Manual Installation

Overview

There are four components which need to be deployed in order to run Antrea:

  • The OpenVSwitch daemons ovs-vswitchd and ovsdb-server

  • The controller antrea-controller

  • The agent antrea-agent

  • The CNI plugin antrea-cni

Instructions

Prior to bringing up the individual components, follow the common steps:

  • Ensure Go v1.15 is installed

  • Git clone your forked Antrea repository and cd into the antrea directory

    git clone https://github.com/$user/antrea
    cd antrea
  • Build the binaries for all components under the bin directory

    make bin

OpenVSwitch

The Open vSwitch >= 2.8.0 userspace daemons ovs-vswitchd and ovsdb-server should run on all worker nodes. See Installing Open vSwitch for details.

antrea-controller

antrea-controller is required to implement Kubernetes Network Policies. At any time, there should be only a single active replica of antrea-controller.

  1. Grant the antrea-controller ServiceAccount the necessary permissions to the Kubernetes APIs. You can apply controller-rbac.yml to do so.

    kubectl apply -f build/yamls/base/controller-rbac.yml
  2. Create the kubeconfig file that contains the K8s APIServer endpoint and the token of the ServiceAccount created in the above step. See Configure Access to Multiple Clusters for more information.

    # API server endpoint of the current kubectl context
    APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
    # Bearer token of the antrea-controller ServiceAccount
    TOKEN=$(kubectl get secrets -n kube-system -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='antrea-controller')].data.token}"|base64 --decode)
    kubectl config --kubeconfig=antrea-controller.kubeconfig set-cluster kubernetes --server="$APISERVER" --insecure-skip-tls-verify
    kubectl config --kubeconfig=antrea-controller.kubeconfig set-credentials antrea-controller --token="$TOKEN"
    kubectl config --kubeconfig=antrea-controller.kubeconfig set-context antrea-controller@kubernetes --cluster=kubernetes --user=antrea-controller
    kubectl config --kubeconfig=antrea-controller.kubeconfig use-context antrea-controller@kubernetes
  3. Create the antrea-controller config file. See Configuration for details.

    cat >antrea-controller.conf <<EOF
    clientConnection:
      kubeconfig: antrea-controller.kubeconfig
    EOF
  4. Start antrea-controller.

    bin/antrea-controller --config antrea-controller.conf

antrea-agent

antrea-agent must run on all worker nodes.

  1. Grant the antrea-agent ServiceAccount the necessary permissions to the Kubernetes APIs. You can apply agent-rbac.yml to do so.

    kubectl apply -f build/yamls/base/agent-rbac.yml
  2. Create the kubeconfig file that contains the K8s APIServer endpoint and the token of the ServiceAccount created in the above step. See Configure Access to Multiple Clusters for more information.

    # API server endpoint of the current kubectl context
    APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
    # Bearer token of the antrea-agent ServiceAccount
    TOKEN=$(kubectl get secrets -n kube-system -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='antrea-agent')].data.token}"|base64 --decode)
    kubectl config --kubeconfig=antrea-agent.kubeconfig set-cluster kubernetes --server="$APISERVER" --insecure-skip-tls-verify
    kubectl config --kubeconfig=antrea-agent.kubeconfig set-credentials antrea-agent --token="$TOKEN"
    kubectl config --kubeconfig=antrea-agent.kubeconfig set-context antrea-agent@kubernetes --cluster=kubernetes --user=antrea-agent
    kubectl config --kubeconfig=antrea-agent.kubeconfig use-context antrea-agent@kubernetes
  3. Create the kubeconfig file that contains the antrea-controller APIServer endpoint and the token of the ServiceAccount created in the above step.

    # Change it to the correct endpoint if you are running antrea-controller somewhere else.
    ANTREA_APISERVER=https://localhost
    # Bearer token of the antrea-agent ServiceAccount
    TOKEN=$(kubectl get secrets -n kube-system -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='antrea-agent')].data.token}"|base64 --decode)
    kubectl config --kubeconfig=antrea-agent.antrea.kubeconfig set-cluster antrea --server="$ANTREA_APISERVER" --insecure-skip-tls-verify
    kubectl config --kubeconfig=antrea-agent.antrea.kubeconfig set-credentials antrea-agent --token="$TOKEN"
    kubectl config --kubeconfig=antrea-agent.antrea.kubeconfig set-context antrea-agent@antrea --cluster=antrea --user=antrea-agent
    kubectl config --kubeconfig=antrea-agent.antrea.kubeconfig use-context antrea-agent@antrea
  4. Create the antrea-agent config file. See Configuration for details.

    cat >antrea-agent.conf <<EOF
    clientConnection:
      kubeconfig: antrea-agent.kubeconfig
    antreaClientConnection:
      kubeconfig: antrea-agent.antrea.kubeconfig
    hostProcPathPrefix: "/"
    EOF
  5. Start antrea-agent.

    bin/antrea-agent --config antrea-agent.conf
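
The kubeconfig steps for antrea-controller and antrea-agent above pass --insecure-skip-tls-verify, so the component sends its ServiceAccount token without checking the API server's certificate. The following is an added example, not part of the Antrea documentation, that builds the same files with the CA pinned through --certificate-authority and --embed-certs. The helper names write_kubeconfig and extract_cluster_ca and the file name ca.crt are assumptions, and how to obtain the CA for the antrea-controller endpoint is not covered on this page.

```shell
# Added example (not from the Antrea docs). write_kubeconfig is a hypothetical
# helper: it builds the same kubeconfig as the steps above, but pins the API
# server CA instead of passing --insecure-skip-tls-verify.
# Usage: write_kubeconfig OUT CLUSTER SERVER_URL CA_PEM SERVICEACCOUNT
write_kubeconfig() (
    out=$1 cluster=$2 server=$3 ca=$4 sa=$5
    umask 077    # the file will hold a bearer token: owner-only permissions

    # Refuse to write a config that cannot authenticate the server.
    case $server in
        https://*) ;;
        *) echo "refusing non-HTTPS endpoint: $server" >&2; exit 1 ;;
    esac
    [ -s "$ca" ] || { echo "CA bundle missing or empty: $ca" >&2; exit 1; }

    token=$(kubectl get secrets -n kube-system -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='$sa')].data.token}" | base64 --decode)
    [ -n "$token" ] || { echo "no token found for ServiceAccount $sa" >&2; exit 1; }

    kubectl config --kubeconfig="$out" set-cluster "$cluster" \
        --server="$server" --certificate-authority="$ca" --embed-certs=true &&
    kubectl config --kubeconfig="$out" set-credentials "$sa" --token="$token" &&
    kubectl config --kubeconfig="$out" set-context "$sa@$cluster" \
        --cluster="$cluster" --user="$sa" &&
    kubectl config --kubeconfig="$out" use-context "$sa@$cluster"
)

# Assumption: the admin kubeconfig embeds the cluster CA as
# certificate-authority-data; if it references a CA file, copy that file.
extract_cluster_ca() {
    kubectl config view --minify --raw \
        -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' |
        base64 --decode > "$1"
}

# Typical calls (file names follow the steps above; ca.crt is a placeholder):
#   extract_cluster_ca ca.crt
#   write_kubeconfig antrea-agent.kubeconfig kubernetes "$APISERVER" ca.crt antrea-agent
```

The resulting files can be used in the clientConnection and antreaClientConnection settings exactly as the files from the original steps.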

antrea-cni

antrea-cni should be installed on all worker nodes.

  1. Create the CNI config file on all worker nodes.

    mkdir -p /etc/cni/net.d
    cat >/etc/cni/net.d/10-antrea.conflist <<EOF
    {
        "cniVersion":"0.3.0",
        "name": "antrea",
        "plugins": [
            {
                "type": "antrea",
                "ipam": {
                    "type": "host-local"
                }
            },
            {
                "type": "portmap",
                "capabilities": {"portMappings": true}
            },
            {
                "type": "bandwidth",
                "capabilities": {"bandwidth": true}
            }
        ]
    }
    EOF
  2. Install antrea-cni to /opt/cni/bin/antrea.

    cp bin/antrea-cni /opt/cni/bin/antrea