Increase the minimum supported Kubernetes version to 1.23 (#7564)

K8s 1.23 is the release where the IPv6DualStack feature gate became GA
and locked to true. By increasing the minimum supported version to 1.23,
we can assume that some dual-stack fields (e.g., spec.ipFamilies` for
Services) are always present and populated correctly.

K8s 1.23 is also the release were the EndpointSlice feature gate became
GA and locked to true.

Additionally, because NamespaceDefaultLabelName was removed in K8s 1.23,
we can furthermore remove some code / documentation that is no longer
needed. However, we do not drop support for `antrea.io/metadata.name`
(yet?) - we just stop mentioning it in the Antrea NetworkPolicy
documentation.

Note that K8s 1.23 was released at the end of 2021.

Signed-off-by: Antonin Bas <[email protected]>

Author: antoninbas

README.md

@@ -27,7 +27,7 @@ Network Policies in a very efficient manner.
 
 ## Prerequisites
 
-Antrea has been tested with Kubernetes clusters running version 1.19 or later.
+Antrea has been tested with Kubernetes clusters running version 1.23 or later.
 
 * `NodeIPAMController` must be enabled in the Kubernetes cluster.\
   When deploying a cluster with kubeadm the `--pod-network-cidr <cidr>`

build/charts/antrea/Chart.yaml

@@ -5,7 +5,7 @@ displayName: Antrea
 home: https://antrea.io/
 version: 0.0.0
 appVersion: latest
-kubeVersion: ">= 1.19.0-0"
+kubeVersion: ">= 1.23.0-0"
 icon: https://raw.githubusercontent.com/antrea-io/antrea/main/docs/assets/logo/antrea_logo.svg
 description: Kubernetes networking based on Open vSwitch
 keywords:

build/charts/antrea/README.md

@@ -12,7 +12,7 @@ Kubernetes networking based on Open vSwitch
 
 ## Requirements
 
-Kubernetes: `>= 1.19.0-0`
+Kubernetes: `>= 1.23.0-0`
 
 ## Values
 

build/charts/flow-aggregator/Chart.yaml

@@ -5,7 +5,7 @@ displayName: Antrea Flow Aggregator
 home: https://antrea.io/
 version: 0.0.0
 appVersion: latest
-kubeVersion: ">= 1.19.0-0"
+kubeVersion: ">= 1.23.0-0"
 icon: https://raw.githubusercontent.com/antrea-io/antrea/main/docs/assets/logo/antrea_logo.svg
 description: Antrea Flow Aggregator
 keywords:

build/charts/flow-aggregator/README.md

@@ -12,7 +12,7 @@ Antrea Flow Aggregator
 
 ## Requirements
 
-Kubernetes: `>= 1.19.0-0`
+Kubernetes: `>= 1.23.0-0`
 
 ## Values
 

ci/jenkins/test.sh

@@ -942,9 +942,6 @@ function redeploy_k8s_if_ip_mode_changes() {
         POD_SUBNET_STRING="${POD_SUBNET_IPV4},${POD_SUBNET_IPV6}"
         SERVICE_SUBNET_STRING="${SERVICE_SUBNET_IPV4},${SERVICE_SUBNET_IPV6}"
         ADVERTISE_ADDRESS_STRING=${CONTROL_PLANE_IPV4}
-        if [[ ${K8S_VERSION} =~ 1.19. ]] || [[ ${K8S_VERSION} =~ 1.20. ]]; then
-          FEATURE_GATES_STRING=`echo -e "featureGates:\n  IPv6DualStack: true"`
-        fi
         APISERVER_IP_STRING=${ADVERTISE_ADDRESS_STRING}
     fi
     cat <<EOF | tee ${WORKDIR}/kubeadm.conf

docs/antrea-network-policy.md

@@ -36,8 +36,6 @@
   - [Rule enforcement based on priorities](#rule-enforcement-based-on-priorities)
 - [Advanced peer selection mechanisms of Antrea-native Policies](#advanced-peer-selection-mechanisms-of-antrea-native-policies)
   - [Selecting Namespace by Name](#selecting-namespace-by-name)
-    - [K8s clusters with version 1.21 and above](#k8s-clusters-with-version-121-and-above)
-    - [K8s clusters with version 1.20 and below](#k8s-clusters-with-version-120-and-below)
   - [Selecting Pods in the same Namespace with Self](#selecting-pods-in-the-same-namespace-with-self)
   - [Selecting Namespaces with the same label values using SameLabels](#selecting-namespaces-with-the-same-label-values-using-samelabels)
   - [FQDN based filtering](#fqdn-based-filtering)
@@ -1171,11 +1169,8 @@ workloads from Namespaces with the use of a label selector (i.e. `namespaceSelec
 However, it is often desirable to be able to select Namespaces directly by their `name`
 as opposed to using the `labels` associated with the Namespaces.
 
-#### K8s clusters with version 1.21 and above
-
-Starting with K8s v1.21, all Namespaces are labeled with the `kubernetes.io/metadata.name: <namespaceName>`
-[label](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#automatic-labelling)
-provided that the `NamespaceDefaultLabelName` feature gate (enabled by default) is not disabled in K8s.
+Namespaces are labeled with the `kubernetes.io/metadata.name: <namespaceName>`
+[label](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#automatic-labelling).
 K8s NetworkPolicy and Antrea-native policy users can take advantage of this reserved label
 to select Namespaces directly by their `name` in `namespaceSelectors` as follows:
 
@@ -1207,83 +1202,8 @@ spec:
       name: AllowToCoreDNS
 ```
 
-**Note**: `NamespaceDefaultLabelName` feature gate is scheduled to be removed in K8s v1.24, thereby
-ensuring that labeling Namespaces by their name cannot be disabled.
-
-#### K8s clusters with version 1.20 and below
-
-In order to select Namespaces by name, Antrea labels Namespaces with a reserved label `antrea.io/metadata.name`,
-whose value is set to the Namespace's name. Users can then use this label in the
-`namespaceSelector` field, in both K8s NetworkPolicies and Antrea-native policies to
-select Namespaces by name. By default, Namespaces are not labeled with the reserved name label.
-In order for the Antrea controller to label the Namespaces, the `labelsmutator.antrea.io`
-`MutatingWebhookConfiguration` must be enabled. This can be done by applying the following
-webhook configuration YAML:
-
-```yaml
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
-  # Do not edit this name.
-  name: "labelsmutator.antrea.io"
-  # Do not remove these labels.
-  labels:
-    app: antrea
-    served-by: antrea-controller
-webhooks:
-  - name: "namelabelmutator.antrea.io"
-    clientConfig:
-      service:
-        name: "antrea"
-        namespace: "kube-system"
-        path: "/mutate/namespace"
-    rules:
-      - operations: ["CREATE", "UPDATE"]
-        apiGroups: [""]
-        apiVersions: ["v1"]
-        resources: ["namespaces"]
-        scope: "Cluster"
-    admissionReviewVersions: ["v1", "v1beta1"]
-    sideEffects: None
-    timeoutSeconds: 5
-```
-
-**Note**: `antrea-controller` Pod must be restarted after applying this YAML.
-
-Once the webhook is configured, Antrea will start labeling all new and updated
-Namespaces with the `antrea.io/metadata.name: <namespaceName>` label. Users may now
-use this reserved label to select Namespaces by name as follows:
-
-```yaml
-apiVersion: crd.antrea.io/v1beta1
-kind: NetworkPolicy
-metadata:
-  name: test-annp-by-name
-  namespace: default
-spec:
-  priority: 5
-  tier: application
-  appliedTo:
-    - podSelector: {}
-  egress:
-    - action: Allow
-      to:
-        - podSelector:
-            matchLabels:
-              k8s-app: kube-dns
-          namespaceSelector:
-            matchLabels:
-              antrea.io/metadata.name: kube-system
-      ports:
-        - protocol: TCP
-          port: 53
-        - protocol: UDP
-          port: 53
-      name: AllowToCoreDNS
-```
-
 The above example allows all Pods from Namespace "default" to connect to all "kube-dns"
-Pods from Namespace "kube-system" on TCP port 53.
+Pods from Namespace "kube-system" on TCP port 53 and UDP port 53.
 
 ### Selecting Pods in the same Namespace with Self
 

docs/antrea-proxy.md

@@ -102,9 +102,7 @@ To remove kube-proxy from an existing cluster, you can use the following steps:
 # Delete the kube-proxy DaemonSet
 kubectl -n kube-system delete ds/kube-proxy
 # Delete the kube-proxy ConfigMap to prevent kube-proxy from being re-deployed
-# by kubeadm during "upgrade apply". This workaround will not take effect for
-# kubeadm versions older than v1.19 as the following patch is required:
-# https://github.com/kubernetes/kubernetes/pull/89593
+# by kubeadm during "upgrade apply".
 kubectl -n kube-system delete cm/kube-proxy
 # Delete existing kube-proxy rules; there are several options for doing that
 # Option 1 (if using kube-proxy in iptables mode), run the following on each Node:

multicluster/controllers/multicluster/member/labelidentity_controller.go

@@ -356,12 +356,6 @@ func (r *LabelIdentityReconciler) getLabelIdentityResourceExport(name, normalize
 }
 
 func GetNormalizedLabel(nsLabels, podLabels map[string]string, ns string) string {
-	if _, ok := nsLabels[v1.LabelMetadataName]; !ok {
-		// NamespaceDefaultLabelName is supported from K8s v1.21. For K8s versions before v1.21,
-		// we append the Namespace name label to the Namespace label set, so that the exported
-		// label is guaranteed to have Namespace name information.
-		nsLabels[v1.LabelMetadataName] = ns
-	}
 	return "ns:" + labels.Set(nsLabels).String() + "&pod:" + labels.Set(podLabels).String()
 }
 

multicluster/controllers/multicluster/member/labelidentity_controller_test.go

@@ -266,18 +266,11 @@ func TestGetNormalizedLabel(t *testing.T) {
 			map[string]string{v1.LabelMetadataName: "test-ns"},
 			"ns:kubernetes.io/metadata.name=test-ns&pod:purpose=test",
 		},
-		{
-			"no Namespace default name label",
-			"test-ns",
-			map[string]string{"purpose": "test"},
-			map[string]string{"region": "west"},
-			"ns:kubernetes.io/metadata.name=test-ns,region=west&pod:purpose=test",
-		},
 		{
 			"no Pod label",
 			"test-ns",
 			map[string]string{},
-			map[string]string{"region": "west"},
+			map[string]string{v1.LabelMetadataName: "test-ns", "region": "west"},
 			"ns:kubernetes.io/metadata.name=test-ns,region=west&pod:",
 		},
 	}