Support EndpointSlice in AntreaProxy

The EndpointSlice API version that AntreaProxy supports is v1beta1 for
now, and other EndpointSlice API versions are not supported. Endpoint
condition Serving,Terminating as well as ServiceTopology is not
supported in this commit.

Makefile

@@ -152,6 +152,7 @@ endif
 		-v $(CURDIR)/.coverage:/usr/src/github.com/vmware-tanzu/antrea/.coverage \
 		-v $(CURDIR):/usr/src/github.com/vmware-tanzu/antrea:ro \
 		-v /lib/modules:/lib/modules \
+		--sysctl net.ipv6.conf.all.disable_ipv6=0 \
 		antrea/test test-integration $(USERID) $(GRPID)
 
 .PHONY: docker-tidy

build/yamls/antrea-aks.yml

@@ -989,6 +989,14 @@ rules:
   - get
   - watch
   - list
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - watch
+  - list
 - apiGroups:
   - clusterinformation.antrea.tanzu.vmware.com
   resources:
@@ -1283,6 +1291,11 @@ data:
     # Service traffic.
     #  AntreaProxy: true
 
+    # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice
+    # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled,
+    # this flag will not take effect.
+    #  EndpointSlice: false
+
     # Enable traceflow which provides packet tracing feature to diagnose network issue.
     #  Traceflow: true
 
@@ -1393,15 +1406,6 @@ data:
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
     #kubeAPIServerOverride: ""
-
-    # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
-    # https://golang.org/pkg/crypto/tls/#pkg-constants
-    # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
-    # prefer TLS1.3 Cipher Suites whenever possible.
-    #tlsCipherSuites:
-
-    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
-    #tlsMinVersion:
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -1467,7 +1471,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-gt6f55df69
+  name: antrea-config-824k5kcghd
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1578,7 +1582,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-gt6f55df69
+          name: antrea-config-824k5kcghd
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1842,7 +1846,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-gt6f55df69
+          name: antrea-config-824k5kcghd
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-eks.yml

@@ -989,6 +989,14 @@ rules:
   - get
   - watch
   - list
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - watch
+  - list
 - apiGroups:
   - clusterinformation.antrea.tanzu.vmware.com
   resources:
@@ -1283,6 +1291,11 @@ data:
     # Service traffic.
     #  AntreaProxy: true
 
+    # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice
+    # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled,
+    # this flag will not take effect.
+    #  EndpointSlice: false
+
     # Enable traceflow which provides packet tracing feature to diagnose network issue.
     #  Traceflow: true
 
@@ -1467,7 +1480,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-gt6f55df69
+  name: antrea-config-824k5kcghd
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1578,7 +1591,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-gt6f55df69
+          name: antrea-config-824k5kcghd
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1844,7 +1857,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-gt6f55df69
+          name: antrea-config-824k5kcghd
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-gke.yml

@@ -989,6 +989,14 @@ rules:
   - get
   - watch
   - list
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - watch
+  - list
 - apiGroups:
   - clusterinformation.antrea.tanzu.vmware.com
   resources:
@@ -1283,6 +1291,11 @@ data:
     # Service traffic.
     #  AntreaProxy: true
 
+    # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice
+    # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled,
+    # this flag will not take effect.
+    #  EndpointSlice: false
+
     # Enable traceflow which provides packet tracing feature to diagnose network issue.
     #  Traceflow: true
 
@@ -1467,7 +1480,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-56ghk45g94
+  name: antrea-config-bmt74b6652
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1578,7 +1591,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-56ghk45g94
+          name: antrea-config-bmt74b6652
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1845,7 +1858,7 @@ spec:
           path: /home/kubernetes/bin
         name: host-cni-bin
       - configMap:
-          name: antrea-config-56ghk45g94
+          name: antrea-config-bmt74b6652
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-ipsec.yml

@@ -989,6 +989,14 @@ rules:
   - get
   - watch
   - list
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - watch
+  - list
 - apiGroups:
   - clusterinformation.antrea.tanzu.vmware.com
   resources:
@@ -1283,6 +1291,11 @@ data:
     # Service traffic.
     #  AntreaProxy: true
 
+    # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice
+    # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled,
+    # this flag will not take effect.
+    #  EndpointSlice: false
+
     # Enable traceflow which provides packet tracing feature to diagnose network issue.
     #  Traceflow: true
 
@@ -1472,7 +1485,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-c5f94kkkd9
+  name: antrea-config-6k75ft5467
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1592,7 +1605,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-c5f94kkkd9
+          name: antrea-config-6k75ft5467
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1891,7 +1904,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-c5f94kkkd9
+          name: antrea-config-6k75ft5467
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea.yml

@@ -989,6 +989,14 @@ rules:
   - get
   - watch
   - list
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - watch
+  - list
 - apiGroups:
   - clusterinformation.antrea.tanzu.vmware.com
   resources:
@@ -1283,6 +1291,11 @@ data:
     # Service traffic.
     #  AntreaProxy: true
 
+    # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice
+    # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled,
+    # this flag will not take effect.
+    #  EndpointSlice: false
+
     # Enable traceflow which provides packet tracing feature to diagnose network issue.
     #  Traceflow: true
 
@@ -1398,15 +1411,6 @@ data:
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
     #kubeAPIServerOverride: ""
-
-    # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
-    # https://golang.org/pkg/crypto/tls/#pkg-constants
-    # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
-    # prefer TLS1.3 Cipher Suites whenever possible.
-    #tlsCipherSuites:
-
-    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
-    #tlsMinVersion:
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -1472,7 +1476,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-6h4c4bttfd
+  name: antrea-config-t9975t2t7c
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1583,7 +1587,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-6h4c4bttfd
+          name: antrea-config-t9975t2t7c
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1847,7 +1851,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-6h4c4bttfd
+          name: antrea-config-t9975t2t7c
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/base/agent-rbac.yml

@@ -36,6 +36,14 @@ rules:
       - get
       - watch
       - list
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - get
+      - watch
+      - list
   - apiGroups:
       - clusterinformation.antrea.tanzu.vmware.com
     resources:

build/yamls/base/conf/antrea-agent.conf

@@ -5,6 +5,11 @@ featureGates:
 # Service traffic.
 #  AntreaProxy: true
 
+# Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice
+# API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled,
+# this flag will not take effect.
+#  EndpointSlice: false
+
 # Enable traceflow which provides packet tracing feature to diagnose network issue.
 #  Traceflow: true
 

ci/kind/test-e2e-kind.sh

@@ -25,6 +25,7 @@ function echoerr {
 _usage="Usage: $0 [--encap-mode <mode>] [--no-proxy] [--np] [--coverage] [--help|-h]
         --encap-mode                  Traffic encapsulation mode. (default is 'encap')
         --no-proxy                    Disables Antrea proxy.
+        --endpointslice               Enables Antrea proxy and EndpointSlice support
         --np                          Enables Namespaced Antrea NetworkPolicy CRDs and ClusterNetworkPolicy related CRDs.
         --coverage                    Enables measure Antrea code coverage when run e2e tests on kind.
         --help, -h                    Print this message and exit
@@ -49,6 +50,7 @@ trap "quit" INT EXIT
 
 mode=""
 proxy=true
+endpointslice=false
 np=false
 coverage=false
 while [[ $# -gt 0 ]]
@@ -60,6 +62,10 @@ case $key in
     proxy=false
     shift
     ;;
+    --endpointslice)
+    endpointslice=true
+    shift
+    ;;
     --np)
     np=true
     shift
@@ -87,6 +93,9 @@ manifest_args=""
 if ! $proxy; then
     manifest_args="$manifest_args --no-proxy"
 fi
+if $endpointslice; then
+    manifest_args="$manifest_args --endpointslice"
+fi
 if $np; then
     # See https://github.com/vmware-tanzu/antrea/issues/897
     manifest_args="$manifest_args --np --tun vxlan"

cmd/antrea-agent/agent.go

@@ -187,6 +187,7 @@ func run(o *Options) error {
 	}
 
 	var proxier k8sproxy.Provider
+
 	if features.DefaultFeatureGate.Enabled(features.AntreaProxy) {
 		v4Enabled := config.IsIPv4Enabled(nodeConfig, networkConfig.TrafficEncapMode)
 		v6Enabled := config.IsIPv6Enabled(nodeConfig, networkConfig.TrafficEncapMode)