Antctl

    • “controller mode”: when run out-of-cluster or from within the Antrea Controller Pod, antctl can connect to the Antrea Controller and query information from it (e.g. the set of computed NetworkPolicies).
    • “agent mode”: when run from within an Antrea Agent Pod, antctl can connect to the Antrea Agent and query information local to that Agent (e.g. the set of computed NetworkPolicies received by that Agent from the Antrea Controller, as opposed to the entire set of computed policies).
    • “flowaggregator mode”: when run from within a Flow Aggregator Pod, antctl can connect to the Flow Aggregator and query information from it (e.g. flow records related statistics).

    The antctl binary is included in the Antrea Docker image () which means that there is no need to install anything to connect to the Antrea Agent. Simply exec into the antrea-agent container for the appropriate antrea-agent Pod and run antctl:

    Starting with Antrea release v0.5.0, we publish the antctl binaries for different OS / CPU Architecture combinations. Head to the and download the appropriate one for your machine. For example:

    On Mac & Linux:

    1. curl -Lo ./antctl "https://github.com/antrea-io/antrea/releases/download/<TAG>/antctl-$(uname)-x86_64"
    2. chmod +x ./antctl
    3. mv ./antctl /some-dir-in-your-PATH/antctl
    4. antctl version

    For Linux, we also publish binaries for Arm-based systems.

    On Windows, using PowerShell:

    1. Invoke-WebRequest -Uri https://github.com/antrea-io/antrea/releases/download/<TAG>/antctl-windows-x86_64.exe -Outfile antctl.exe
    2. Move-Item .\antctl.exe c:\some-dir-in-your-PATH\antctl.exe
    3. antctl version

    To see the list of available commands and options, run antctl help. The list will be different based on whether you are connecting to the Antrea Controller or Agent.

    When running out-of-cluster (“controller mode” only), antctl will look for your kubeconfig file at $HOME/.kube/config by default. You can select a different one by setting the KUBECONFIG environment variable or with --kubeconfig (the latter taking precedence over the former).

    The following sub-sections introduce a few commands which are useful for troubleshooting the Antrea system.

    Starting from version 0.10.0, Antrea supports showing or changing the log verbosity level of Antrea Controller or Antrea Agent using the antctl log-level command. Starting from version 1.5, Antrea supports showing or changing the log verbosity level of the Flow Aggregator using the antctl log-level command. The command can only run locally inside the antrea-controller, antrea-agent or flow-aggregator container.

    The following command prints the current log verbosity level:

    1. antctl log-level

    This command updates the log verbosity level (the LEVEL argument must be an integer):

    1. antctl log-level LEVEL

    Showing feature gates status

    The feature gates of Antrea Controller and Agent can be shown using the antctl get featuregates command. The command can run locally inside the antrea-controller or antrea-agent container or out-of-cluster, when it is running out-of-cluster or in Controller Pod, it will print both Controller and Agent’s feature gates list.

    The following command prints the current feature gates:

    1. antctl get featuregates

    Collecting support information

    Starting with version 0.7.0, Antrea supports the antctl supportbundle command, which can collect information from the cluster, the Antrea Controller and all Antrea agents. This information is useful when trying to troubleshoot issues in Kubernetes clusters using Antrea. In particular, when running the command out-of-cluster, all the information can be collected under one single directory, which you can upload and share when reporting issues on Github. Simply run the command as follows:

    1. antctl supportbundle [-d TARGET_DIR]

    If you omit to provide a directory, antctl will create one in the current working directory, using the current timestamp as a suffix. The command also provides additional flags to filter the results: run antctl supportbundle --help for the full list.

    The collected support bundle will include the following (more information may be included over time):

    • cluster information: description of the different K8s resources in the cluster (Nodes, Deployments, etc.).
    • Antrea Controller information: all the available logs (contents will vary based on the verbosity selected when running the controller) and state stored at the controller (e.g. computed NetworkPolicy objects).
    • Antrea Agent information: all the available logs from the agent and the OVS daemons, network configuration of the Node (e.g. routes, iptables rules, OVS flows) and state stored at the agent (e.g. computed NetworkPolicy objects received from the controller).

    Be aware that the generated support bundle includes a lot of information, including logs, so please review the contents of the directory before sharing it on Github and ensure that you do not share anything sensitive.

    The antctl supportbundle command can also be run inside a Controller or Agent Pod, in which case only local information will be collected.

    Since v1.10.0, Antrea also supports collecting information by applying a SupportBundleCollection CRD, you can refer to the support bundle guide for more information.

    controllerinfo and agentinfo commands

    1. antctl get controllerinfo
    2. antctl get agentinfo

    Both Antrea Controller and Agent support querying the NetworkPolicy objects in the Antrea control plane API. The source of a control plane NetworkPolicy is the original policy resource (K8s NetworkPolicy or Antrea-native Policy) from which the control plane NetworkPolicy was derived.

    • antctl get networkpolicy (or get netpol) command can print all NetworkPolicies, a specified NetworkPolicy, or NetworkPolicies in a specified Namespace.
    • get appliedtogroup (or get atg) command can print all NetworkPolicy AppliedToGroups (AppliedToGroup includes the Pods to which a NetworkPolicy is applied), or a specified AppliedToGroup.
    • get addressgroup (or get ag) command can print all NetworkPolicy AddressGroups (AddressGroup defines source or destination addresses of NetworkPolicy rules), or a specified AddressGroup.

    Using the json or yaml antctl output format can print more information of NetworkPolicy, AppliedToGroup, and AddressGroup, than using the default table output format. The NAME of a control plane NetworkPolicy is the UID of its source NetworkPolicy.

    1. antctl get networkpolicy [NAME] [-n NAMESPACE] [-o yaml]
    2. antctl get appliedtogroup [NAME] [-o yaml]
    3. antctl get addressgroup [NAME] [-o yaml]

    NetworkPolicy also supports sort-by=effectivePriority option, which can be used to view the effective order in which the NetworkPolicies are evaluated. Antrea-native NetworkPolicy ordering is documented .

    Antrea Agent supports some extra antctl commands.

    • Printing NetworkPolicies applied to a specific local Pod.

      1. antctl get networkpolicy -p POD -n NAMESPACE
    • Printing NetworkPolicies with a specific source NetworkPolicy type.

      1. antctl get networkpolicy -T (K8sNP|ACNP|ANP)
    • Printing NetworkPolicies with a specific source NetworkPolicy name.

      1. antctl get networkpolicy -S SOURCE_NAME [-n NAMESPACE]

    Mapping endpoints to NetworkPolicies

    antctl supports mapping a specific Pod to the NetworkPolicies which “select” this Pod, either because they apply to the Pod directly or because one of their policy rules selects the Pod.

    1. antctl query endpoint -p POD [-n NAMESPACE]

    If no Namespace is provided with -n, the command will default to the “default” Namespace.

    This command only works in “controller mode” and as of now it can only be run from inside the Antrea Controller Pod, and not from out-of-cluster.

    Dumping Pod network interface information

    antctl agent command get podinterface (or get pi) can dump network interface information of all local Pods, or a specified local Pod, or local Pods in the specified Namespace, or local Pods matching the specified Pod name.

    1. antctl get podinterface [NAME] [-n NAMESPACE]

    Dumping OVS flows

    Starting from version 0.6.0, Antrea Agent supports dumping Antrea OVS flows. The antctl get ovsflows (or get of) command can dump all OVS flows, flows added for a specified Pod, or flows added for Service load-balancing of a specified Service, or flows added to realize a specified NetworkPolicy, or flows in the specified OVS flow tables, or all or the specified OVS groups.

    1. antctl get ovsflows
    2. antctl get ovsflows -p POD -n NAMESPACE
    3. antctl get ovsflows -N NETWORKPOLICY -n NAMESPACE
    4. antctl get ovsflows -T TABLE_A,TABLE_B
    5. antctl get ovsflows -T TABLE_A,TABLE_B_NUM
    6. antctl get ovsflows -G all
    7. antctl get ovsflows -G GROUP_ID1,GROUP_ID2

    OVS flow tables can be specified using table names, or the table numbers. antctl get ovsflow --help lists all Antrea flow tables. For more information about Antrea OVS pipeline and flows, please refer to the .

    Example outputs of dumping Pod and NetworkPolicy OVS flows:

    1. # Dump OVS flows of Pod "coredns-6955765f44-zcbwj"
    2. $ antctl get of -p coredns-6955765f44-zcbwj -n kube-system
    3. FLOW
    4. table=classification, n_packets=513122, n_bytes=42615080, priority=190,in_port="coredns--d0c58e" actions=set_field:0x2/0xffff->reg0,resubmit(,10)
    5. table=10, n_packets=513122, n_bytes=42615080, priority=200,ip,in_port="coredns--d0c58e",dl_src=52:bd:c6:e0:eb:c1,nw_src=172.100.1.7 actions=resubmit(,30)
    6. table=10, n_packets=0, n_bytes=0, priority=200,arp,in_port="coredns--d0c58e",arp_spa=172.100.1.7,arp_sha=52:bd:c6:e0:eb:c1 actions=resubmit(,20)
    7. table=80, n_packets=556468, n_bytes=166477824, priority=200,dl_dst=52:bd:c6:e0:eb:c1 actions=load:0x5->NXM_NX_REG1[],set_field:0x10000/0x10000->reg0,resubmit(,90)
    8. table=70, n_packets=0, n_bytes=0, priority=200,ip,dl_dst=aa:bb:cc:dd:ee:ff,nw_dst=172.100.1.7 actions=set_field:62:39:b4:e8:05:76->eth_src,set_field:52:bd:c6:e0:eb:c1->eth_dst,dec_ttl,resubmit(,80)
    9. # Get NetworkPolicies applied to Pod "coredns-6955765f44-zcbwj"
    10. $ antctl get netpol -p coredns-6955765f44-zcbwj -n kube-system
    11. kube-system kube-dns 160ea6d7-0234-5d1d-8ea0-b703d0aa3b46 1
    12. # Dump OVS flows of NetworkPolicy "kube-dns"
    13. $ antctl get of -N kube-dns -n kube-system
    14. FLOW
    15. table=90, n_packets=0, n_bytes=0, priority=190,conj_id=1,ip actions=resubmit(,105)
    16. table=90, n_packets=0, n_bytes=0, priority=200,ip actions=conjunction(1,1/3)
    17. table=90, n_packets=0, n_bytes=0, priority=200,ip,reg1=0x5 actions=conjunction(2,2/3),conjunction(1,2/3)
    18. table=90, n_packets=0, n_bytes=0, priority=200,udp,tp_dst=53 actions=conjunction(1,3/3)
    19. table=90, n_packets=0, n_bytes=0, priority=200,tcp,tp_dst=53 actions=conjunction(1,3/3)
    20. table=90, n_packets=0, n_bytes=0, priority=200,tcp,tp_dst=9153 actions=conjunction(1,3/3)
    21. table=100, n_packets=0, n_bytes=0, priority=200,ip,reg1=0x5 actions=drop

    OVS packet tracing

    Starting from version 0.7.0, Antrea Agent supports tracing the OVS flows that a specified packet traverses, leveraging the .

    antctl trace-packet command starts a packet tracing operation. antctl help trace-packet shows the usage of the command. This section lists a few trace-packet command examples.

    1. # Trace an IP packet between two Pods
    2. antctl trace-packet -S ns1/pod1 -D ns2/pod2
    3. # Trace a Service request from a local Pod
    4. antctl trace-packet -S ns1/pod1 -D ns2/svc2 -f "tcp,tcp_dst=80"
    5. # Trace the Service reply packet (assuming "ns2/pod2" is the Service backend Pod)
    6. antctl trace-packet -D ns1/pod1 -S ns2/pod2 -f "tcp,tcp_src=80"
    7. # Trace an IP packet from a Pod to gateway port
    8. antctl trace-packet -S ns1/pod1 -D antrea-gw0
    9. # Trace a UDP packet from a Pod to an IP address
    10. antctl trace-packet -S ns1/pod1 -D 10.1.2.3 -f udp,udp_dst=1234
    11. # Trace a UDP packet from an IP address to a Pod
    12. antctl trace-packet -D ns1/pod1 -S 10.1.2.3 -f udp,udp_src=1234
    13. # Trace an ARP request from a local Pod
    14. antctl trace-packet -p ns1/pod1 -f arp,arp_spa=10.1.2.3,arp_sha=00:11:22:33:44:55,arp_tpa=10.1.2.1,dl_dst=ff:ff:ff:ff:ff:ff

    Example outputs of tracing a UDP (DNS request) packet from a remote Pod to a local (coredns) Pod:

    antctl traceflow (or antctl tf) command is used to start a Traceflow and retrieve its result. After the result is collected, the Traceflow will be deleted. Users can also create a Traceflow with kubectl, but antctl traceflow offers a simpler way. For more information about Traceflow, refer to the .

    To start a regular Traceflow, both --source (or -S) and --destination (or -D) arguments must be specified, and the source must be a Pod. For example:

    1. $ antctl tf -S busybox0 -D busybox1
    2. name: busybox0-to-busybox1-fpllngzi
    3. phase: Succeeded
    4. source: default/busybox0
    5. destination: default/busybox1
    6. results:
    7. - node: antrea-linux-testbed7-1
    8. timestamp: 1596435607
    9. observations:
    10. - component: SpoofGuard
    11. action: Forwarded
    12. - component: Forwarding
    13. componentInfo: Output
    14. action: Delivered

    The --flow (or -f) argument can be used to specify the Traceflow packet headers with the ovs-ofctl flow syntax. The supported flow fields include: IP family (ipv6 to indicate an IPv6 packet), IP protocol (icmp, icmpv6, tcp, udp), source and destination ports (tcp_src, tcp_dst, udp_src, udp_dst), and TCP flags (tcp_flags).

    By default, the command will wait for the Traceflow to succeed or fail, or timeout. The default timeout is 10 seconds, but can be changed with the --timeout (or -t) argument. Add the --no-wait flag to start a Traceflow without waiting for its results. In this case, the command will not delete the Traceflow resource. The traceflow command supports yaml and json output.

    More examples of antctl traceflow:

    1. # Start a Traceflow from pod1 to pod2, both Pods are in Namespace default
    2. $ antctl traceflow -S pod1 -D pod2
    3. # Start a Traceflow from pod1 in Namepace ns1 to a destination IP
    4. $ antctl traceflow -S ns1/pod1 -D 123.123.123.123
    5. # Start a Traceflow from pod1 to Service svc1 in Namespace ns1
    6. $ antctl traceflow -S pod1 -D ns1/svc1 -f tcp,tcp_dst=80
    7. # Start a Traceflow from pod1 to pod2, with a UDP packet to destination port 1234
    8. $ antctl traceflow -S pod1 -D pod2 -f udp,udp_dst=1234
    9. # Start a Traceflow for live TCP traffic from pod1 to svc1, with 1 minute timeout
    10. $ antctl traceflow -S pod1 -D svc1 -f tcp --live-traffic -t 1m
    11. # Start a Traceflow to capture the first dropped TCP packet to pod1 on port 80, within 10 minutes
    12. $ antctl traceflow -D pod1 -f tcp,tcp_dst=80 --live-traffic --dropped-only -t 10m

    Antctl Proxy

    Antctl can run as a reverse proxy for the Antrea API (Controller or arbitrary Agent). Usage is very similar to kubectl proxy and the implementation is essentially the same.

    To run a reverse proxy for the Antrea Controller API, use:

    1. antctl proxy --controller

    To run a reverse proxy for the Antrea Agent API for the antrea-agent Pod running on Node <TARGET_NODE>, use:

    1. antctl proxy --agent-node

    You can then access the API at . To implement this functionality, antctl retrieves the Node IP address and API server port for the Antrea Controller or for the specified Agent from the K8s API, and it proxies all the requests received on 127.0.0.1:8001 directly to that IP / port. One thing to keep in mind is that the TLS connection between the proxy and the Antrea Agent or Controller will not be secure (no certificate verification), and the proxy should be used for debugging only.

    To see the full list of supported options, run antctl proxy --help.

    This feature is useful if one wants to use the Go pprof tool to collect runtime profiling data about the Antrea components. Please refer to this for more information.

    Flow Aggregator commands

    antctl supports dumping the flow records handled by the Flow Aggregator, and printing metrics about flow record processing. These commands are only available when you exec into the Flow Aggregator Pod.

    Dumping flow records

    antctl supports dumping flow records stored in the Flow Aggregator. The antctl get flowrecords command can dump all matching flow records. It supports the 5-tuple flow key or a subset of the 5-tuple as a filter. A 5-tuple flow key contains Source IP, Destination IP, Source Port, Destination Port and Transport Protocol. If the filter is empty, all flow records will be dumped.

    The command provides a compact display of the flow records in the default table output format, which contains the flow key, source pod name, destination pod name, source pod namespace, destination pod namespace and destination service name for each flow record. Using the json or yaml antctl output format will include output flow record information in a structured format, and will include more information about each flow record. antctl get flowrecords --help shows the usage of the command. This section lists a few dumping flow records command examples.

    1. # Get the list of all flow records
    2. antctl get flowrecords
    3. # Get the list of flow records with a complete filter and output in json format
    4. # Get the list of flow records with a partial filter, e.g. source address and source port
    5. antctl get flowrecords --srcip 10.0.0.1 --srcport 1234

    Example outputs of dumping flow records:

    1. $ antctl get flowrecords --srcip 10.10.1.4 --dstip 10.10.0.2
    2. SRC_IP DST_IP SPORT DPORT PROTO SRC_POD DST_POD SRC_NS DST_NS SERVICE
    3. 10.10.1.4 10.10.0.2 38581 53 17 flow-aggregator-67dc8ddfc8-zx8sg coredns-78fcd69978-7vc6k flow-aggregator kube-system kube-system/kube-dns:dns
    4. 10.10.1.4 10.10.0.2 56505 53 17 flow-aggregator-67dc8ddfc8-zx8sg coredns-78fcd69978-7vc6k flow-aggregator kube-system kube-system/kube-dns:dns
    5. $ antctl get flowrecords --srcip 10.10.0.1 --srcport 50497 -o json
    6. [
    7. {
    8. "destinationClusterIPv4": "0.0.0.0",
    9. "destinationIPv4Address": "10.10.1.2",
    10. "destinationNodeName": "k8s-node-worker-1",
    11. "destinationPodName": "coredns-78fcd69978-x2twv",
    12. "destinationPodNamespace": "kube-system",
    13. "destinationServicePort": 0,
    14. "destinationServicePortName": "",
    15. "destinationTransportPort": 53,
    16. "egressNetworkPolicyName": "",
    17. "egressNetworkPolicyNamespace": "",
    18. "egressNetworkPolicyRuleAction": 0,
    19. "egressNetworkPolicyRuleName": "",
    20. "egressNetworkPolicyType": 0,
    21. "flowEndReason": 3,
    22. "flowEndSeconds": 1635546893,
    23. "flowStartSeconds": 1635546867,
    24. "flowType": 2,
    25. "ingressNetworkPolicyName": "",
    26. "ingressNetworkPolicyNamespace": "",
    27. "ingressNetworkPolicyRuleAction": 0,
    28. "ingressNetworkPolicyRuleName": "",
    29. "ingressNetworkPolicyType": 0,
    30. "octetDeltaCount": 99,
    31. "octetDeltaCountFromDestinationNode": 99,
    32. "octetDeltaCountFromSourceNode": 0,
    33. "octetTotalCount": 99,
    34. "octetTotalCountFromDestinationNode": 99,
    35. "octetTotalCountFromSourceNode": 0,
    36. "packetDeltaCount": 1,
    37. "packetDeltaCountFromDestinationNode": 1,
    38. "packetDeltaCountFromSourceNode": 0,
    39. "packetTotalCount": 1,
    40. "packetTotalCountFromDestinationNode": 1,
    41. "packetTotalCountFromSourceNode": 0,
    42. "protocolIdentifier": 17,
    43. "reverseOctetDeltaCount": 192,
    44. "reverseOctetDeltaCountFromDestinationNode": 192,
    45. "reverseOctetDeltaCountFromSourceNode": 0,
    46. "reverseOctetTotalCount": 192,
    47. "reverseOctetTotalCountFromDestinationNode": 192,
    48. "reverseOctetTotalCountFromSourceNode": 0,
    49. "reversePacketDeltaCount": 1,
    50. "reversePacketDeltaCountFromDestinationNode": 1,
    51. "reversePacketDeltaCountFromSourceNode": 0,
    52. "reversePacketTotalCount": 1,
    53. "reversePacketTotalCountFromDestinationNode": 1,
    54. "reversePacketTotalCountFromSourceNode": 0,
    55. "sourceIPv4Address": "10.10.0.1",
    56. "sourceNodeName": "",
    57. "sourcePodName": "",
    58. "sourcePodNamespace": "",
    59. "sourceTransportPort": 50497,
    60. "tcpState": ""
    61. }
    62. ]

    Record metrics

    Flow Aggregator supports printing record metrics. The antctl get recordmetrics command can print all metrics related to the Flow Aggregator. The metrics include the following:

    • number of records received by the collector process in the Flow Aggregator
    • number of records exported by the Flow Aggregator
    • number of active flows that are being tracked
    • number of exporters connected to the Flow Aggregator

    Example outputs of record metrics:

    1. RECORDS-EXPORTED RECORDS-RECEIVED FLOWS EXPORTERS-CONNECTED
    2. 46 118 7 2

    Multi-cluster commands

    For information about Antrea Multi-cluster commands, please refer to the antctl Multi-cluster commands.

    The antctl get podmulticaststats [POD_NAME] [-n NAMESPACE] command prints inbound and outbound multicast statistics for each Pod. Note that IGMP packets are not counted.

    Example output of podmulticaststats:

    1. $ antctl get podmulticaststats
    2. NAMESPACE NAME INBOUND OUTBOUND
    3. testmulticast-vw7gx5b9 test3-sender-1 0 10

    Showing memberlist state

    antctl agent command get memberlist (or get ml) print the state of memberlist cluster of Antrea Agent.