultsAADPodIdentityAddonsConfig := KubernetesAddon{
Name: common.AADPodIdentityAddonName,
Enabled: to.BoolPtr(DefaultAADPodIdentityAddonEnabled && !cs.Properties.IsAzureStackCloud()),
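Review bot: the variable name `defaultsAntreaDaemonSetAddonsConfig` is misleading, since the addon manifest contains a Deployment (controller) as well as the DaemonSet; most siblings here are named `default<Addon>AddonsConfig`, so `defaultAntreaAddonsConfig` would fit. Enabling the addon on `NetworkPlugin == NetworkPluginAntrea` alone means a user who sets only `networkPlugin: antrea` gets the datapath with policy enforcement configured, contradicting the docs' "only works w/ `"networkPolicy": "antrea"`"; either key on both fields or validate the combination. Only `serviceCidr` is passed through `Config`; if tunnel type or MTU are meant to be tunable they should be surfaced the same way rather than left as commented defaults in the manifest.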
@ -652,6 +680,7 @@ func (cs *ContainerService) setAddonsConfig(isUpgrade bool) {
defaultKubeProxyAddonsConfig,
defaultPodSecurityPolicyAddonsConfig,
defaultAADDefaultAdminGroupAddonsConfig,
defaultsAntreaDaemonSetAddonsConfig,
}
// Add default addons specification, if no user-provided spec exists
if o.KubernetesConfig.Addons == nil {


@ -2930,6 +2930,35 @@ func TestSetAddonsConfig(t *testing.T) {
},
}, "1.15.4"),
},
{
name: "antrea addon enabled",
cs: &ContainerService{
Properties: &Properties{
OrchestratorProfile: &OrchestratorProfile{
OrchestratorVersion: "1.15.4",
KubernetesConfig: &KubernetesConfig{
DNSServiceIP: DefaultKubernetesDNSServiceIP,
KubeletConfig: map[string]string{
"--cluster-domain": "cluster.local",
},
ClusterSubnet: DefaultKubernetesSubnet,
ProxyMode: KubeProxyModeIPTables,
NetworkPlugin: NetworkPluginAzure,
},
},
},
},
isUpgrade: false,
expectedAddons: concatenateDefaultAddons([]KubernetesAddon{
{
Name: common.AntreaAddonName,
Enabled: to.BoolPtr(true),
Config: map[string]string{
"serviceCidr": DefaultKubernetesServiceCIDR,
},
},
}, "1.15.4"),
},
}
for _, test := range tests {
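Review bot: the "antrea addon enabled" case cannot exercise the condition it is named for: it sets `NetworkPlugin: NetworkPluginAzure` and never sets `NetworkPlugin` or `NetworkPolicy` to antrea, yet expects the antrea addon with `Enabled: true`, while setAddonsConfig enables it only when `o.KubernetesConfig.NetworkPlugin == NetworkPluginAntrea`. Either the case should set `NetworkPlugin: NetworkPluginAntrea` (in which case the expected list also needs ip-masq-agent disabled, per the change above) or the comparison loop below is not checking `Enabled` at all; verify which and fix it. A companion negative case with another plugin, expecting the addon disabled, would catch regressions.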


@ -164,6 +164,14 @@ const (
CiliumOperatorContainerName = "cilium-operator"
// CiliumEtcdOperatorContainerName is the name of the cilium-etcd-operator container in the cilium addon
CiliumEtcdOperatorContainerName = "cilium-etcd-operator"
// AntreaControllerContainerName is the name of the antrea-controller container in the antrea addon
AntreaControllerContainerName = "antrea-controller"
// AntreaAgentContainerName is the name of the antrea-agent container in the antrea addon
AntreaAgentContainerName = "antrea-agent"
// AntreaOVSContainerName is the name of the antrea-ovs container in the antrea addon
AntreaOVSContainerName = "antrea-ovs"
// AntreaInstallCNIContainerName is the name of the install-cni container in the antrea addon
AntreaInstallCNIContainerName = "install-cni"
// GatekeeperContainerName is the name of the gatekeeper container in the azure-policy addon
GatekeeperContainerName = "gatekeeper"
// CloudNodeManagerAddonName is the name of the cloud node manager addon
@ -206,6 +214,8 @@ const (
KubeProxyAddonName = "kube-proxy"
// CiliumAddonName is the name of cilium daemonset addon
CiliumAddonName = "cilium"
// AntreaAddonName is the name of antrea daemonset addon
AntreaAddonName = "antrea"
// FlannelAddonName is the name of flannel plugin daemonset addon
FlannelAddonName = "flannel-daemonset"
// AADAdminGroupAddonName is the name of the default admin group RBAC addon


@ -355,6 +355,10 @@ const (
NetworkPluginCilium = NetworkPolicyCilium
// NetworkPluginFlannel is the string expression for flannel network policy config option
NetworkPluginFlannel = "flannel"
// NetworkPluginAntrea is the string expression for antrea network plugin config option
NetworkPluginAntrea = "antrea"
// NetworkPolicyAntrea is the string expression for antrea network policy config option
NetworkPolicyAntrea = NetworkPluginAntrea
// DefaultNetworkPlugin defines the network plugin to use by default
DefaultNetworkPlugin = NetworkPluginKubenet
// DefaultNetworkPolicy defines the network policy implementation to use by default


@ -1047,6 +1047,19 @@ func TestSetVlabsKubernetesDefaults(t *testing.T) {
expectedNetworkPlugin: "",
expectedNetworkPolicy: "cilium",
},
{
name: "antrea networkPlugin",
p: &vlabs.Properties{
OrchestratorProfile: &vlabs.OrchestratorProfile{
KubernetesConfig: &vlabs.KubernetesConfig{
NetworkPlugin: "",
NetworkPolicy: "antrea",
},
},
},
expectedNetworkPlugin: "",
expectedNetworkPolicy: "antrea",
},
}
for _, test := range tests {


@ -118,6 +118,8 @@ func (cs *ContainerService) setOrchestratorDefaults(isUpgrade, isScale bool) {
}
case NetworkPolicyCilium:
o.KubernetesConfig.NetworkPlugin = NetworkPluginCilium
case NetworkPolicyAntrea:
o.KubernetesConfig.NetworkPlugin = NetworkPluginAntrea
}
if o.KubernetesConfig.KubernetesImageBase == "" {
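Review bot: this maps `networkPolicy: antrea` onto the plugin, but nothing in the hunks shown validates the reverse combinations: `"networkPlugin": "antrea"` with an empty or different `networkPolicy` (say calico) passes the ARM `allowedValues` and enables the addon, because setAddonsConfig keys on NetworkPlugin alone, which contradicts the docs' "only works w/ `"networkPolicy": "antrea"`". If the vlabs validator is not updated elsewhere in this PR, add a check mirroring the cilium one and a test for the rejected combinations.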


@ -222,6 +222,7 @@ func TestAssignDefaultAddonImages(t *testing.T) {
common.KubeDNSAddonName: specConfig.KubernetesImageBase + k8sComponents[common.KubeDNSAddonName],
common.CoreDNSAddonName: specConfig.KubernetesImageBase + k8sComponents[common.CoreDNSAddonName],
common.KubeProxyAddonName: specConfig.KubernetesImageBase + k8sComponents[common.KubeProxyAddonName],
common.AntreaAddonName: k8sComponents[common.AntreaControllerContainerName],
}
customAddonImages := make(map[string]string)
@ -290,6 +291,9 @@ func getFakeAddons(defaultAddonMap map[string]string, customImage string) []Kube
if addonName == common.KubeDNSAddonName {
containerName = "kubedns"
}
if addonName == common.AntreaAddonName {
containerName = common.AntreaControllerContainerName
}
customAddon := KubernetesAddon{
Name: addonName,
Enabled: to.BoolPtr(true),
@ -835,6 +839,16 @@ func TestNetworkPolicyDefaults(t *testing.T) {
properties.OrchestratorProfile.KubernetesConfig.NetworkPlugin, NetworkPluginCilium)
}
mockCS = getMockBaseContainerService("1.15.7")
properties = mockCS.Properties
properties.OrchestratorProfile.OrchestratorType = Kubernetes
properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy = NetworkPolicyAntrea
mockCS.setOrchestratorDefaults(true, true)
if properties.OrchestratorProfile.KubernetesConfig.NetworkPlugin != NetworkPluginAntrea {
t.Fatalf("NetworkPlugin did not have the expected value, got %s, expected %s",
properties.OrchestratorProfile.KubernetesConfig.NetworkPlugin, NetworkPluginAntrea)
}
mockCS = getMockBaseContainerService("1.8.10")
properties = mockCS.Properties
properties.OrchestratorProfile.OrchestratorType = Kubernetes


@ -39,6 +39,10 @@ const (
ciliumCleanStateImageReference string = "docker.io/cilium/cilium-init:2018-10-16"
ciliumOperatorImageReference string = "docker.io/cilium/operator:v1.4"
ciliumEtcdOperatorImageReference string = "docker.io/cilium/cilium-etcd-operator:v2.0.5"
antreaControllerImageReference string = "antrea/antrea-ubuntu:v0.2.0"
antreaAgentImageReference = antreaControllerImageReference
antreaOVSImageReference = antreaControllerImageReference
antreaInstallCNIImageReference = antreaControllerImageReference
azureNPMContainerImageReference string = "mcr.microsoft.com/containernetworking/azure-npm:v1.0.30"
aadPodIdentityNMIImageReference string = "mcr.microsoft.com/k8s/aad-pod-identity/nmi:1.2"
aadPodIdentityMICImageReference string = "mcr.microsoft.com/k8s/aad-pod-identity/mic:1.2"
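Review bot: `antrea/antrea-ubuntu:v0.2.0` has no registry host and so resolves implicitly to Docker Hub, unlike the cilium references directly above which spell out `docker.io/`; write `docker.io/antrea/antrea-ubuntu:v0.2.0` for consistency and so registry allow-lists and mirrors keyed on the host work. It is also a tag-only pin on a third-party image; the component map does not carry digests today, but since this is the CNI and policy enforcer for every node, consider pinning by digest if the map can support it. Deriving the agent, OVS and install-cni references from `antreaControllerImageReference` is right, as upstream ships a single image.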
@ -250,6 +254,10 @@ func getK8sVersionComponents(version string, overrides map[string]string) map[st
common.CiliumCleanStateContainerName: ciliumCleanStateImageReference,
common.CiliumOperatorContainerName: ciliumOperatorImageReference,
common.CiliumEtcdOperatorContainerName: ciliumEtcdOperatorImageReference,
common.AntreaControllerContainerName: antreaControllerImageReference,
common.AntreaAgentContainerName: antreaAgentImageReference,
common.AntreaOVSContainerName: antreaOVSImageReference,
common.AntreaInstallCNIContainerName: antreaInstallCNIImageReference,
common.NMIContainerName: aadPodIdentityNMIImageReference,
common.MICContainerName: aadPodIdentityMICImageReference,
common.AzurePolicyAddonName: azurePolicyImageReference,
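Review bot: these four map entries are repeated verbatim in ten per-version blocks of getK8sVersionComponents in this file, and again in each expected map of TestGetK8sVersionComponents; a shared base map merged into every version block, or a helper that appends the network-component images, would remove the copy-paste and the risk of one block drifting when the image is next bumped. Not blocking.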
@ -317,6 +325,10 @@ func getK8sVersionComponents(version string, overrides map[string]string) map[st
common.CiliumCleanStateContainerName: ciliumCleanStateImageReference,
common.CiliumOperatorContainerName: ciliumOperatorImageReference,
common.CiliumEtcdOperatorContainerName: ciliumEtcdOperatorImageReference,
common.AntreaControllerContainerName: antreaControllerImageReference,
common.AntreaAgentContainerName: antreaAgentImageReference,
common.AntreaOVSContainerName: antreaOVSImageReference,
common.AntreaInstallCNIContainerName: antreaInstallCNIImageReference,
common.NMIContainerName: aadPodIdentityNMIImageReference,
common.MICContainerName: aadPodIdentityMICImageReference,
common.AzurePolicyAddonName: azurePolicyImageReference,
@ -383,6 +395,10 @@ func getK8sVersionComponents(version string, overrides map[string]string) map[st
common.CiliumCleanStateContainerName: ciliumCleanStateImageReference,
common.CiliumOperatorContainerName: ciliumOperatorImageReference,
common.CiliumEtcdOperatorContainerName: ciliumEtcdOperatorImageReference,
common.AntreaControllerContainerName: antreaControllerImageReference,
common.AntreaAgentContainerName: antreaAgentImageReference,
common.AntreaOVSContainerName: antreaOVSImageReference,
common.AntreaInstallCNIContainerName: antreaInstallCNIImageReference,
common.NMIContainerName: aadPodIdentityNMIImageReference,
common.MICContainerName: aadPodIdentityMICImageReference,
common.AzurePolicyAddonName: azurePolicyImageReference,
@ -449,6 +465,10 @@ func getK8sVersionComponents(version string, overrides map[string]string) map[st
common.CiliumCleanStateContainerName: ciliumCleanStateImageReference,
common.CiliumOperatorContainerName: ciliumOperatorImageReference,
common.CiliumEtcdOperatorContainerName: ciliumEtcdOperatorImageReference,
common.AntreaControllerContainerName: antreaControllerImageReference,
common.AntreaAgentContainerName: antreaAgentImageReference,
common.AntreaOVSContainerName: antreaOVSImageReference,
common.AntreaInstallCNIContainerName: antreaInstallCNIImageReference,
common.NMIContainerName: aadPodIdentityNMIImageReference,
common.MICContainerName: aadPodIdentityMICImageReference,
common.AzurePolicyAddonName: azurePolicyImageReference,
@ -515,6 +535,10 @@ func getK8sVersionComponents(version string, overrides map[string]string) map[st
common.CiliumCleanStateContainerName: ciliumCleanStateImageReference,
common.CiliumOperatorContainerName: ciliumOperatorImageReference,
common.CiliumEtcdOperatorContainerName: ciliumEtcdOperatorImageReference,
common.AntreaControllerContainerName: antreaControllerImageReference,
common.AntreaAgentContainerName: antreaAgentImageReference,
common.AntreaOVSContainerName: antreaOVSImageReference,
common.AntreaInstallCNIContainerName: antreaInstallCNIImageReference,
common.NMIContainerName: aadPodIdentityNMIImageReference,
common.MICContainerName: aadPodIdentityMICImageReference,
common.AzurePolicyAddonName: azurePolicyImageReference,
@ -581,6 +605,10 @@ func getK8sVersionComponents(version string, overrides map[string]string) map[st
common.CiliumCleanStateContainerName: ciliumCleanStateImageReference,
common.CiliumOperatorContainerName: ciliumOperatorImageReference,
common.CiliumEtcdOperatorContainerName: ciliumEtcdOperatorImageReference,
common.AntreaControllerContainerName: antreaControllerImageReference,
common.AntreaAgentContainerName: antreaAgentImageReference,
common.AntreaOVSContainerName: antreaOVSImageReference,
common.AntreaInstallCNIContainerName: antreaInstallCNIImageReference,
common.NMIContainerName: aadPodIdentityNMIImageReference,
common.MICContainerName: aadPodIdentityMICImageReference,
common.AzurePolicyAddonName: azurePolicyImageReference,
@ -646,6 +674,10 @@ func getK8sVersionComponents(version string, overrides map[string]string) map[st
common.CiliumCleanStateContainerName: ciliumCleanStateImageReference,
common.CiliumOperatorContainerName: ciliumOperatorImageReference,
common.CiliumEtcdOperatorContainerName: ciliumEtcdOperatorImageReference,
common.AntreaControllerContainerName: antreaControllerImageReference,
common.AntreaAgentContainerName: antreaAgentImageReference,
common.AntreaOVSContainerName: antreaOVSImageReference,
common.AntreaInstallCNIContainerName: antreaInstallCNIImageReference,
common.NMIContainerName: aadPodIdentityNMIImageReference,
common.MICContainerName: aadPodIdentityMICImageReference,
common.AzurePolicyAddonName: azurePolicyImageReference,
@ -711,6 +743,10 @@ func getK8sVersionComponents(version string, overrides map[string]string) map[st
common.CiliumCleanStateContainerName: ciliumCleanStateImageReference,
common.CiliumOperatorContainerName: ciliumOperatorImageReference,
common.CiliumEtcdOperatorContainerName: ciliumEtcdOperatorImageReference,
common.AntreaControllerContainerName: antreaControllerImageReference,
common.AntreaAgentContainerName: antreaAgentImageReference,
common.AntreaOVSContainerName: antreaOVSImageReference,
common.AntreaInstallCNIContainerName: antreaInstallCNIImageReference,
common.NMIContainerName: aadPodIdentityNMIImageReference,
common.MICContainerName: aadPodIdentityMICImageReference,
common.AzurePolicyAddonName: azurePolicyImageReference,
@ -776,6 +812,10 @@ func getK8sVersionComponents(version string, overrides map[string]string) map[st
common.CiliumCleanStateContainerName: ciliumCleanStateImageReference,
common.CiliumOperatorContainerName: ciliumOperatorImageReference,
common.CiliumEtcdOperatorContainerName: ciliumEtcdOperatorImageReference,
common.AntreaControllerContainerName: antreaControllerImageReference,
common.AntreaAgentContainerName: antreaAgentImageReference,
common.AntreaOVSContainerName: antreaOVSImageReference,
common.AntreaInstallCNIContainerName: antreaInstallCNIImageReference,
common.NMIContainerName: aadPodIdentityNMIImageReference,
common.MICContainerName: aadPodIdentityMICImageReference,
common.AzurePolicyAddonName: azurePolicyImageReference,
@ -838,6 +878,10 @@ func getK8sVersionComponents(version string, overrides map[string]string) map[st
common.CiliumCleanStateContainerName: ciliumCleanStateImageReference,
common.CiliumOperatorContainerName: ciliumOperatorImageReference,
common.CiliumEtcdOperatorContainerName: ciliumEtcdOperatorImageReference,
common.AntreaControllerContainerName: antreaControllerImageReference,
common.AntreaAgentContainerName: antreaAgentImageReference,
common.AntreaOVSContainerName: antreaOVSImageReference,
common.AntreaInstallCNIContainerName: antreaInstallCNIImageReference,
common.NMIContainerName: aadPodIdentityNMIImageReference,
common.MICContainerName: aadPodIdentityMICImageReference,
common.AzurePolicyAddonName: azurePolicyImageReference,

View file

@ -59,6 +59,10 @@ func TestGetK8sVersionComponents(t *testing.T) {
common.CiliumCleanStateContainerName: ciliumCleanStateImageReference,
common.CiliumOperatorContainerName: ciliumOperatorImageReference,
common.CiliumEtcdOperatorContainerName: ciliumEtcdOperatorImageReference,
common.AntreaControllerContainerName: antreaControllerImageReference,
common.AntreaAgentContainerName: antreaAgentImageReference,
common.AntreaOVSContainerName: antreaOVSImageReference,
common.AntreaInstallCNIContainerName: antreaInstallCNIImageReference,
common.NMIContainerName: aadPodIdentityNMIImageReference,
common.MICContainerName: aadPodIdentityMICImageReference,
common.AzurePolicyAddonName: azurePolicyImageReference,
@ -139,6 +143,10 @@ func TestGetK8sVersionComponents(t *testing.T) {
common.CiliumCleanStateContainerName: ciliumCleanStateImageReference,
common.CiliumOperatorContainerName: ciliumOperatorImageReference,
common.CiliumEtcdOperatorContainerName: ciliumEtcdOperatorImageReference,
common.AntreaControllerContainerName: antreaControllerImageReference,
common.AntreaAgentContainerName: antreaAgentImageReference,
common.AntreaOVSContainerName: antreaOVSImageReference,
common.AntreaInstallCNIContainerName: antreaInstallCNIImageReference,
common.NMIContainerName: aadPodIdentityNMIImageReference,
common.MICContainerName: aadPodIdentityMICImageReference,
common.AzurePolicyAddonName: azurePolicyImageReference,
@ -212,6 +220,10 @@ func TestGetK8sVersionComponents(t *testing.T) {
common.CiliumCleanStateContainerName: ciliumCleanStateImageReference,
common.CiliumOperatorContainerName: ciliumOperatorImageReference,
common.CiliumEtcdOperatorContainerName: ciliumEtcdOperatorImageReference,
common.AntreaControllerContainerName: antreaControllerImageReference,
common.AntreaAgentContainerName: antreaAgentImageReference,
common.AntreaOVSContainerName: antreaOVSImageReference,
common.AntreaInstallCNIContainerName: antreaInstallCNIImageReference,
common.NMIContainerName: aadPodIdentityNMIImageReference,
common.MICContainerName: aadPodIdentityMICImageReference,
common.AzurePolicyAddonName: azurePolicyImageReference,
@ -284,6 +296,10 @@ func TestGetK8sVersionComponents(t *testing.T) {
common.CiliumCleanStateContainerName: ciliumCleanStateImageReference,
common.CiliumOperatorContainerName: ciliumOperatorImageReference,
common.CiliumEtcdOperatorContainerName: ciliumEtcdOperatorImageReference,
common.AntreaControllerContainerName: antreaControllerImageReference,
common.AntreaAgentContainerName: antreaAgentImageReference,
common.AntreaOVSContainerName: antreaOVSImageReference,
common.AntreaInstallCNIContainerName: antreaInstallCNIImageReference,
common.NMIContainerName: aadPodIdentityNMIImageReference,
common.MICContainerName: aadPodIdentityMICImageReference,
common.AzurePolicyAddonName: azurePolicyImageReference,
@ -356,6 +372,10 @@ func TestGetK8sVersionComponents(t *testing.T) {
common.CiliumCleanStateContainerName: ciliumCleanStateImageReference,
common.CiliumOperatorContainerName: ciliumOperatorImageReference,
common.CiliumEtcdOperatorContainerName: ciliumEtcdOperatorImageReference,
common.AntreaControllerContainerName: antreaControllerImageReference,
common.AntreaAgentContainerName: antreaAgentImageReference,
common.AntreaOVSContainerName: antreaOVSImageReference,
common.AntreaInstallCNIContainerName: antreaInstallCNIImageReference,
common.NMIContainerName: aadPodIdentityNMIImageReference,
common.MICContainerName: aadPodIdentityMICImageReference,
common.AzurePolicyAddonName: azurePolicyImageReference,
@ -421,6 +441,10 @@ func TestGetK8sVersionComponents(t *testing.T) {
common.CiliumCleanStateContainerName: ciliumCleanStateImageReference,
common.CiliumOperatorContainerName: ciliumOperatorImageReference,
common.CiliumEtcdOperatorContainerName: ciliumEtcdOperatorImageReference,
common.AntreaControllerContainerName: antreaControllerImageReference,
common.AntreaAgentContainerName: antreaAgentImageReference,
common.AntreaOVSContainerName: antreaOVSImageReference,
common.AntreaInstallCNIContainerName: antreaInstallCNIImageReference,
common.NMIContainerName: aadPodIdentityNMIImageReference,
common.MICContainerName: aadPodIdentityMICImageReference,
common.AzurePolicyAddonName: azurePolicyImageReference,
@ -492,6 +516,10 @@ func TestGetK8sVersionComponents(t *testing.T) {
common.CiliumCleanStateContainerName: ciliumCleanStateImageReference,
common.CiliumOperatorContainerName: ciliumOperatorImageReference,
common.CiliumEtcdOperatorContainerName: ciliumEtcdOperatorImageReference,
common.AntreaControllerContainerName: antreaControllerImageReference,
common.AntreaAgentContainerName: antreaAgentImageReference,
common.AntreaOVSContainerName: antreaOVSImageReference,
common.AntreaInstallCNIContainerName: antreaInstallCNIImageReference,
common.NMIContainerName: aadPodIdentityNMIImageReference,
common.MICContainerName: aadPodIdentityMICImageReference,
common.AzurePolicyAddonName: azurePolicyImageReference,
@ -563,6 +591,10 @@ func TestGetK8sVersionComponents(t *testing.T) {
common.CiliumCleanStateContainerName: ciliumCleanStateImageReference,
common.CiliumOperatorContainerName: ciliumOperatorImageReference,
common.CiliumEtcdOperatorContainerName: ciliumEtcdOperatorImageReference,
common.AntreaControllerContainerName: antreaControllerImageReference,
common.AntreaAgentContainerName: antreaAgentImageReference,
common.AntreaOVSContainerName: antreaOVSImageReference,
common.AntreaInstallCNIContainerName: antreaInstallCNIImageReference,
common.NMIContainerName: aadPodIdentityNMIImageReference,
common.MICContainerName: aadPodIdentityMICImageReference,
common.AzurePolicyAddonName: azurePolicyImageReference,
@ -633,6 +665,10 @@ func TestGetK8sVersionComponents(t *testing.T) {
common.CiliumCleanStateContainerName: ciliumCleanStateImageReference,
common.CiliumOperatorContainerName: ciliumOperatorImageReference,
common.CiliumEtcdOperatorContainerName: ciliumEtcdOperatorImageReference,
common.AntreaControllerContainerName: antreaControllerImageReference,
common.AntreaAgentContainerName: antreaAgentImageReference,
common.AntreaOVSContainerName: antreaOVSImageReference,
common.AntreaInstallCNIContainerName: antreaInstallCNIImageReference,
common.NMIContainerName: aadPodIdentityNMIImageReference,
common.MICContainerName: aadPodIdentityMICImageReference,
common.AzurePolicyAddonName: azurePolicyImageReference,
@ -701,6 +737,10 @@ func TestGetK8sVersionComponents(t *testing.T) {
common.CiliumCleanStateContainerName: ciliumCleanStateImageReference,
common.CiliumOperatorContainerName: ciliumOperatorImageReference,
common.CiliumEtcdOperatorContainerName: ciliumEtcdOperatorImageReference,
common.AntreaControllerContainerName: antreaControllerImageReference,
common.AntreaAgentContainerName: antreaAgentImageReference,
common.AntreaOVSContainerName: antreaOVSImageReference,
common.AntreaInstallCNIContainerName: antreaInstallCNIImageReference,
common.NMIContainerName: aadPodIdentityNMIImageReference,
common.MICContainerName: aadPodIdentityMICImageReference,
common.AzurePolicyAddonName: azurePolicyImageReference,
@ -809,6 +849,10 @@ func TestGetK8sVersionComponents(t *testing.T) {
common.CiliumCleanStateContainerName: ciliumCleanStateImageReference,
common.CiliumOperatorContainerName: ciliumOperatorImageReference,
common.CiliumEtcdOperatorContainerName: ciliumEtcdOperatorImageReference,
common.AntreaControllerContainerName: antreaControllerImageReference,
common.AntreaAgentContainerName: antreaAgentImageReference,
common.AntreaOVSContainerName: antreaOVSImageReference,
common.AntreaInstallCNIContainerName: antreaInstallCNIImageReference,
common.NMIContainerName: aadPodIdentityNMIImageReference,
common.MICContainerName: aadPodIdentityMICImageReference,
common.AzurePolicyAddonName: azurePolicyImageReference,

View file

@ -1698,7 +1698,10 @@ func (o *OrchestratorProfile) IsAzureCNI() bool {
func (o *OrchestratorProfile) RequireRouteTable() bool {
switch o.OrchestratorType {
case Kubernetes:
if o.IsAzureCNI() || NetworkPolicyCilium == o.KubernetesConfig.NetworkPolicy || "flannel" == o.KubernetesConfig.NetworkPlugin {
if o.IsAzureCNI() ||
NetworkPolicyCilium == o.KubernetesConfig.NetworkPolicy ||
"flannel" == o.KubernetesConfig.NetworkPlugin ||
NetworkPluginAntrea == o.KubernetesConfig.NetworkPlugin {
return false
}
return true
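Review bot: the new `NetworkPluginAntrea == o.KubernetesConfig.NetworkPlugin` branch keys on NetworkPlugin only, while the validation table in this commit also accepts networkPolicy antrea with an empty networkPlugin; RequireRouteTable therefore returns false for an antrea cluster only after setOrchestratorDefaults has filled the plugin from the policy, so callers must not consult it on an un-defaulted profile (a comment on the function would make that contract explicit). Style: `"flannel"` is still a bare string literal beside three constants; a NetworkPluginFlannel constant would match the rest of the condition.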

View file

@ -2845,6 +2845,17 @@ func TestRequireRouteTable(t *testing.T) {
},
expected: false,
},
{
p: Properties{
OrchestratorProfile: &OrchestratorProfile{
OrchestratorType: Kubernetes,
KubernetesConfig: &KubernetesConfig{
NetworkPlugin: NetworkPolicyAntrea,
},
},
},
expected: false,
},
}
for _, c := range cases {
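Review bot: the new case sets `NetworkPlugin: NetworkPolicyAntrea`; the two constants are equal so the test passes, but the field is the plugin and should use NetworkPluginAntrea so the case reads as intended and keeps working if the two constants are ever decoupled.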

View file

@ -89,11 +89,11 @@ const (
var (
// NetworkPluginValues holds the valid values for network plugin implementation
NetworkPluginValues = [...]string{"", "kubenet", "azure", NetworkPluginCilium, "flannel"}
NetworkPluginValues = [...]string{"", "kubenet", "azure", NetworkPluginCilium, NetworkPluginAntrea, "flannel"}
// NetworkPolicyValues holds the valid values for a network policy
// "azure" and "none" are there for backwards-compatibility
NetworkPolicyValues = [...]string{"", "calico", NetworkPolicyCilium, "azure", "none"}
NetworkPolicyValues = [...]string{"", "calico", NetworkPolicyCilium, NetworkPolicyAntrea, "azure", "none"}
// ContainerRuntimeValues holds the valid values for container runtimes
ContainerRuntimeValues = [...]string{"", Docker, KataContainers, Containerd}
@ -126,6 +126,10 @@ const (
NetworkPolicyCilium = "cilium"
// NetworkPluginCilium is the string expression for cilium network policy config option
NetworkPluginCilium = NetworkPolicyCilium
// NetworkPolicyAntrea is the string expression for antrea network policy config option
NetworkPolicyAntrea = "antrea"
// NetworkPluginAntrea is the string expression for antrea network plugin config option
NetworkPluginAntrea = NetworkPolicyAntrea
// NetworkModeBridge is the string expression for bridge network mode config option
NetworkModeBridge = "bridge"
// NetworkModeTransparent is the string expression for transparent network mode config option

View file

@ -77,6 +77,14 @@ var (
networkPlugin: "",
networkPolicy: NetworkPolicyCilium,
},
{
networkPlugin: NetworkPluginAntrea,
networkPolicy: NetworkPolicyAntrea,
},
{
networkPlugin: "",
networkPolicy: NetworkPolicyAntrea,
},
{
networkPlugin: "",
networkPolicy: "azure", // for backwards-compatibility w/ prior networkPolicy usage
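Review bot: the two new entries allow networkPolicy antrea with networkPlugin antrea or empty, but no entry pairs networkPlugin antrea with an empty networkPolicy; if that asymmetry is intended (the plugin cannot be selected without the policy), a short comment beside the entries would save the next reader a trip through the plugin/policy validation, and a test case for the rejected combination would lock the behaviour in.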
@ -720,6 +728,10 @@ func (a *Properties) validateAddons() error {
} else {
return errors.Errorf("%s addon is not supported on Kubernetes v1.16.0 or greater", common.CiliumAddonName)
}
case common.AntreaAddonName:
if a.OrchestratorProfile.KubernetesConfig.NetworkPolicy != NetworkPolicyAntrea {
return errors.Errorf("%s addon may only be enabled if the networkPolicy=%s", common.AntreaAddonName, NetworkPolicyAntrea)
}
case "azure-policy":
isValidVersion, err := common.IsValidMinVersion(a.OrchestratorProfile.OrchestratorType, a.OrchestratorProfile.OrchestratorRelease, a.OrchestratorProfile.OrchestratorVersion, "1.10.0")
if err != nil {
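Review bot: the new `case common.AntreaAddonName` checks NetworkPolicy only; unlike the cilium case immediately above, which rejects Kubernetes 1.16 and newer, it carries no Kubernetes version bound, yet the manifest embedded later in this commit uses apiextensions.k8s.io/v1beta1 CRDs and an rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding. A version check here (mirroring the cilium pattern with common.IsValidMinVersion as used in the azure-policy case below) would enforce the supported range at validation time instead of leaving it to be discovered at apply time.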
@ -1408,7 +1420,7 @@ func (k *KubernetesConfig) Validate(k8sVersion string, hasWindows, ipv6DualStack
}
}
if e := k.validateNetworkPlugin(); e != nil {
if e := k.validateNetworkPlugin(hasWindows); e != nil {
return e
}
if e := k.validateNetworkPolicy(k8sVersion, hasWindows); e != nil {
@ -1423,7 +1435,7 @@ func (k *KubernetesConfig) Validate(k8sVersion string, hasWindows, ipv6DualStack
return nil
}
func (k *KubernetesConfig) validateNetworkPlugin() error {
func (k *KubernetesConfig) validateNetworkPlugin(hasWindows bool) error {
networkPlugin := k.NetworkPlugin
@ -1439,6 +1451,11 @@ func (k *KubernetesConfig) validateNetworkPlugin() error {
return errors.Errorf("unknown networkPlugin '%s' specified", networkPlugin)
}
// Temporary safety check, to be removed when Windows support is added.
if (networkPlugin == NetworkPluginAntrea) && hasWindows {
return errors.Errorf("networkPlugin '%s' is not supporting windows agents", networkPlugin)
}
return nil
}
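Review bot: the parentheses around `networkPlugin == NetworkPluginAntrea` are unnecessary, and the message "is not supporting windows agents" reads better as "does not support Windows agents"; it mirrors the existing validateNetworkPolicy wording, so if one is changed both should be. The comment calls the check temporary; a tracking-issue reference would make it easy to find when Windows support lands.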
@ -1464,7 +1481,8 @@ func (k *KubernetesConfig) validateNetworkPolicy(k8sVersion string, hasWindows b
}
// Temporary safety check, to be removed when Windows support is added.
if (networkPolicy == "calico" || networkPolicy == NetworkPolicyCilium || networkPolicy == "flannel") && hasWindows {
if (networkPolicy == "calico" || networkPolicy == NetworkPolicyCilium ||
networkPolicy == "flannel" || networkPolicy == NetworkPolicyAntrea) && hasWindows {
return errors.Errorf("networkPolicy '%s' is not supporting windows agents", networkPolicy)
}
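Review bot: the condition now chains four policy names across two lines; a lookup against a small set of Windows-incompatible policies would stay readable as more are added. Separately, `"flannel"` remains in this NetworkPolicy check even though in this same commit it appears in NetworkPluginValues and not in NetworkPolicyValues, so if the policy is validated against that list first this branch can never match; consider dropping it here or moving the check to validateNetworkPlugin.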

View file

@ -887,6 +887,13 @@ func Test_Properties_ValidateNetworkPolicy(t *testing.T) {
)
}
p.OrchestratorProfile.KubernetesConfig.NetworkPolicy = NetworkPolicyAntrea
if err := p.OrchestratorProfile.KubernetesConfig.validateNetworkPolicy(k8sVersion, true); err == nil {
t.Errorf(
"should error on antrea for windows clusters",
)
}
p.OrchestratorProfile.KubernetesConfig.NetworkPolicy = "flannel"
if err := p.OrchestratorProfile.KubernetesConfig.validateNetworkPolicy(k8sVersion, true); err == nil {
t.Errorf(
@ -903,7 +910,7 @@ func Test_Properties_ValidateNetworkPlugin(t *testing.T) {
for _, policy := range NetworkPluginValues {
p.OrchestratorProfile.KubernetesConfig = &KubernetesConfig{}
p.OrchestratorProfile.KubernetesConfig.NetworkPlugin = policy
if err := p.OrchestratorProfile.KubernetesConfig.validateNetworkPlugin(); err != nil {
if err := p.OrchestratorProfile.KubernetesConfig.validateNetworkPlugin(false); err != nil {
t.Errorf(
"should not error on networkPolicy=\"%s\"",
policy,
@ -912,11 +919,18 @@ func Test_Properties_ValidateNetworkPlugin(t *testing.T) {
}
p.OrchestratorProfile.KubernetesConfig.NetworkPlugin = "not-existing"
if err := p.OrchestratorProfile.KubernetesConfig.validateNetworkPlugin(); err == nil {
if err := p.OrchestratorProfile.KubernetesConfig.validateNetworkPlugin(false); err == nil {
t.Errorf(
"should error on invalid networkPlugin",
)
}
p.OrchestratorProfile.KubernetesConfig.NetworkPlugin = NetworkPluginAntrea
if err := p.OrchestratorProfile.KubernetesConfig.validateNetworkPlugin(true); err == nil {
t.Errorf(
"should error on antrea for windows clusters",
)
}
}
func Test_Properties_ValidateNetworkPluginPlusPolicy(t *testing.T) {
@ -1546,7 +1560,7 @@ func TestValidateAddons(t *testing.T) {
expectedErr: errors.Errorf("%s addon may only be enabled if the networkPolicy=%s", common.CiliumAddonName, NetworkPolicyCilium),
},
{
name: "cilium addon enabled w/ azure networkPolicy",
name: "cilium addon enabled w/ calico networkPolicy",
p: &Properties{
OrchestratorProfile: &OrchestratorProfile{
KubernetesConfig: &KubernetesConfig{
@ -1615,6 +1629,91 @@ func TestValidateAddons(t *testing.T) {
},
expectedErr: errors.Errorf("%s addon is not supported on Kubernetes v1.16.0 or greater", common.CiliumAddonName),
},
{
name: "antrea addon enabled w/ no networkPolicy",
p: &Properties{
OrchestratorProfile: &OrchestratorProfile{
KubernetesConfig: &KubernetesConfig{
Addons: []KubernetesAddon{
{
Name: common.AntreaAddonName,
Enabled: to.BoolPtr(true),
},
},
},
},
},
expectedErr: errors.Errorf("%s addon may only be enabled if the networkPolicy=%s", common.AntreaAddonName, NetworkPolicyAntrea),
},
{
name: "antrea addon enabled w/ azure networkPolicy",
p: &Properties{
OrchestratorProfile: &OrchestratorProfile{
KubernetesConfig: &KubernetesConfig{
NetworkPolicy: "azure",
Addons: []KubernetesAddon{
{
Name: common.AntreaAddonName,
Enabled: to.BoolPtr(true),
},
},
},
},
},
expectedErr: errors.Errorf("%s addon may only be enabled if the networkPolicy=%s", common.AntreaAddonName, NetworkPolicyAntrea),
},
{
name: "antrea addon enabled w/ calico networkPolicy",
p: &Properties{
OrchestratorProfile: &OrchestratorProfile{
KubernetesConfig: &KubernetesConfig{
NetworkPolicy: "calico",
Addons: []KubernetesAddon{
{
Name: common.AntreaAddonName,
Enabled: to.BoolPtr(true),
},
},
},
},
},
expectedErr: errors.Errorf("%s addon may only be enabled if the networkPolicy=%s", common.AntreaAddonName, NetworkPolicyAntrea),
},
{
name: "antrea addon enabled w/ antrea networkPolicy",
p: &Properties{
OrchestratorProfile: &OrchestratorProfile{
KubernetesConfig: &KubernetesConfig{
NetworkPolicy: NetworkPolicyAntrea,
Addons: []KubernetesAddon{
{
Name: common.AntreaAddonName,
Enabled: to.BoolPtr(true),
},
},
},
},
},
expectedErr: nil,
},
{
name: "antrea addon enabled w/ antrea networkPolicy + networkPlugin",
p: &Properties{
OrchestratorProfile: &OrchestratorProfile{
KubernetesConfig: &KubernetesConfig{
NetworkPolicy: NetworkPolicyAntrea,
NetworkPlugin: NetworkPluginAntrea,
Addons: []KubernetesAddon{
{
Name: common.AntreaAddonName,
Enabled: to.BoolPtr(true),
},
},
},
},
},
expectedErr: nil,
},
}
for _, test := range tests {
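Review bot: the new addon cases cover no policy, azure, calico, antrea, and antrea plus plugin, all keyed on NetworkPolicy; add a case with NetworkPlugin antrea and NetworkPolicy empty, which per the new validateAddons branch is expected to error, so the table documents that the addon is gated on the policy alone rather than on the plugin.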

View file

@ -927,11 +927,12 @@
"kubenet",
"azure",
"flannel",
"cilium"
"cilium",
"antrea"
],
"defaultValue": "flannel",
"metadata": {
"description": "The network plugin to use for Kubernetes (kubenet|azure|flannel|cilium)"
"description": "The network plugin to use for Kubernetes (kubenet|azure|flannel|cilium|antrea)"
},
"type": "string"
},
@ -941,11 +942,12 @@
"none",
"azure",
"calico",
"cilium"
"cilium",
"antrea"
],
"defaultValue": "",
"metadata": {
"description": "The network policy enforcement to use (calico|cilium); 'none' and 'azure' here for backwards compatibility"
"description": "The network policy enforcement to use (calico|cilium|antrea); 'none' and 'azure' here for backwards compatibility"
},
"type": "string"
},
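Review bot: the `allowedValues` list and the description string `(kubenet|azure|flannel|cilium|antrea)` carry the same information for both the networkPlugin and networkPolicy parameters, so each new plugin needs two edits per parameter, and this parameter file appears twice in the commit; pointing the description at allowedValues instead of restating the list would leave one source of truth.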

View file

@ -893,11 +893,12 @@
"kubenet",
"azure",
"flannel",
"cilium"
"cilium",
"antrea"
],
"defaultValue": "flannel",
"metadata": {
"description": "The network plugin to use for Kubernetes (kubenet|azure|flannel|cilium)"
"description": "The network plugin to use for Kubernetes (kubenet|azure|flannel|cilium|antrea)"
},
"type": "string"
},
@ -907,11 +908,12 @@
"none",
"azure",
"calico",
"cilium"
"cilium",
"antrea"
],
"defaultValue": "",
"metadata": {
"description": "The network policy enforcement to use (calico|cilium); 'none' and 'azure' here for backwards compatibility"
"description": "The network policy enforcement to use (calico|cilium|antrea); 'none' and 'azure' here for backwards compatibility"
},
"type": "string"
},

View file

@ -177,6 +177,11 @@ func kubernetesContainerAddonSettingsInit(p *api.Properties) map[string]kubernet
base64Data: k.GetAddonScript(common.CiliumAddonName),
destinationFile: ciliumAddonDestinationFilename,
},
common.AntreaAddonName: {
sourceFile: antreaAddonSourceFilename,
base64Data: k.GetAddonScript(common.AntreaAddonName),
destinationFile: antreaAddonDestinationFilename,
},
}
}

View file

@ -365,6 +365,7 @@ func TestKubernetesContainerAddonSettingsInit(t *testing.T) {
expectedKubeProxy kubernetesComponentFileSpec
expectedPodSecurityPolicy kubernetesComponentFileSpec
expectedAADDefaultAdminGroup kubernetesComponentFileSpec
expectedAntrea kubernetesComponentFileSpec
}{
{
name: "addons with data",
@ -490,6 +491,10 @@ func TestKubernetesContainerAddonSettingsInit(t *testing.T) {
Name: common.AADAdminGroupAddonName,
Data: base64Data,
},
{
Name: common.AntreaAddonName,
Data: base64Data,
},
},
},
},
@ -639,6 +644,11 @@ func TestKubernetesContainerAddonSettingsInit(t *testing.T) {
base64Data: base64Data,
destinationFile: aadDefaultAdminGroupDestinationFilename,
},
expectedAntrea: kubernetesComponentFileSpec{
sourceFile: antreaAddonSourceFilename,
base64Data: base64Data,
destinationFile: antreaAddonDestinationFilename,
},
},
{
name: "addons with no data",
@ -735,6 +745,9 @@ func TestKubernetesContainerAddonSettingsInit(t *testing.T) {
{
Name: common.AADAdminGroupAddonName,
},
{
Name: common.AntreaAddonName,
},
},
},
},
@ -884,6 +897,11 @@ func TestKubernetesContainerAddonSettingsInit(t *testing.T) {
base64Data: "",
destinationFile: aadDefaultAdminGroupDestinationFilename,
},
expectedAntrea: kubernetesComponentFileSpec{
sourceFile: antreaAddonSourceFilename,
base64Data: "",
destinationFile: antreaAddonDestinationFilename,
},
},
{
name: "no addons in ContainerService object",
@ -1033,6 +1051,11 @@ func TestKubernetesContainerAddonSettingsInit(t *testing.T) {
base64Data: "",
destinationFile: aadDefaultAdminGroupDestinationFilename,
},
expectedAntrea: kubernetesComponentFileSpec{
sourceFile: antreaAddonSourceFilename,
base64Data: "",
destinationFile: antreaAddonDestinationFilename,
},
},
}
@ -1333,6 +1356,16 @@ func TestKubernetesContainerAddonSettingsInit(t *testing.T) {
if c.expectedAADDefaultAdminGroup.destinationFile != componentFileSpec[addon].destinationFile {
t.Fatalf("Expected %s to be %s", componentFileSpec[addon].destinationFile, c.expectedAADDefaultAdminGroup.destinationFile)
}
case common.AntreaAddonName:
if c.expectedAntrea.sourceFile != componentFileSpec[addon].sourceFile {
t.Fatalf("Expected %s to be %s", componentFileSpec[addon].sourceFile, c.expectedAntrea.sourceFile)
}
if c.expectedAntrea.base64Data != componentFileSpec[addon].base64Data {
t.Fatalf("Expected %s to be %s", componentFileSpec[addon].base64Data, c.expectedAntrea.base64Data)
}
if c.expectedAntrea.destinationFile != componentFileSpec[addon].destinationFile {
t.Fatalf("Expected %s to be %s", componentFileSpec[addon].destinationFile, c.expectedAntrea.destinationFile)
}
}
}
})

View file

@ -32,6 +32,10 @@ const (
NetworkPolicyCilium = "cilium"
// NetworkPluginCilium is the string expression for cilium network plugin config option
NetworkPluginCilium = NetworkPolicyCilium
// NetworkPolicyAntrea is the string expression for antrea network policy config option
NetworkPolicyAntrea = "antrea"
// NetworkPluginAntrea is the string expression for antrea network plugin config option
NetworkPluginAntrea = NetworkPolicyAntrea
// NetworkPolicyAzure is the string expression for Azure CNI network policy manager
NetworkPolicyAzure = "azure"
// NetworkPluginAzure is the string expression for Azure CNI plugin
@ -262,4 +266,6 @@ const (
aadDefaultAdminGroupDestinationFilename string = "aad-default-admin-group-rbac.yaml"
ciliumAddonSourceFilename string = "kubernetesmasteraddons-cilium-daemonset.yaml"
ciliumAddonDestinationFilename string = "cilium-daemonset.yaml"
antreaAddonSourceFilename string = "antrea.yaml"
antreaAddonDestinationFilename string = "antrea.yaml"
)
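Review bot: `antreaAddonSourceFilename` and `antreaAddonDestinationFilename` are both "antrea.yaml", whereas the cilium pair just above uses the `kubernetesmasteraddons-` prefix for the source file; either follow the prefix convention or note why this manifest is named differently. The NetworkPolicyAntrea/NetworkPluginAntrea constants added earlier in this hunk also duplicate the ones added to the api package in this commit (as the cilium constants already do); referencing the api package values would prevent the two from drifting.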

View file

@ -577,6 +577,9 @@ func getContainerServiceFuncMap(cs *api.ContainerService) template.FuncMap {
"HasCiliumNetworkPolicy": func() bool {
return cs.Properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy == NetworkPolicyCilium
},
"HasAntreaNetworkPolicy": func() bool {
return cs.Properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy == NetworkPolicyAntrea
},
"HasCustomNodesDNS": func() bool {
return cs.Properties.LinuxProfile != nil && cs.Properties.LinuxProfile.HasCustomNodesDNS()
},

View file

@ -872,6 +872,24 @@ func TestTemplateGenerator_FunctionMap(t *testing.T) {
},
ExpectedResult: false,
},
{
Name: "HasAntreaNetworkPolicy - antrea",
FuncName: "HasAntreaNetworkPolicy",
MutateFunc: func(cs api.ContainerService) api.ContainerService {
cs.Properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy = NetworkPluginAntrea
return cs
},
ExpectedResult: true,
},
{
Name: "HasAntreaNetworkPolicy - azure",
FuncName: "HasAntreaNetworkPolicy",
MutateFunc: func(cs api.ContainerService) api.ContainerService {
cs.Properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy = NetworkPolicyAzure
return cs
},
ExpectedResult: false,
},
}
originalCS := &api.ContainerService{}

View file

@ -150,6 +150,7 @@
// ../../parts/k8s/containeraddons/1.7/kubernetesmasteraddons-heapster-deployment.yaml
// ../../parts/k8s/containeraddons/1.8/kubernetesmasteraddons-heapster-deployment.yaml
// ../../parts/k8s/containeraddons/1.9/kubernetesmasteraddons-metrics-server-deployment.yaml
// ../../parts/k8s/containeraddons/antrea.yaml
// ../../parts/k8s/containeraddons/azure-cni-networkmonitor.yaml
// ../../parts/k8s/containeraddons/azure-policy-deployment.yaml
// ../../parts/k8s/containeraddons/coredns.yaml
@ -8719,6 +8720,11 @@ ensureKubelet() {
sleep 3
done
{{end}}
{{if HasAntreaNetworkPolicy}}
while [ ! -f /etc/cni/net.d/10-antrea.conf ]; do
sleep 3
done
{{end}}
}
ensureLabelNodes() {
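Review bot: the new `while [ ! -f /etc/cni/net.d/10-antrea.conf ]` loop has no upper bound, matching the existing pattern above it, so if the antrea agent never writes its CNI config (image pull failure, RBAC error, crash loop) node provisioning hangs silently instead of failing; a retry counter that logs and exits non-zero after a timeout would surface the fault to the provisioning log. The conf filename is also an Antrea-internal detail that may change between releases, so it is worth tying it to the pinned image version in a comment.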
@ -25005,6 +25011,525 @@ func k8sContaineraddons19KubernetesmasteraddonsMetricsServerDeploymentYaml() (*a
return a, nil
}
var _k8sContaineraddonsAntreaYaml = []byte(`apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
addonmanager.kubernetes.io/mode: "Reconcile"
name: antreaagentinfos.clusterinformation.crd.antrea.io
spec:
group: clusterinformation.crd.antrea.io
names:
kind: AntreaAgentInfo
plural: antreaagentinfos
shortNames:
- aai
singular: antreaagentinfo
scope: Cluster
versions:
- name: v1beta1
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
addonmanager.kubernetes.io/mode: "Reconcile"
name: antreacontrollerinfos.clusterinformation.crd.antrea.io
spec:
group: clusterinformation.crd.antrea.io
names:
kind: AntreaControllerInfo
plural: antreacontrollerinfos
shortNames:
- aci
singular: antreacontrollerinfo
scope: Cluster
versions:
- name: v1beta1
served: true
storage: true
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: antrea
addonmanager.kubernetes.io/mode: "Reconcile"
name: antrea-agent
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: antrea
addonmanager.kubernetes.io/mode: "Reconcile"
name: antrea-controller
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: antrea
addonmanager.kubernetes.io/mode: "Reconcile"
name: antrea-agent
rules:
- apiGroups:
- ""
resources:
- nodes
- pods
verbs:
- get
- watch
- list
- apiGroups:
- clusterinformation.crd.antrea.io
resources:
- antreaagentinfos
verbs:
- get
- create
- update
- delete
- apiGroups:
- networkpolicy.antrea.io
resources:
- networkpolicies
- appliedtogroups
- addressgroups
verbs:
- get
- watch
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: antrea
addonmanager.kubernetes.io/mode: "Reconcile"
name: antrea-controller
rules:
- apiGroups:
- ""
resources:
- nodes
- pods
- namespaces
verbs:
- get
- watch
- list
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- get
- watch
- list
- apiGroups:
- clusterinformation.crd.antrea.io
resources:
- antreacontrollerinfos
verbs:
- get
- create
- update
- delete
- apiGroups:
- clusterinformation.crd.antrea.io
resources:
- antreaagentinfos
verbs:
- list
- delete
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app: antrea
addonmanager.kubernetes.io/mode: "Reconcile"
name: antrea-controller-authentication-reader
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: antrea-controller
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
labels:
app: antrea
addonmanager.kubernetes.io/mode: "Reconcile"
name: antrea-agent
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: antrea-agent
subjects:
- kind: ServiceAccount
name: antrea-agent
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
labels:
app: antrea
addonmanager.kubernetes.io/mode: "Reconcile"
name: antrea-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: antrea-controller
subjects:
- kind: ServiceAccount
name: antrea-controller
namespace: kube-system
---
apiVersion: v1
data:
antrea-agent.conf: |
# Name of the OpenVSwitch bridge antrea-agent will create and use.
# Make sure it doesn't conflict with your existing OpenVSwitch bridges.
#ovsBridge: br-int
# Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are:
# - system
# - netdev
# 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run
# OVS in userspace mode. Userspace mode requires the tun device driver to be available.
#ovsDatapathType: system
# Name of the interface antrea-agent will create and use for host <--> pod communication.
# Make sure it doesn't conflict with your existing interfaces.
#hostGateway: gw0
# Encapsulation mode for communication between Pods across Nodes, supported values:
# - vxlan (default)
# - geneve
# - gre
# - stt
#tunnelType: vxlan
# Default MTU to use for the host gateway interface and the network interface of each Pod. If
# omitted, antrea-agent will default this value to 1450 to accomodate for tunnel encapsulate
# overhead.
#defaultMTU: 1450
# CIDR Range for services in cluster. It's required to support egress network policy, should
# be set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver.
serviceCIDR: {{ContainerConfig "serviceCidr"}}
antrea-cni.conf: |
{
"cniVersion":"0.3.0",
"name": "antrea",
"type": "antrea",
"ipam": {
"type": "host-local"
}
}
antrea-controller.conf: ""
kind: ConfigMap
metadata:
annotations: {}
labels:
app: antrea
addonmanager.kubernetes.io/mode: "EnsureExists"
name: antrea-config-48gttf992h
namespace: kube-system
---
apiVersion: v1
kind: Service
metadata:
labels:
app: antrea
addonmanager.kubernetes.io/mode: "Reconcile"
name: antrea
namespace: kube-system
spec:
ports:
- port: 443
protocol: TCP
targetPort: 443
selector:
app: antrea
component: antrea-controller
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: antrea
component: antrea-controller
addonmanager.kubernetes.io/mode: "Reconcile"
name: antrea-controller
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
app: antrea
component: antrea-controller
strategy:
type: Recreate
template:
metadata:
labels:
app: antrea
component: antrea-controller
spec:
containers:
- args:
- --config
- /etc/antrea/antrea-controller.conf
command:
- antrea-controller
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
image: {{ContainerImage "antrea-controller"}}
name: antrea-controller
ports:
- containerPort: 443
protocol: TCP
volumeMounts:
- mountPath: /etc/antrea/antrea-controller.conf
name: antrea-config
readOnly: true
subPath: antrea-controller.conf
hostNetwork: true
nodeSelector:
beta.kubernetes.io/os: linux
priorityClassName: system-cluster-critical
serviceAccountName: antrea-controller
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-48gttf992h
name: antrea-config
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
app: antrea
component: antrea-agent
addonmanager.kubernetes.io/mode: "Reconcile"
name: antrea-agent
namespace: kube-system
spec:
selector:
matchLabels:
app: antrea
component: antrea-agent
template:
metadata:
labels:
app: antrea
component: antrea-agent
spec:
containers:
- args:
- --config
- /etc/antrea/antrea-agent.conf
command:
- antrea-agent
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
image: {{ContainerImage "antrea-agent"}}
livenessProbe:
exec:
command:
- /bin/sh
- -c
- container_liveness_probe agent
failureThreshold: 5
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
name: antrea-agent
securityContext:
privileged: true
volumeMounts:
- mountPath: /etc/antrea/antrea-agent.conf
name: antrea-config
readOnly: true
subPath: antrea-agent.conf
- mountPath: /var/run/antrea
name: host-var-run-antrea
- mountPath: /var/run/openvswitch
name: host-var-run-antrea
subPath: openvswitch
- mountPath: /var/lib/cni
name: host-var-run-antrea
subPath: cni
- mountPath: /host/proc
name: host-proc
readOnly: true
- mountPath: /host/var/run/netns
mountPropagation: HostToContainer
name: host-var-run-netns
readOnly: true
- command:
- start_ovs
image: {{ContainerImage "antrea-ovs"}}
livenessProbe:
exec:
command:
- /bin/sh
- -c
- timeout 5 container_liveness_probe ovs
initialDelaySeconds: 5
periodSeconds: 5
name: antrea-ovs
securityContext:
capabilities:
add:
- SYS_NICE
- NET_ADMIN
- SYS_ADMIN
- IPC_LOCK
volumeMounts:
- mountPath: /var/run/openvswitch
name: host-var-run-antrea
subPath: openvswitch
- mountPath: /var/log/openvswitch
name: host-var-log-antrea
subPath: openvswitch
hostNetwork: true
initContainers:
- command:
- install_cni
image: {{ContainerImage "install-cni"}}
name: install-cni
securityContext:
capabilities:
add:
- SYS_MODULE
volumeMounts:
- mountPath: /etc/antrea/antrea-cni.conf
name: antrea-config
readOnly: true
subPath: antrea-cni.conf
- mountPath: /host/etc/cni/net.d
name: host-cni-conf
- mountPath: /host/opt/cni/bin
name: host-cni-bin
- mountPath: /lib/modules
name: host-lib-modules
readOnly: true
- mountPath: /sbin/depmod
name: host-depmod
readOnly: true
nodeSelector:
beta.kubernetes.io/os: linux
priorityClassName: system-node-critical
serviceAccountName: antrea-agent
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoSchedule
operator: Exists
volumes:
- configMap:
name: antrea-config-48gttf992h
name: antrea-config
- hostPath:
path: /etc/cni/net.d
name: host-cni-conf
- hostPath:
path: /opt/cni/bin
name: host-cni-bin
- hostPath:
path: /proc
name: host-proc
- hostPath:
path: /var/run/netns
name: host-var-run-netns
- hostPath:
path: /var/run/antrea
type: DirectoryOrCreate
name: host-var-run-antrea
- hostPath:
path: /var/log/antrea
type: DirectoryOrCreate
name: host-var-log-antrea
- hostPath:
path: /lib/modules
name: host-lib-modules
- hostPath:
path: /sbin/depmod
name: host-depmod
updateStrategy:
type: RollingUpdate
`)
func k8sContaineraddonsAntreaYamlBytes() ([]byte, error) {
return _k8sContaineraddonsAntreaYaml, nil
}
func k8sContaineraddonsAntreaYaml() (*asset, error) {
bytes, err := k8sContaineraddonsAntreaYamlBytes()
if err != nil {
return nil, err
}
info := bindataFileInfo{name: "k8s/containeraddons/antrea.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
var _k8sContaineraddonsAzureCniNetworkmonitorYaml = []byte(`apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
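Review bot: the `antrea-controller` Deployment runs with `hostNetwork: true`, declares `containerPort: 443`, and tolerates the `node-role.kubernetes.io/master` NoSchedule taint, so it can land on a master and bind host port 443 there; confirm that nothing already listening on the master host network (the API server in particular) uses 443, otherwise the controller crash-loops on bind and the agents never receive policy. Two related points in the same manifest: the agent config comment says `serviceCIDR` is required for egress policy and must equal the API server's `--service-cluster-ip-range`, yet it is rendered from the addon-level `{{ContainerConfig "serviceCidr"}}`, so a user override of the addon config silently breaks egress enforcement; sourcing it from the cluster's service CIDR, or validating the two are equal, is safer. And the `antrea-config-48gttf992h` ConfigMap keeps the upstream kustomize content hash in its name although the content is now templated per cluster, and it is managed as `EnsureExists` while every other object is `Reconcile`; after first creation addon-manager never updates it, so a later change to the rendered `serviceCidr` or a bump to a new upstream hash will not reach running pods unless the Deployment and DaemonSet references are updated in the same file. Drop the hash suffix (the file is templated at render time anyway) or document why `EnsureExists` was chosen.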
@ -32041,27 +32566,29 @@ var _k8sKubernetesparamsT = []byte(`{{if IsHostedMaster}}
"networkPolicy": {
"defaultValue": "{{.OrchestratorProfile.KubernetesConfig.NetworkPolicy}}",
"metadata": {
"description": "The network policy enforcement to use (calico|cilium); 'none' and 'azure' here for backwards compatibility"
"description": "The network policy enforcement to use (calico|cilium|antrea); 'none' and 'azure' here for backwards compatibility"
},
"allowedValues": [
"",
"none",
"azure",
"calico",
"cilium"
"cilium",
"antrea"
],
"type": "string"
},
"networkPlugin": {
"defaultValue": "{{.OrchestratorProfile.KubernetesConfig.NetworkPlugin}}",
"metadata": {
"description": "The network plugin to use for Kubernetes (kubenet|azure|flannel|cilium)"
"description": "The network plugin to use for Kubernetes (kubenet|azure|flannel|cilium|antrea)"
},
"allowedValues": [
"kubenet",
"azure",
"flannel",
"cilium"
"cilium",
"antrea"
],
"type": "string"
},
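Review bot: `antrea` is added as an allowed value for both `networkPolicy` and `networkPlugin`, but nothing in this diff shows the validation that ties the two together (the equivalent of the cilium plugin/policy pairing); please confirm where `networkPlugin: antrea` without `networkPolicy: antrea`, and the reverse, is rejected or defaulted, and add that combination to the validation tests. Note also that the `networkPolicy` value set here (`""|none|azure|calico|cilium|antrea`) differs from the one in the regenerated test fixtures further down (`none|azure|calico|cilium|flannel|antrea`); that predates this change but is worth reconciling while both lists are being touched.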
@ -38169,6 +38696,7 @@ var _bindata = map[string]func() (*asset, error){
"k8s/containeraddons/1.7/kubernetesmasteraddons-heapster-deployment.yaml": k8sContaineraddons17KubernetesmasteraddonsHeapsterDeploymentYaml,
"k8s/containeraddons/1.8/kubernetesmasteraddons-heapster-deployment.yaml": k8sContaineraddons18KubernetesmasteraddonsHeapsterDeploymentYaml,
"k8s/containeraddons/1.9/kubernetesmasteraddons-metrics-server-deployment.yaml": k8sContaineraddons19KubernetesmasteraddonsMetricsServerDeploymentYaml,
"k8s/containeraddons/antrea.yaml": k8sContaineraddonsAntreaYaml,
"k8s/containeraddons/azure-cni-networkmonitor.yaml": k8sContaineraddonsAzureCniNetworkmonitorYaml,
"k8s/containeraddons/azure-policy-deployment.yaml": k8sContaineraddonsAzurePolicyDeploymentYaml,
"k8s/containeraddons/coredns.yaml": k8sContaineraddonsCorednsYaml,
@ -38467,6 +38995,7 @@ var _bintree = &bintree{nil, map[string]*bintree{
"1.9": {nil, map[string]*bintree{
"kubernetesmasteraddons-metrics-server-deployment.yaml": {k8sContaineraddons19KubernetesmasteraddonsMetricsServerDeploymentYaml, map[string]*bintree{}},
}},
"antrea.yaml": {k8sContaineraddonsAntreaYaml, map[string]*bintree{}},
"azure-cni-networkmonitor.yaml": {k8sContaineraddonsAzureCniNetworkmonitorYaml, map[string]*bintree{}},
"azure-policy-deployment.yaml": {k8sContaineraddonsAzurePolicyDeploymentYaml, map[string]*bintree{}},
"coredns.yaml": {k8sContaineraddonsCorednsYaml, map[string]*bintree{}},

File diff not shown because of its large size.

File diff hidden because one or more lines are too long.

View file

@ -1065,11 +1065,12 @@
"azure",
"calico",
"cilium",
"flannel"
"flannel",
"antrea"
],
"defaultValue": "none",
"metadata": {
"description": "The network policy enforcement to use (none|azure|calico|cilium|flannel)"
"description": "The network policy enforcement to use (none|azure|calico|cilium|flannel|antrea)"
},
"type": "string"
},
@ -2010,4 +2011,4 @@
"value": "[reference(concat('Microsoft.Network/publicIPAddresses/', variables('masterPublicIPAddressName'))).dnsSettings.fqdn]"
}
}
}
}
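Review bot: the second hunk in this fixture (`@ -2010,4 +2011,4 @@`) removes and re-adds the final `}` with no visible content change, which is a trailing-newline change to the file; the same pattern repeats in the other regenerated fixtures below. Confirm this is the generator's new output rather than a local editor setting, otherwise every future regeneration will flip it back and add noise to unrelated PRs.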

View file

@ -1074,11 +1074,12 @@
"azure",
"calico",
"cilium",
"flannel"
"flannel",
"antrea"
],
"defaultValue": "none",
"metadata": {
"description": "The network policy enforcement to use (none|azure|calico|cilium|flannel)"
"description": "The network policy enforcement to use (none|azure|calico|cilium|flannel|antrea)"
},
"type": "string"
},
@ -2185,4 +2186,4 @@
"value": "[reference(concat('Microsoft.Network/publicIPAddresses/', variables('masterPublicIPAddressName'))).dnsSettings.fqdn]"
}
}
}
}

View file

@ -1065,11 +1065,12 @@
"azure",
"calico",
"cilium",
"flannel"
"flannel",
"antrea"
],
"defaultValue": "none",
"metadata": {
"description": "The network policy enforcement to use (none|azure|calico|cilium|flannel)"
"description": "The network policy enforcement to use (none|azure|calico|cilium|flannel|antrea)"
},
"type": "string"
},
@ -2189,4 +2190,4 @@
"value": "[reference(concat('Microsoft.Network/publicIPAddresses/', variables('masterPublicIPAddressName'))).dnsSettings.fqdn]"
}
}
}
}

View file

@ -883,11 +883,12 @@
"kubenet",
"azure",
"flannel",
"cilium"
"cilium",
"antrea"
],
"defaultValue": "azure",
"metadata": {
"description": "The network plugin to use for Kubernetes (kubenet|azure|flannel|cilium)"
"description": "The network plugin to use for Kubernetes (kubenet|azure|flannel|cilium|antrea)"
},
"type": "string"
},
@ -897,11 +898,12 @@
"none",
"azure",
"calico",
"cilium"
"cilium",
"antrea"
],
"defaultValue": "",
"metadata": {
"description": "The network policy enforcement to use (calico|cilium); 'none' and 'azure' here for backwards compatibility"
"description": "The network policy enforcement to use (calico|cilium|antrea); 'none' and 'azure' here for backwards compatibility"
},
"type": "string"
},

View file

@ -883,11 +883,12 @@
"kubenet",
"azure",
"flannel",
"cilium"
"cilium",
"antrea"
],
"defaultValue": "azure",
"metadata": {
"description": "The network plugin to use for Kubernetes (kubenet|azure|flannel|cilium)"
"description": "The network plugin to use for Kubernetes (kubenet|azure|flannel|cilium|antrea)"
},
"type": "string"
},
@ -897,11 +898,12 @@
"none",
"azure",
"calico",
"cilium"
"cilium",
"antrea"
],
"defaultValue": "",
"metadata": {
"description": "The network policy enforcement to use (calico|cilium); 'none' and 'azure' here for backwards compatibility"
"description": "The network policy enforcement to use (calico|cilium|antrea); 'none' and 'azure' here for backwards compatibility"
},
"type": "string"
},

View file

@ -883,11 +883,12 @@
"kubenet",
"azure",
"flannel",
"cilium"
"cilium",
"antrea"
],
"defaultValue": "azure",
"metadata": {
"description": "The network plugin to use for Kubernetes (kubenet|azure|flannel|cilium)"
"description": "The network plugin to use for Kubernetes (kubenet|azure|flannel|cilium|antrea)"
},
"type": "string"
},
@ -897,11 +898,12 @@
"none",
"azure",
"calico",
"cilium"
"cilium",
"antrea"
],
"defaultValue": "",
"metadata": {
"description": "The network policy enforcement to use (calico|cilium); 'none' and 'azure' here for backwards compatibility"
"description": "The network policy enforcement to use (calico|cilium|antrea); 'none' and 'azure' here for backwards compatibility"
},
"type": "string"
},

View file

@ -883,11 +883,12 @@
"kubenet",
"azure",
"flannel",
"cilium"
"cilium",
"antrea"
],
"defaultValue": "azure",
"metadata": {
"description": "The network plugin to use for Kubernetes (kubenet|azure|flannel|cilium)"
"description": "The network plugin to use for Kubernetes (kubenet|azure|flannel|cilium|antrea)"
},
"type": "string"
},
@ -897,11 +898,12 @@
"none",
"azure",
"calico",
"cilium"
"cilium",
"antrea"
],
"defaultValue": "",
"metadata": {
"description": "The network policy enforcement to use (calico|cilium); 'none' and 'azure' here for backwards compatibility"
"description": "The network policy enforcement to use (calico|cilium|antrea); 'none' and 'azure' here for backwards compatibility"
},
"type": "string"
},

View file

@ -1074,11 +1074,12 @@
"azure",
"calico",
"cilium",
"flannel"
"flannel",
"antrea"
],
"defaultValue": "none",
"metadata": {
"description": "The network policy enforcement to use (none|azure|calico|cilium|flannel)"
"description": "The network policy enforcement to use (none|azure|calico|cilium|flannel|antrea)"
},
"type": "string"
},
@ -2342,4 +2343,4 @@
"value": "[reference(concat('Microsoft.Network/publicIPAddresses/', variables('masterPublicIPAddressName'))).dnsSettings.fqdn]"
}
}
}
}

View file

@ -1062,11 +1062,12 @@
"azure",
"calico",
"cilium",
"flannel"
"flannel",
"antrea"
],
"defaultValue": "none",
"metadata": {
"description": "The network policy enforcement to use (none|azure|calico|cilium|flannel)"
"description": "The network policy enforcement to use (none|azure|calico|cilium|flannel|antrea)"
},
"type": "string"
},
@ -2133,4 +2134,4 @@
"value": "[reference(concat('Microsoft.Network/publicIPAddresses/', variables('masterPublicIPAddressName'))).dnsSettings.fqdn]"
}
}
}
}

View file

@ -1071,11 +1071,12 @@
"azure",
"calico",
"cilium",
"flannel"
"flannel",
"antrea"
],
"defaultValue": "none",
"metadata": {
"description": "The network policy enforcement to use (none|azure|calico|cilium|flannel)"
"description": "The network policy enforcement to use (none|azure|calico|cilium|flannel|antrea)"
},
"type": "string"
},
@ -2252,4 +2253,4 @@
"value": "[reference(concat('Microsoft.Network/publicIPAddresses/', variables('masterPublicIPAddressName'))).dnsSettings.fqdn]"
}
}
}
}

View file

@ -1065,11 +1065,12 @@
"azure",
"calico",
"cilium",
"flannel"
"flannel",
"antrea"
],
"defaultValue": "none",
"metadata": {
"description": "The network policy enforcement to use (none|azure|calico|cilium|flannel)"
"description": "The network policy enforcement to use (none|azure|calico|cilium|flannel|antrea)"
},
"type": "string"
},

View file

@ -1361,7 +1361,8 @@ var _ = Describe("Azure Container Cluster using the Kubernetes Orchestrator", fu
Describe("with NetworkPolicy enabled", func() {
It("should apply various network policies and enforce access to nginx pod", func() {
if eng.HasNetworkPolicy("calico") || eng.HasNetworkPolicy("azure") || eng.HasNetworkPolicy("cilium") {
if (eng.HasNetworkPolicy("calico") || eng.HasNetworkPolicy("azure") ||
eng.HasNetworkPolicy("cilium") || eng.HasNetworkPolicy("antrea")) {
nsDev, nsProd := "development", "production"
By("Creating development namespace")
namespaceDev, err := namespace.CreateIfNotExist(nsDev)
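Review bot: the wrapped condition keeps redundant parentheses around the `if` expression (`if (eng.HasNetworkPolicy("calico") || ...`), which Go style avoids; since the list has grown to four entries, replace it with a loop over `[]string{"calico", "azure", "cilium", "antrea"}` or a helper such as `eng.HasAnyNetworkPolicy(...)` so the next policy plugin touches one line and the `Skip` message in the following hunk can be built from the same list instead of being hand-edited in step.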
@ -1583,7 +1584,7 @@ var _ = Describe("Azure Container Cluster using the Kubernetes Orchestrator", fu
err = namespaceProd.Delete()
Expect(err).NotTo(HaveOccurred())
} else {
Skip("Calico or Azure network policy was not provisioned for this Cluster Definition")
Skip("Calico or Azure or Cilium or Antrea network policy was not provisioned for this Cluster Definition")
}
})
})

View file

@ -0,0 +1,46 @@
{
"env": {
},
"options": {
"allowedOrchestratorVersions": ["1.13", "1.14", "1.15", "1.16"]
},
"apiModel": {
"apiVersion": "vlabs",
"properties": {
"orchestratorProfile": {
"orchestratorType": "Kubernetes",
"kubernetesConfig": {
"networkPolicy": "antrea"
}
},
"masterProfile": {
"count": 1,
"dnsPrefix": "",
"vmSize": "Standard_D2_v3"
},
"agentPoolProfiles": [
{
"name": "agent1",
"count": 1,
"vmSize": "Standard_D2_v3",
"availabilityProfile": "VirtualMachineScaleSets",
"scalesetPriority": "Low"
}
],
"linuxProfile": {
"adminUsername": "azureuser",
"ssh": {
"publicKeys": [
{
"keyData": ""
}
]
}
},
"servicePrincipalProfile": {
"clientId": "",
"secret": ""
}
}
}
}
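Review bot: this e2e api model sets `"networkPolicy": "antrea"` but not `networkPlugin`, so the test relies on defaulting to select the Antrea CNI; make that explicit with `"networkPlugin": "antrea"`, or add a second fixture for the defaulted path, otherwise a change in defaulting silently turns this into a different test. Also `allowedOrchestratorVersions` stops at 1.16 and the single agent uses `"scalesetPriority": "Low"`, so one preempted VM fails the run; both are acceptable for an e2e job but should be called out in the PR description.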