diff --git a/README.md b/README.md index f52134df2c3..3d43290cb1a 100644 --- a/README.md +++ b/README.md @@ -88,10 +88,16 @@ Also check out [@ProjectAntrea](https://twitter.com/ProjectAntrea) on Twitter! on your infrastructure and use case. * **Comprehensive policy model**: Antrea provides a comprehensive network policy model, which builds upon Kubernetes Network Policies with new features such as - policy tiering, rule priorities and cluster-level policies. + policy tiering, rule priorities and cluster-level policies. Refer to the + [Antrea Network Policy documentation](docs/antrea-network-policy.md) for a + full list of features. * **Windows Node support**: Thanks to the portability of Open vSwitch, Antrea can use the same data plane implementation on both Linux and Windows Kubernetes Nodes. +* **Multi-cluster networking**: Federate multiple Kubernetes clusters and + benefit from a unified data plane (including multi-cluster Services) and a + unified security posture. Refer to the [Antrea Multi-cluster documentation](docs/multicluster/user-guide.md) + to get started. * **Troubleshooting and monitoring tools**: Antrea comes with CLI and UI tools which provide visibility and diagnostics capabilities (packet tracing, policy analysis, flow inspection). It exposes Prometheus metrics and supports diff --git a/ROADMAP.md b/ROADMAP.md index 64eccf955fa..e831599c6d9 100644 --- a/ROADMAP.md +++ b/ROADMAP.md 
@@ -8,73 +8,118 @@ not listed now does not mean it will not be considered for Antrea. We definitely welcome suggestions and ideas from everyone about the roadmap and Antrea features. Reach us through Issues, Slack and / or Google Group! -## Planned Features - -The following features are considered for the near future: - -* **Windows support improvements** -Antrea [supports Windows K8s Node](docs/windows.md) since version 0.7.0. -However, a few features including: Egress, NodePortLocal, IPsec encryption are -not supported for Windows Node yet. We will continue to add more features for -Windows, and improve Antrea Agent and OVS installation on Windows Nodes. - -* **Antrea NetworkPolicy enhancements** -Antrea added support for [Antrea-native policies](docs/antrea-network-policy.md) -in addition to K8s NetworkPolicy since version 0.8.0, and already supports -Antrea (Namespace scoped) NetworkPolicy, ClusterNetworkPolicy, ClusterGroup, -Tier, and features including traffic statistics, traffic logging, policy -realization status, `Drop` and `Reject` actions, policy priority, `AppliedTo` -at rule level, Namespace isolation, FQDN and Service as egress rule destination. -We will continue to add more advanced NetworkPolicy features. - -* **Network diagnostics and observability** -Network diagnostics and observability is one area we want to focus on. Antrea -already implements some useful features on this front, including the [Antrea -UI](https://github.com/antrea-io/antrea-ui), [CLI](docs/antctl.md), -[Traceflow](docs/traceflow-guide.md), [network flow export and -visualization](docs/network-flow-visibility.md), [Prometheus -metrics](docs/prometheus-integration.md), [OVS flow -dumping](docs/antctl.md#dumping-ovs-flows) and [packet -tracing](docs/antctl.md#ovs-packet-tracing), [NetworkPolicy -diagnostics](docs/antctl.md#networkpolicy-commands). 
We will continue to enhance -existing features and add new features to help diagnose K8s networking and -NetworkPolicy implementation, and to provide good visibility into the Antrea -network. - -* **NFV and Telco use cases** -We plan to explore and provide support for NFV and Telco use cases. We will add -native Pod multi-interface support in Antrea, and support Pod interfaces on -SRIOV devices, OVS DPDK bridge, overlay network, and Network Service Chaining. - -* **L7 security policy and visibility** -Enhance Antrea to provide application level security and visibility to K8s -workloads. This includes extending Antrea-native NetworkPolicies to support L7 / -application protocols (HTTP, DNS, etc.), and extending Antrea diagnostics and -observability features to get into application level visibility. - -* **Multi-cluster networking** -We would extend Antrea from CNI of a single Kubernetes cluster to multi-cluster -networking, and implement multi-cluster features like multi-cluster Services, -cross-cluster connectivity, multi-cluster NetworkPolicies. Antrea multi-cluster -functionalities are under active development. Check the [Antrea Multi-cluster -user guide](docs/multicluster/user-guide.md) to learn what features are already -supported. - -* **Analytics** -With the network flows exported by Antrea, we plan to further build an analytics -solution that consumes the network flows, and provides traffic analysis, -NetworkPolicy recommendation, security and network performance monitoring. We -already started a sub-project of Antrea - [Theia](https://github.com/antrea-io/theia) - -for network flow visibility and analytics. Stay tunned! - -* **K8s Node security** -So far Antrea focuses on K8s Pod networking and security, but we would like to -extend Antrea-native NetworkPolicies to cover protection of K8s Nodes too. 
- -* **NetworkPolicy scale and performance tests** -Evaluate and benchmark the NetworkPolicy implementation performance at a large -scale, including the policy computation performance of Antrea Controller and the -OVS datapath performance. - -* **OVS with DPDK or AF_XDP** -Leverage OVS with DPDK or AF_XDP for high performance. +## Roadmap Items + +### Antrea v2 + +Antrea [version 2](https://github.com/antrea-io/antrea/issues/4832) is coming in +2024. We are graduating some popular features to Beta or GA, deprecating some +legacy APIs, dropping support for old K8s versions (< 1.19) to improve support +for newer ones, and more! This is a big milestone for the project, stay tuned! + +### K8s Node security + +So far Antrea has focused on K8s Pod networking and security, but we would like +to extend Antrea-native NetworkPolicies to cover protection of K8s Nodes +too. There is ongoing work for this, so expect this feature very soon! + +### Quality of life improvements for installation and upgrade + +We have a few things planned to improve basic usability: + +* provide separate container images for the Agent and Controller: this will + reduce image size and speed up deployment of new Antrea versions. +* support for installation and upgrade using the antctl CLI: this will provide + an alternative installation method and antctl will ensure that Antrea + components are upgraded in the right order to minimize workload disruption. +* CLI tools to facilitate migration from another CNI: we will take care of + provisioning the correct network resources for your existing workloads. + +### Core networking features + +We are currently working on supporting VLAN tagging for Egress traffic. In the +long term, we plan to add BGP support to the Antrea Agent, as it is a much +requested feature. + +### Windows support improvements + +Antrea [supports Windows K8s Nodes](docs/windows.md). 
However, a few features +including: Egress, NodePortLocal, IPsec encryption are not supported for Windows +yet. We will continue to add more features for Windows (starting with Egress) +and aim for feature parity with Linux. We encourage users to reach out if they +would like us to prioritize a specific feature. While the installation procedure +has improved significantly since we first added Windows support, we plan to keep +on streamlining the procedure (more automation) and on improving the user +documentation. + +### More robust FQDN support in Antrea NetworkPolicy + +Antrea provides a comprehensive network policy model, which builds upon K8s +Network Policies and provides many additional capabilities. One of them is the +ability to define policy rules using domain names (FQDNs). We think there is +some room to improve user experience with this feature, and we are working on +making it more stable. + +### Implementation of new upstream NetworkPolicy APIs + +[SIG Network](https://github.com/kubernetes/community/tree/master/sig-network) +is working on [new standard APIs](https://network-policy-api.sigs.k8s.io/) to +extend the base K8s NetworkPolicy resource. We are closely monitoring the +upstream work and implementing these APIs as their development matures. + +### Better network troubleshooting with packet capture + +Antrea comes with many tools for network diagnostics and observability. You may +already be familiar with Traceflow, which lets you trace a single packet through +the Antrea network. We plan on also providing users with the ability to capture +live traffic and export it in PCAP format. Think tcpdump, but for K8s and +through a dedicated Antrea API! + +### Multi-network support for Pods + +We recently added the SecondaryNetwork feature, which supports provisioning +additional networks for Pods, using the same constructs made popular by +[Multus](https://github.com/k8snetworkplumbingwg/multus-cni). 
However, at the +moment, options for network "types" are limited. We plan on supporting new use +cases (e.g., secondary network overlays, network acceleration with DPDK), as +well as on improving user experience for this feature (with some useful +documentation). + +### L7 security policy + +Support for L7 NetworkPolicies was added in version 1.10, providing the ability +to select traffic based on the application-layer context. However, the feature +currently only supports HTTP and TLS traffic, and we plan to extend support to +other protocols, such as DNS. + +### Multi-cluster networking + +Antrea can federate multiple K8s clusters, but this feature (introduced in +version 1.7) is still considered Alpha today. Most of the functionality is +already there (multi-cluster Services, cross-cluster connectivity, +and multi-cluster NetworkPolicies), but we think there is some room for +improvement when it comes to stability and usability. + +### NetworkPolicy scale and performance tests + +We are working on a framework to empower contributors and users to benchmark the +performance of Antrea at scale. + +### Investigate better integration with service meshes + +As service meshes start introducing alternatives to the sidecar approach, +we believe there is an opportunity to improve the synergy between the K8s +network plugin and the service mesh provider. In particular, we are looking at +how Antrea can integrate with the new Istio ambient data plane mode. Take a look +at [#5682](https://github.com/antrea-io/antrea/issues/5682) for more +information. 
+ +### Investigate multiple replicas for the Controller + +While today the Antrea Controller can scale to 1000s of K8s Nodes and 100,000 +Pods, and failover to a new replica in case of failure can happen in under a +minute, we believe we should still investigate the possibility of deploying +multiple replicas for the Controller (Active-Active or Active-Standby), to +enable horizontal scaling and achieve high-availability with very quick +failover. Horizontal scaling could help reduce the memory footprint of each +Controller instance for very large K8s clusters.
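Review bot: in the README.md hunk, the new "Multi-cluster networking" bullet promises "a unified security posture" without qualification, while the ROADMAP.md hunk in this same patch says the multi-cluster feature "is still considered Alpha today"; add a short status qualifier to the README bullet so the feature list and the roadmap tell users the same thing. Also, the line "unified security posture. Refer to the [Antrea Multi-cluster documentation](docs/multicluster/user-guide.md)" runs well past the 80-column wrap that the surrounding bullets follow; rewrap it the way the "Refer to the / [Antrea Network Policy documentation](docs/antrea-network-policy.md) for a" lines just above are split.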
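Review bot: in the ROADMAP.md hunk, the "Analytics" item (flow analytics via the Theia sub-project) is removed without any replacement, whereas every other removed item (Windows, L7, multi-cluster, scale tests, Node security) reappears under "## Roadmap Items"; if that work is now tracked in Theia, a one-line pointer to it would keep readers from reading the removal as abandonment. The "K8s Node security" section says to "expect this feature very soon" but, unlike the "Antrea v2" and service mesh sections, links no tracking issue; add one so users can follow the work. Minor: "a few features including: Egress, NodePortLocal, IPsec encryption" carries over the stray colon after "including" from the old text and could be cleaned up while the paragraph is being rewritten.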