Deploying Antrea on AKS and AKS Engine

    Antrea can be deployed to an AKS cluster in networkPolicyOnly mode, in which Antrea enforces NetworkPolicies and implements other services for the AKS cluster, while Azure CNI takes care of Pod IPAM and traffic routing across Nodes. For more information about networkPolicyOnly mode, refer to .

    Install the Azure Cloud CLI. Refer to

    You can use any method to create an AKS cluster. The example given here uses the Azure Cloud CLI.

    1. Create an AKS Cluster

      Note: Do not specify the network-policy option.

    2. Get AKS Cluster Credentials

      az aks get-credentials --name $CLUSTER_NAME --resource-group $RESOURCE_GROUP_NAME
      kubectl get nodes
      NAME                                STATUS   ROLES   AGE     VERSION
      aks-nodepool1-84330359-vmss000000   Ready    agent   6m21s   v1.16.10
      aks-nodepool1-84330359-vmss000001   Ready    agent   6m25s   v1.16.10
    3. Deploy Antrea

      To deploy a released version of Antrea, pick a deployment manifest from the list of releases. Note that AKS support was added in release 0.9.0, which means you cannot pick a release older than 0.9.0. For any given release <TAG> (e.g. v0.9.0), you can deploy Antrea as follows:

      kubectl apply -f https://github.com/antrea-io/antrea/releases/download/<TAG>/antrea-aks.yml

      To deploy the latest version of Antrea (built from the main branch), use the checked-in :

      kubectl apply -f https://raw.githubusercontent.com/antrea-io/antrea/main/build/yamls/antrea-aks.yml

      The command will deploy a single replica of Antrea controller to the AKS cluster and deploy Antrea agent to every Node. After a successful deployment you should be able to see these Pods running in your cluster:

    4. Once Antrea is up and running, restart all Pods in all Namespaces (kube-system, etc.) so they can be managed by Antrea.

      kubectl delete pods -n kube-system $(kubectl get pods -n kube-system -o custom-columns=NAME:.metadata.name,HOSTNETWORK:.spec.hostNetwork --no-headers=true | grep '<none>' | awk '{ print $1 }')
      pod "coredns-544d979687-96xm9" deleted
      pod "coredns-544d979687-p7dfb" deleted
      pod "dashboard-metrics-scraper-5f44bbb8b5-5qkkx" deleted
      pod "kube-proxy-6qxdw" deleted
      pod "kube-proxy-h6d89" deleted
      pod "kubernetes-dashboard-785654f667-7twsm" deleted
      pod "metrics-server-85c57978c6-pwzcx" deleted
      pod "tunnelfront-649ff5fb55-5lxg7" deleted
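
    The restart command above covers only kube-system, while the step applies to every Namespace. As an added example (not part of the Antrea documentation), the script below lists the non-hostNetwork Pods in all Namespaces that were created before the antrea-agent on their Node started. The startTime heuristic, the component=antrea-agent label selector, the function names and the sample data are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Antrea documentation.
# Heuristic (assumption): a Pod still needs a restart if it is not hostNetwork and
# was created before the antrea-agent Pod on its Node started.

# stale_pods AGENTS_FILE   (Pod list on stdin)
#   AGENTS_FILE lines: NODE AGENT_START
#   stdin lines:       NAMESPACE NAME HOSTNETWORK NODE CREATED
# kubectl prints RFC 3339 UTC timestamps, so string order equals time order.
stale_pods() {
  awk -v agents="$1" '
    BEGIN { while ((getline line < agents) > 0) { split(line, f, " "); start[f[1]] = f[2] } }
    $3 == "true"   { next }                            # hostNetwork: skipped, as in the page command
    !($4 in start) { print $1, $2, "no-agent"; next }  # no antrea-agent seen on this Node
    ($5 "") < (start[$4] "") { print $1, $2, "predates-agent" }
  '
}

# Same check against a live cluster (needs kubectl access; not run by the demo).
list_stale_pods() {
  agents=$(mktemp) || return 1
  kubectl get pods -n kube-system -l component=antrea-agent --no-headers \
    -o custom-columns=NODE:.spec.nodeName,START:.status.startTime > "$agents"
  kubectl get pods --all-namespaces --no-headers -o custom-columns=\
NS:.metadata.namespace,NAME:.metadata.name,HOSTNETWORK:.spec.hostNetwork,\
NODE:.spec.nodeName,CREATED:.metadata.creationTimestamp | stale_pods "$agents"
  rm -f "$agents"
}

# Constructed sample data (not real cluster output) to try the filter offline.
demo() {
  a=$(mktemp) || return 1
  printf '%s\n' 'node-0 2020-08-01T10:05:00Z' > "$a"
  printf '%s\n' \
    'kube-system coredns-aaa   <none> node-0 2020-08-01T09:50:00Z' \
    'kube-system hostnet-bbb   true   node-0 2020-08-01T09:50:00Z' \
    'default     web-ccc       <none> node-0 2020-08-01T10:20:00Z' \
    'default     web-ddd       <none> node-1 2020-08-01T10:20:00Z' | stale_pods "$a"
  rm -f "$a"
}

demo
```

    An empty result from list_stale_pods means every CNI-attached Pod was created after the agent on its Node started; any Pod it prints has not been restarted since Antrea came up and should not be assumed to have NetworkPolicies enforced on it.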

    Deploy Antrea to an AKS Engine cluster

    Antrea is an integrated CNI of AKS Engine, and can be installed in networkPolicyOnly mode or encap mode to an AKS Engine cluster as part of the AKS Engine cluster deployment. To learn the basics of AKS Engine cluster deployment, please refer to .

    To configure Antrea to enforce NetworkPolicies for the AKS Engine cluster, "networkPolicy": "antrea" needs to be set in kubernetesConfig of the AKS Engine cluster definition (Azure CNI will be used as the networkPlugin):

    "apiVersion": "vlabs",
    "properties": {
      "orchestratorProfile": {
        "kubernetesConfig": {
          "networkPolicy": "antrea"
        }
      }
    }

    You can use the deployment template to deploy an AKS Engine cluster with Antrea in networkPolicyOnly mode:

    To deploy Antrea in encap mode for an AKS Engine cluster, both "networkPlugin": "antrea" and "networkPolicy": "antrea" need to be set in kubernetesConfig of the AKS Engine cluster definition:

    "apiVersion": "vlabs",
    "properties": {
      "orchestratorProfile": {
        "kubernetesConfig": {
          "networkPlugin": "antrea",
          "networkPolicy": "antrea"
        }
      }
    }

    You can add to the deployment template , and use the template to deploy an AKS Engine cluster with Antrea in encap mode.