VMware’s Antrea Brings Programmable Networks to Kubernetes

VMware’s Project Antrea has recently reached two milestones with the release of version 1.0 and its becoming a Cloud Native Computing Foundation Sandbox project as the CNCF and its engagement with the open source community continue to bear fruit.
After the day’s events at KubeCon + CloudNativeCon Europe on May 5, VMware staff engineers Antonin Bas and Jianjun Shen, discussed what is new about the Kubernetes networking and security tool Antrea and showed some of its features during a demo during the “Project Antrea and KubeCon EU Recap: A Look into the Project’s Maintainers with VMware” livestream. The New Stack founder and publisher Alex Williams and editorial and marketing director Libby Clark hosted the livestream.
Antrea’s 1.0 release and its becoming a Sandbox project serve as a “testimony to all of our partners in the last 18 months,” Bas said. “I think that really marks our desire and shows our commitment to the project, and we are confident that the project is now stable enough for production use.”
Maintaining a close relationship with the open source community has also been important, Shen said, in order to help attract “community support and more users and developers.”
The idea is also to “increase synergy with the other CNCF projects” Bas said. “I think it’s important for CNCF projects to maintain that synergy and a great way for users to have a centralized place where they can [better navigate] the Kubernetes and cloud native landscape,” Bas explained.
The software, released in November 2019, serves as a Container Network Interface (CNI) and Kubernetes NetworkPolicy for any Kubernetes cluster, regardless of its source. Built on Open vSwitch (OVS), the original project team realized before its release that there was not a CNCF project for a CNI plugin.
“Things have changed since then, but at the time, we really wanted to put Antrea out there as a CNI plugin to become a CNCF Sandbox project. That’s what kick started that,” Bas said.
The programmability of the OVS has been conducive for implementing networking and other features, Bas said. It also facilitates “troubleshooting covering “everything from basic Layer 3 connectivity to Layer 4 load balancing,” Bas said.
Antrea 1.0 main features include “cluster-wide” security policies and policy tiering, Egress-policy control, improved observability and diagnostics, and encryption.
For multiple tenants that share a cluster, each tenant has a designated namespace, while it is also possible to “prevent cross namespace traffic in order to isolate tenants — unless it is necessary for your applications,” Bas said.
For network latency, for example, it is possible to observe traffic between services and determine bandwidth distribution in order to “figure out if someone is hogging bandwidth in your cluster,” Bas said.
Logging capabilities used to audit connections can reveal, for example, rejected and authorized connections and other data. Logs are also archived in a centralized location making it easier to observe and then block connections that might violate network policies.
View the full discussion here.