Mastering Antrea: A High‑Performance Kubernetes CNI Plugin Guide

Kubernetes has become the standard container orchestration platform, and networking is a critical component of any cluster. This article provides a comprehensive overview of the Antrea CNI plugin, including its concepts, advantages and disadvantages, typical use cases, and step‑by‑step installation and testing procedures.

1. Basic Introduction

In Kubernetes, network plugins—also called Container Network Interface (CNI) plugins—enable communication between containers. Common CNI plugins include Flannel, Calico, Weave Net, Cilium, Canal, Antrea, and kube‑router, each with its own strengths and suitable scenarios.

2. Antrea Overview

Antrea is an open‑source CNI plugin built on Open vSwitch (OVS). It offers high performance, network policy enforcement, service proxying, and observability. Its core concepts are:

CNI plugin : manages pod network interfaces and implements the Kubernetes network model.

Open vSwitch (OVS) : the data‑plane virtual switch that forwards packets.

Network policy : allows fine‑grained traffic control between pods.

Service proxy : enables Kubernetes services to reach backend pods without exposing pod IPs.

2.1 Advantages

Lightweight and low resource consumption.

Easy configuration with simple YAML files.

High performance thanks to efficient data structures and OVS.

Supports multiple protocols (TCP, UDP, etc.).

Extensible via rich APIs.

Provides observability similar to Calico.

2.2 Disadvantages

Feature set is smaller than more mature plugins.

Community support and documentation are still growing.

Initial setup can be complex for beginners.

Relies on OVS, which may add extra complexity.

2.3 Typical Use Cases

Micro‑service architectures requiring service discovery and load balancing.

Containerized deployments needing reliable pod‑to‑pod communication.

Edge computing scenarios with high‑performance networking.

Large‑scale clusters where performance is critical.

Multi‑tenant environments that need precise network policies.

Observability requirements for troubleshooting and performance tuning.

3. Installation and Usage

Follow these steps to install Antrea:

Download the Antrea YAML file.

Edit the YAML to match your cluster topology.

Apply the YAML with kubectl apply -f antrea.yml.

Wait for the Antrea controller and agent pods to be in the Running state.

Configure network policies as needed.

Test the setup.

3.1 Download Antrea YAML

curl -O https://raw.githubusercontent.com/vmware-tanzu/antrea/main/build/yamls/antrea.yml

3.2 Edit the YAML

apiVersion: operator.antrea.io/v1alpha1
kind: AntreaCluster
metadata:
  name: antrea-cluster
spec:
  defaultAntreaAgent: {}
  controller:
    service:
      type: LoadBalancer
    networkPolicy:
      enable: true
  agent:
    logLevel: info
    ovs:
      bridgeName: br-int
    podCIDR: 192.168.0.0/16

3.3 Apply the YAML

kubectl apply -f antrea.yml

3.4 Verify Installation

kubectl get pods -n kube-system | grep antrea

When the antrea-agent and antrea-controller pods show Running, the installation is complete.

3.5 Configure a Network Policy

Create a NetworkPolicy object to control pod traffic, for example to deny communication between two Nginx deployments.

3.6 Test the Policy

Deploy two Nginx pods in a test namespace, apply the policy, and attempt to curl from one pod to the other. A timeout indicates the policy is effective.

# Create a temporary pod for testing
kubectl run -i --tty --rm debug --image=nginx --namespace=test-namespace
# Inside the pod, try to reach the other pod
curl <IP_OF_NGINX_DEPLOYMENT_2_POD>

If the policy works, the command will fail with a connection timeout.