From 3a3f6510c1d56f223b44cf03a0502f511119a0cd Mon Sep 17 00:00:00 2001 From: Antonin Bas Date: Fri, 15 Dec 2023 18:31:18 -0800 Subject: [PATCH 1/3] Update ROADMAP Based on discussion with other maintainers Signed-off-by: Antonin Bas --- README.md | 8 ++- ROADMAP.md | 185 +++++++++++++++++++++++++++++++++-------------------- 2 files changed, 122 insertions(+), 71 deletions(-) diff --git a/README.md b/README.md index f52134df2c3..d1b22c23678 100644 --- a/README.md +++ b/README.md @@ -88,10 +88,16 @@ Also check out [@ProjectAntrea](https://twitter.com/ProjectAntrea) on Twitter! on your infrastructure and use case. * **Comprehensive policy model**: Antrea provides a comprehensive network policy model, which builds upon Kubernetes Network Policies with new features such as - policy tiering, rule priorities and cluster-level policies. + policy tiering, rule priorities and cluster-level policies. Refer to the + [Antrea Network Policy documentation](docs/antrea-network-policy.md) for a + full list of features. * **Windows Node support**: Thanks to the portability of Open vSwitch, Antrea can use the same data plane implementation on both Linux and Windows Kubernetes Nodes. +* **Multi-cluster networking**: Federate multiple K8s clusters and benefit from + a unified data plane (including multi-cluster Services) and a unified security + posture. Refer to the [multi-cluster documentation](docs/multicluster/user-guide.md) + to get started. * **Troubleshooting and monitoring tools**: Antrea comes with CLI and UI tools which provide visibility and diagnostics capabilities (packet tracing, policy analysis, flow inspection). It exposes Prometheus metrics and supports diff --git a/ROADMAP.md b/ROADMAP.md index 64eccf955fa..bb749e10e43 100644 --- a/ROADMAP.md +++ b/ROADMAP.md @@ -8,73 +8,118 @@ not listed now does not mean it will not be considered for Antrea. We definitely welcome suggestions and ideas from everyone about the roadmap and Antrea features. Reach us through Issues, Slack and / or Google Group! -## Planned Features - -The following features are considered for the near future: - -* **Windows support improvements** -Antrea [supports Windows K8s Node](docs/windows.md) since version 0.7.0. -However, a few features including: Egress, NodePortLocal, IPsec encryption are -not supported for Windows Node yet. We will continue to add more features for -Windows, and improve Antrea Agent and OVS installation on Windows Nodes. - -* **Antrea NetworkPolicy enhancements** -Antrea added support for [Antrea-native policies](docs/antrea-network-policy.md) -in addition to K8s NetworkPolicy since version 0.8.0, and already supports -Antrea (Namespace scoped) NetworkPolicy, ClusterNetworkPolicy, ClusterGroup, -Tier, and features including traffic statistics, traffic logging, policy -realization status, `Drop` and `Reject` actions, policy priority, `AppliedTo` -at rule level, Namespace isolation, FQDN and Service as egress rule destination. -We will continue to add more advanced NetworkPolicy features. - -* **Network diagnostics and observability** -Network diagnostics and observability is one area we want to focus on. Antrea -already implements some useful features on this front, including the [Antrea -UI](https://github.com/antrea-io/antrea-ui), [CLI](docs/antctl.md), -[Traceflow](docs/traceflow-guide.md), [network flow export and -visualization](docs/network-flow-visibility.md), [Prometheus -metrics](docs/prometheus-integration.md), [OVS flow -dumping](docs/antctl.md#dumping-ovs-flows) and [packet -tracing](docs/antctl.md#ovs-packet-tracing), [NetworkPolicy -diagnostics](docs/antctl.md#networkpolicy-commands). We will continue to enhance -existing features and add new features to help diagnose K8s networking and -NetworkPolicy implementation, and to provide good visibility into the Antrea -network. - -* **NFV and Telco use cases** -We plan to explore and provide support for NFV and Telco use cases. We will add -native Pod multi-interface support in Antrea, and support Pod interfaces on -SRIOV devices, OVS DPDK bridge, overlay network, and Network Service Chaining. - -* **L7 security policy and visibility** -Enhance Antrea to provide application level security and visibility to K8s -workloads. This includes extending Antrea-native NetworkPolicies to support L7 / -application protocols (HTTP, DNS, etc.), and extending Antrea diagnostics and -observability features to get into application level visibility. - -* **Multi-cluster networking** -We would extend Antrea from CNI of a single Kubernetes cluster to multi-cluster -networking, and implement multi-cluster features like multi-cluster Services, -cross-cluster connectivity, multi-cluster NetworkPolicies. Antrea multi-cluster -functionalities are under active development. Check the [Antrea Multi-cluster -user guide](docs/multicluster/user-guide.md) to learn what features are already -supported. - -* **Analytics** -With the network flows exported by Antrea, we plan to further build an analytics -solution that consumes the network flows, and provides traffic analysis, -NetworkPolicy recommendation, security and network performance monitoring. We -already started a sub-project of Antrea - [Theia](https://github.com/antrea-io/theia) - -for network flow visibility and analytics. Stay tunned! - -* **K8s Node security** -So far Antrea focuses on K8s Pod networking and security, but we would like to -extend Antrea-native NetworkPolicies to cover protection of K8s Nodes too. - -* **NetworkPolicy scale and performance tests** -Evaluate and benchmark the NetworkPolicy implementation performance at a large -scale, including the policy computation performance of Antrea Controller and the -OVS datapath performance. - -* **OVS with DPDK or AF_XDP** -Leverage OVS with DPDK or AF_XDP for high performance. +## Roadmap Items + +### Antrea v2 + +Antrea [version 2](https://github.com/antrea-io/antrea/issues/4832) is coming in +2024. We are graduating some popular features to Beta or GA, deprecating some +legacy APIs, droppping support for old K8s versions (< 1.19) to improve support +for newer ones, and more! This is a big milestone for the project, stay tuned! + +### K8s Node security + +So far Antrea has focused on K8s Pod networking and security, but we would like +to extend Antrea-native NetworkPolicies to cover protection of K8s Nodes +too. There is ongoing work for this, so expect this feature very soon! + +### Quality of life improvements for installation and upgrade + +We have a few things planned to improve basic usability: + +* provide separate container images for the Agent and Controller: this will + reduce image size and speed up deployment of new Antrea versions. +* support for installation and upgrade using the antctl CLI: this will provide + an alternative installation method and antctl will ensure that Antrea + components are upgraded in the right order to minimize workload disruption. +* CLI tools to facilitate migration from another CNI: we will take care of + provisioning the correct network resources for your existing workloads. + +### Core networking features + +We are currently working on supporting VLAN tagging for Egress traffic. In the +long term, we plan to add BGP support to the Antrea Agent, as it is a much +requested feature. + +### Windows support improvements + +Antrea [supports Windows K8s Nodes](docs/windows.md). However, a few features +including: Egress, NodePortLocal, IPsec encryption are not supported for Windows +yet. We will continue to add more features for Windows (starting with Egress) +and aim for feature parity with Linux. We encourage users to reach out if they +would like us to prioritize a specific feature. While the installation procedure +has improved significantly since we first added Windows support, we plan to keep +on streamlining the procedure (more automation) and on improving the user +documentation. + +### More robust FQDN support in Antrea NetworkPolicy + +Antrea provides a comprehensive network policy model, which builds upon +Kubernetes Network Policies and provides many additional capabilities. One of +them is the ability to define policy rules using domain names (FQDNs). We think +there is some room to improve user experience with this feature, and we are +working on making it more stable. + +### Implementation of new upstream NetworkPolicy APIs + +[SIG Network](https://github.com/kubernetes/community/tree/master/sig-network) +is working on [new standard APIs](https://network-policy-api.sigs.k8s.io/) to +extend the base K8s NetworkPolicy resource. We are closely monitoring the +upstream work and implementing these APIs as their development matures. + +### Better network troubleshooting with packet capture + +Antrea comes with many tools for network diagnostics and observability. You may +already be familiar with Traceflow, which lets you trace a single packet through +the Antrea network. We plan on also providing users with the ability to capture +live traffic and export it in PCAP format. Think tcpdump, but for K8s and +through a dedicated Antrea API! + +### Multi-network support for Pods + +We recently added the SecondaryNetwork feature, which supports provisioning +additional networks for Pods, using the same constructs made popular by +[Multus](https://github.com/k8snetworkplumbingwg/multus-cni). However, at the +moment, options for network "types" are limited. We plan on supporting new uses +cases (e.g., secondary network overlays, network acceleration with DPDK), as +well as on improving user experience for this feature (with some useful +documentation). + +### L7 security policy + +Support for L7 NetworkPolicies was added in version 1.10, providing the ability +to select traffic based on the application-layer context. However, the feature +currently only supports HTTP traffic, and we plan to extend support to other +protocols, such as DNS. + +### Multi-cluster networking + +Antrea can federate multiple K8s clusters, but this feature (introduced in +version 1.7) is still considered Alpha today. Most of the functionality is +already there (multi-cluster Services, cross-cluster connectivity, +and multi-cluster NetworkPolicies), but we think there is some room for +improvement when it comes to stability and usability. + +### NetworkPolicy scale and performance tests + +We are working on a framework to empower contributors and users to benchmark the +performance of Antrea at scale. + +### Investigate better integration with service meshes + +As service meshes start introducing alternatives to the sidecar approach, +we believe there is an opportunity to improve the synergy between the K8s +network plugin and the service mesh provider. In particular, we are looking at +how Antrea can integrate with the new Istio ambient data plane mode. Take a look +at [#5682](https://github.com/antrea-io/antrea/issues/5682) for more +information. + +### Investigate multiple replicas for the Controller + +While today the Antrea Controller can scale to 1000s of K8s Nodes and 100,000 +Pods, and failover to a new replica in case of failure can happen in under a +minute, we believe we should still investigate the possibility of deploying +multiple replicas for the Controller (Active-Active or Active-Standby), to +enable horizontal scaling and achieve high-availability with very quick +failover. Horizontal scaling could help reduce the memory footprint of each +Controller instance for very large K8s clusters. From 8865220768b96cf7823fb291d850e264b4225228 Mon Sep 17 00:00:00 2001 From: Antonin Bas Date: Mon, 18 Dec 2023 14:05:05 -0800 Subject: [PATCH 2/3] Address review comments Signed-off-by: Antonin Bas --- README.md | 2 +- ROADMAP.md | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index d1b22c23678..2024aa191c7 100644 --- a/README.md +++ b/README.md @@ -96,7 +96,7 @@ Also check out [@ProjectAntrea](https://twitter.com/ProjectAntrea) on Twitter! Kubernetes Nodes. * **Multi-cluster networking**: Federate multiple K8s clusters and benefit from a unified data plane (including multi-cluster Services) and a unified security - posture. Refer to the [multi-cluster documentation](docs/multicluster/user-guide.md) + posture. Refer to the [Antrea Multi-cluster documentation](docs/multicluster/user-guide.md) to get started. * **Troubleshooting and monitoring tools**: Antrea comes with CLI and UI tools which provide visibility and diagnostics capabilities (packet tracing, policy diff --git a/ROADMAP.md b/ROADMAP.md index bb749e10e43..bacc55dd031 100644 --- a/ROADMAP.md +++ b/ROADMAP.md @@ -14,7 +14,7 @@ features. Reach us through Issues, Slack and / or Google Group! Antrea [version 2](https://github.com/antrea-io/antrea/issues/4832) is coming in 2024. We are graduating some popular features to Beta or GA, deprecating some -legacy APIs, droppping support for old K8s versions (< 1.19) to improve support +legacy APIs, dropping support for old K8s versions (< 1.19) to improve support for newer ones, and more! This is a big milestone for the project, stay tuned! ### K8s Node security @@ -80,7 +80,7 @@ through a dedicated Antrea API! We recently added the SecondaryNetwork feature, which supports provisioning additional networks for Pods, using the same constructs made popular by [Multus](https://github.com/k8snetworkplumbingwg/multus-cni). However, at the -moment, options for network "types" are limited. We plan on supporting new uses +moment, options for network "types" are limited. We plan on supporting new use cases (e.g., secondary network overlays, network acceleration with DPDK), as well as on improving user experience for this feature (with some useful documentation). @@ -89,8 +89,8 @@ documentation). Support for L7 NetworkPolicies was added in version 1.10, providing the ability to select traffic based on the application-layer context. However, the feature -currently only supports HTTP traffic, and we plan to extend support to other -protocols, such as DNS. +currently only supports HTTP and TLS traffic, and we plan to extend support to +other protocols, such as DNS. ### Multi-cluster networking From 6e0b97efe18ca3a837f1719b40a12da4e7b64c3e Mon Sep 17 00:00:00 2001 From: Antonin Bas Date: Mon, 18 Dec 2023 18:32:58 -0800 Subject: [PATCH 3/3] Address review comments Signed-off-by: Antonin Bas --- README.md | 6 +++--- ROADMAP.md | 10 +++++----- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 2024aa191c7..3d43290cb1a 100644 --- a/README.md +++ b/README.md @@ -94,9 +94,9 @@ Also check out [@ProjectAntrea](https://twitter.com/ProjectAntrea) on Twitter! * **Windows Node support**: Thanks to the portability of Open vSwitch, Antrea can use the same data plane implementation on both Linux and Windows Kubernetes Nodes. -* **Multi-cluster networking**: Federate multiple K8s clusters and benefit from - a unified data plane (including multi-cluster Services) and a unified security - posture. Refer to the [Antrea Multi-cluster documentation](docs/multicluster/user-guide.md) +* **Multi-cluster networking**: Federate multiple Kubernetes clusters and + benefit from a unified data plane (including multi-cluster Services) and a + unified security posture. Refer to the [Antrea Multi-cluster documentation](docs/multicluster/user-guide.md) to get started. * **Troubleshooting and monitoring tools**: Antrea comes with CLI and UI tools which provide visibility and diagnostics capabilities (packet tracing, policy diff --git a/ROADMAP.md b/ROADMAP.md index bacc55dd031..e831599c6d9 100644 --- a/ROADMAP.md +++ b/ROADMAP.md @@ -54,11 +54,11 @@ documentation. ### More robust FQDN support in Antrea NetworkPolicy -Antrea provides a comprehensive network policy model, which builds upon -Kubernetes Network Policies and provides many additional capabilities. One of -them is the ability to define policy rules using domain names (FQDNs). We think -there is some room to improve user experience with this feature, and we are -working on making it more stable. +Antrea provides a comprehensive network policy model, which builds upon K8s +Network Policies and provides many additional capabilities. One of them is the +ability to define policy rules using domain names (FQDNs). We think there is +some room to improve user experience with this feature, and we are working on +making it more stable. ### Implementation of new upstream NetworkPolicy APIs