Antrea 0.1: Open vSwitch CNI for Kubernetes

Introduction

On May 20, 2020, VMware released Antrea 0.1, the first version of an Open vSwitch (OVS)-based Container Network Interface (CNI) plugin for Kubernetes. Built on OVS, Antrea provides advanced networking features including network policies, service proxy, and integration with VMware’s cloud-native stack.

While Cilium and Calico dominated the CNI landscape, Antrea brought something different: the maturity and feature set of Open vSwitch, a battle-tested virtual switch used in OpenStack and SDN environments. For teams already familiar with OVS or running VMware infrastructure, Antrea offered a familiar networking model with Kubernetes-native integration.


Why Antrea?

  • Open vSwitch Foundation: Leverages OVS, a mature virtual switch with an extensive feature set.
  • VMware Integration: Native integration with VMware vSphere and NSX-T for hybrid cloud deployments.
  • Advanced Features: Network policies, service proxy, and traffic monitoring in a single CNI.
  • Performance: OVS kernel datapath provides high-performance packet processing.

Core Architecture

  • Antrea Agent: Runs as a DaemonSet on each node, managing OVS switches and network policies.
  • Antrea Controller: Centralized control plane managing network policies and service discovery.
  • Open vSwitch: Handles packet forwarding, flow tables, and network policy enforcement.
  • OVS Kernel Datapath: Fast-path packet processing in the Linux kernel for performance.

Key Features

  1. Network Policies: Kubernetes NetworkPolicy enforcement using OVS flow rules.
  2. Service Proxy: Replaces kube-proxy with OVS-based load balancing.
  3. Traffic Monitoring: Flow-based monitoring and metrics export.
  4. IPAM: Automatic IP address management for pods and services.
  5. Encryption: IPsec-based encryption for pod-to-pod traffic.

Getting Started

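Install Antrea (this URL tracks the main branch, so the manifest can change between runs; review it before applying):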

kubectl apply -f https://raw.githubusercontent.com/vmware-tanzu/antrea/main/build/yamls/antrea.yml

Verify installation:

kubectl get pods -n kube-system -l app=antrea

Check Antrea agent status:

kubectl logs -n kube-system -l app=antrea,component=antrea-agent -c antrea-agent

Network Policy Enforcement

Antrea implements Kubernetes NetworkPolicy using OVS flow rules:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow-app
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: app
    ports:
    - protocol: TCP
      port: 8080

Antrea translates this into OVS flow rules that enforce the policy at the data plane level.
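The semantics a CNI has to enforce for the web-allow-app policy above, as an added Python example (not Antrea code and not from the original post; the OVS flows themselves are not modeled). It assumes the policy lives in the "default" namespace, handles only matchLabels podSelector peers, and uses constructed sample pods.

```python
# Added illustration of Kubernetes NetworkPolicy ingress semantics.
# The policy mirrors the manifest on the page; namespace "default" is an
# assumption because the manifest omits metadata.namespace.
WEB_ALLOW_APP = {
    "namespace": "default",
    "podSelector": {"app": "web"},
    "policyTypes": ["Ingress"],
    "ingress": [
        {"from": [{"podSelector": {"app": "app"}}],
         "ports": [{"protocol": "TCP", "port": 8080}]},
    ],
}

def pod(namespace, **labels):
    """Build a constructed sample pod."""
    return {"namespace": namespace, "labels": labels}

def selects(selector, labels):
    """matchLabels semantics: every key/value must match; {} selects all."""
    return all(labels.get(k) == v for k, v in selector.items())

def ingress_allowed(policies, src, dst, protocol, port):
    """Return True if src may open protocol/port on dst under the policies."""
    applicable = [p for p in policies
                  if p["namespace"] == dst["namespace"]
                  and "Ingress" in p["policyTypes"]
                  and selects(p["podSelector"], dst["labels"])]
    if not applicable:
        return True  # dst is not isolated: all ingress is allowed
    for p in applicable:  # policies are additive: any matching rule allows
        for rule in p["ingress"]:
            # A bare podSelector peer only matches pods in the policy's namespace.
            peer_ok = any(src["namespace"] == p["namespace"]
                          and selects(peer["podSelector"], src["labels"])
                          for peer in rule["from"])
            port_ok = any(pp["protocol"] == protocol and pp["port"] == port
                          for pp in rule["ports"])
            if peer_ok and port_ok:
                return True
    return False  # dst is isolated and no rule matched: traffic is dropped

if __name__ == "__main__":
    web = pod("default", app="web")
    for src, port in [(pod("default", app="app"), 8080),
                      (pod("default", app="app"), 9090),
                      (pod("default", app="batch"), 8080),
                      (pod("other", app="app"), 8080)]:
        verdict = ingress_allowed([WEB_ALLOW_APP], src, web, "TCP", port)
        print(src, port, "allow" if verdict else "drop")
```

The cases worth checking on a live cluster are the drops: a wrong port, a wrong label, and a pod with the right label in a different namespace.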


Service Proxy

Antrea can replace kube-proxy with OVS-based load balancing:

  • Flow-Based Load Balancing: Uses OVS flows to distribute traffic across service endpoints.
  • Session Affinity: Supports sticky sessions using OVS connection tracking.
  • Performance: OVS kernel datapath provides efficient packet processing.

VMware Integration

  • vSphere Integration: Antrea works seamlessly with VMware vSphere for hybrid deployments.
  • NSX-T Integration: Can integrate with NSX-T for advanced networking features.
  • Tanzu Kubernetes Grid: Antrea is the default CNI for VMware Tanzu Kubernetes Grid.

Comparison with Other CNIs

Feature | Antrea | Calico | Cilium
Foundation | OVS | BGP/iptables | eBPF
Network Policy | OVS flows | iptables/eBPF | eBPF
Service Proxy | OVS | kube-proxy | eBPF
VMware Integration | Native | Limited | Limited
Performance | High | High | Very High

Use Cases

  • VMware Environments: Teams running VMware infrastructure benefit from native integration.
  • OpenStack Users: Organizations familiar with OVS can leverage existing expertise.
  • Hybrid Cloud: Antrea’s VMware integration simplifies hybrid cloud networking.
  • Network Policies: Teams needing advanced network policy features with OVS performance.

Operational Considerations

  • OVS Learning Curve: Teams unfamiliar with OVS may need training.
  • Resource Usage: OVS adds some overhead; monitor CPU and memory usage.
  • Troubleshooting: OVS flow debugging requires understanding OVS tools (ovs-ofctl, ovs-vsctl).
  • Upgrade Strategy: Antrea upgrades require careful coordination; test in non-production first.

Common Patterns

  • Network Policy Enforcement: Use Antrea’s NetworkPolicy support for micro-segmentation.
  • Service Load Balancing: Replace kube-proxy with Antrea’s OVS-based service proxy.
  • Traffic Monitoring: Use Antrea’s flow monitoring for network visibility.
  • Hybrid Deployments: Integrate Antrea with VMware vSphere for hybrid cloud networking.

Limitations (0.1)

  • Early Software: 0.1 is an initial release; expect API changes and feature additions.
  • OVS Dependency: Requires OVS kernel modules; may not work on all Linux distributions.
  • Documentation: Early documentation may be incomplete; rely on examples and community.
  • Ecosystem: Fewer third-party integrations compared to Calico or Cilium.

Looking Ahead

Antrea 0.1 established the foundation for:

  • Performance Improvements: Continued OVS optimizations and kernel datapath enhancements.
  • Advanced Features: Support for more network policy features and service mesh integration.
  • VMware Integration: Enhanced integration with VMware’s cloud-native stack.
  • CNCF Contribution: Antrea would later be contributed to CNCF.

Summary

Aspect | Details
Release Date | May 20, 2020
Key Innovations | OVS-based CNI, VMware integration, unified networking and policy
Significance | Brought Open vSwitch’s maturity to Kubernetes with VMware-native integration

Antrea 0.1 demonstrated that Open vSwitch’s proven networking capabilities could be applied to Kubernetes. By combining OVS’s feature set with Kubernetes-native APIs, it created a CNI option that appealed to teams with VMware infrastructure or OVS expertise, while providing advanced networking features out of the box.