Add EgressGroup API and Controller

This patch adds a controlplane API which provides List, Get, and Watch
interface for EgressGroups. antrea-agents consume the API to get the
Pods to which an Egress applies. Each agent only receives Pods running
on its own Node.

build/yamls/antrea-aks.yml

@@ -306,6 +306,30 @@ spec:
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
+metadata:
+  labels:
+    app: antrea
+  name: egresses.egress.antrea.tanzu.vmware.com
+spec:
+  group: egress.antrea.tanzu.vmware.com
+  names:
+    kind: Egress
+    plural: egresses
+    shortNames:
+    - eg
+    singular: egress
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        type: object
+        x-kubernetes-preserve-unknown-fields: true
+    served: true
+    storage: true
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
 metadata:
   labels:
     app: antrea
@@ -1036,6 +1060,14 @@ rules:
   - get
   - watch
   - list
+- apiGroups:
+  - controlplane.antrea.tanzu.vmware.com
+  resources:
+  - egressgroups
+  verbs:
+  - get
+  - watch
+  - list
 - apiGroups:
   - controlplane.antrea.tanzu.vmware.com
   resources:
@@ -1094,6 +1126,14 @@ rules:
   - patch
   - create
   - delete
+- apiGroups:
+  - egress.antrea.tanzu.vmware.com
+  resources:
+  - egresses
+  verbs:
+  - get
+  - watch
+  - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -1258,6 +1298,14 @@ rules:
   - get
   - watch
   - list
+- apiGroups:
+  - egress.antrea.tanzu.vmware.com
+  resources:
+  - egresses
+  verbs:
+  - get
+  - watch
+  - list
 - apiGroups:
   - core.antrea.tanzu.vmware.com
   resources:
@@ -1360,6 +1408,9 @@ data:
     # Enable collecting and exposing NetworkPolicy statistics.
     #  NetworkPolicyStats: false
 
+    # Enable controlling SNAT IPs of Pod egress traffic.
+    #  Egress: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     #ovsBridge: br-int
@@ -1508,6 +1559,9 @@ data:
     # Enable collecting and exposing NetworkPolicy statistics.
     #  NetworkPolicyStats: false
 
+    # Enable controlling SNAT IPs of Pod egress traffic.
+    #  Egress: false
+
     # The port for the antrea-controller APIServer to serve on.
     # Note that if it's set to another value, the `containerPort` of the `api` port of the
     # `antrea-controller` container must be set to the same value.
@@ -1538,7 +1592,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-h7cktb4h6k
+  name: antrea-config-b45h5tckch
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1658,7 +1712,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-h7cktb4h6k
+          name: antrea-config-b45h5tckch
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1922,7 +1976,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-h7cktb4h6k
+          name: antrea-config-b45h5tckch
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-eks.yml

@@ -306,6 +306,30 @@ spec:
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
+metadata:
+  labels:
+    app: antrea
+  name: egresses.egress.antrea.tanzu.vmware.com
+spec:
+  group: egress.antrea.tanzu.vmware.com
+  names:
+    kind: Egress
+    plural: egresses
+    shortNames:
+    - eg
+    singular: egress
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        type: object
+        x-kubernetes-preserve-unknown-fields: true
+    served: true
+    storage: true
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
 metadata:
   labels:
     app: antrea
@@ -1036,6 +1060,14 @@ rules:
   - get
   - watch
   - list
+- apiGroups:
+  - controlplane.antrea.tanzu.vmware.com
+  resources:
+  - egressgroups
+  verbs:
+  - get
+  - watch
+  - list
 - apiGroups:
   - controlplane.antrea.tanzu.vmware.com
   resources:
@@ -1094,6 +1126,14 @@ rules:
   - patch
   - create
   - delete
+- apiGroups:
+  - egress.antrea.tanzu.vmware.com
+  resources:
+  - egresses
+  verbs:
+  - get
+  - watch
+  - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -1258,6 +1298,14 @@ rules:
   - get
   - watch
   - list
+- apiGroups:
+  - egress.antrea.tanzu.vmware.com
+  resources:
+  - egresses
+  verbs:
+  - get
+  - watch
+  - list
 - apiGroups:
   - core.antrea.tanzu.vmware.com
   resources:
@@ -1360,6 +1408,9 @@ data:
     # Enable collecting and exposing NetworkPolicy statistics.
     #  NetworkPolicyStats: false
 
+    # Enable controlling SNAT IPs of Pod egress traffic.
+    #  Egress: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     #ovsBridge: br-int
@@ -1508,6 +1559,9 @@ data:
     # Enable collecting and exposing NetworkPolicy statistics.
     #  NetworkPolicyStats: false
 
+    # Enable controlling SNAT IPs of Pod egress traffic.
+    #  Egress: false
+
     # The port for the antrea-controller APIServer to serve on.
     # Note that if it's set to another value, the `containerPort` of the `api` port of the
     # `antrea-controller` container must be set to the same value.
@@ -1538,7 +1592,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-h7cktb4h6k
+  name: antrea-config-b45h5tckch
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1658,7 +1712,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-h7cktb4h6k
+          name: antrea-config-b45h5tckch
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1924,7 +1978,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-h7cktb4h6k
+          name: antrea-config-b45h5tckch
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-gke.yml

@@ -306,6 +306,30 @@ spec:
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
+metadata:
+  labels:
+    app: antrea
+  name: egresses.egress.antrea.tanzu.vmware.com
+spec:
+  group: egress.antrea.tanzu.vmware.com
+  names:
+    kind: Egress
+    plural: egresses
+    shortNames:
+    - eg
+    singular: egress
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        type: object
+        x-kubernetes-preserve-unknown-fields: true
+    served: true
+    storage: true
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
 metadata:
   labels:
     app: antrea
@@ -1036,6 +1060,14 @@ rules:
   - get
   - watch
   - list
+- apiGroups:
+  - controlplane.antrea.tanzu.vmware.com
+  resources:
+  - egressgroups
+  verbs:
+  - get
+  - watch
+  - list
 - apiGroups:
   - controlplane.antrea.tanzu.vmware.com
   resources:
@@ -1094,6 +1126,14 @@ rules:
   - patch
   - create
   - delete
+- apiGroups:
+  - egress.antrea.tanzu.vmware.com
+  resources:
+  - egresses
+  verbs:
+  - get
+  - watch
+  - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -1258,6 +1298,14 @@ rules:
   - get
   - watch
   - list
+- apiGroups:
+  - egress.antrea.tanzu.vmware.com
+  resources:
+  - egresses
+  verbs:
+  - get
+  - watch
+  - list
 - apiGroups:
   - core.antrea.tanzu.vmware.com
   resources:
@@ -1360,6 +1408,9 @@ data:
     # Enable collecting and exposing NetworkPolicy statistics.
     #  NetworkPolicyStats: false
 
+    # Enable controlling SNAT IPs of Pod egress traffic.
+    #  Egress: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     #ovsBridge: br-int
@@ -1508,6 +1559,9 @@ data:
     # Enable collecting and exposing NetworkPolicy statistics.
     #  NetworkPolicyStats: false
 
+    # Enable controlling SNAT IPs of Pod egress traffic.
+    #  Egress: false
+
     # The port for the antrea-controller APIServer to serve on.
     # Note that if it's set to another value, the `containerPort` of the `api` port of the
     # `antrea-controller` container must be set to the same value.
@@ -1538,7 +1592,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-ck9cm44gbk
+  name: antrea-config-g45k8dcmg8
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1658,7 +1712,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-ck9cm44gbk
+          name: antrea-config-g45k8dcmg8
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1925,7 +1979,7 @@ spec:
           path: /home/kubernetes/bin
         name: host-cni-bin
       - configMap:
-          name: antrea-config-ck9cm44gbk
+          name: antrea-config-g45k8dcmg8
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d