openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 21:46:22 +01:00
Code Issues Releases Activity

OCPBUGS-26172 configuring the master interface in the container network namespace example2

Browse Source
This commit is contained in:
Kevin Quinn
2024-01-09 16:20:43 +00:00
committed by openshift-cherrypick-robot
parent 24e2f6224f
commit 2ee658d7c9
4 changed files with 481 additions and 253 deletions
Download Patch File Download Diff File Expand all files Collapse all files

254
modules/nw-about-configuring-master-interface-container.adoc
View File

@@ -11,256 +11,4 @@ In {product-title} 4.14 and later, the ability to allow users to create a MAC-VL
This feature allows you to create the master interfaces as part of the pod network configuration in a separate network attachment definition. You can then base the VLAN, MACVLAN, or IPVLAN on this interface without requiring the knowledge of the network configuration of the node.
To ensure the use of a container namespace master interface specify the `linkInContainer` and set the value to `true` in the VLAN, MACVLAN, or IPVLAN plugin configuration depending on the particular type of additional network.
An example use case for utilizing this feature is to create multiple VLANs based on SR-IOV VFs. To do so, begin by creating an SR-IOV network and then define the network attachments for the VLAN interfaces.
The following example shows how to configure the setup illustrated in this diagram.
.Creating VLANs
image::345_OpenShift_config_additional_network_0823.png[Creating VLANs]
.Prerequisites
* You installed the OpenShift CLI (`oc`).
* You have access to the cluster as a user with the `cluster-admin` role.
* You have installed the SR-IOV Network Operator.
.Procedure
. Create a dedicated container namespace where you want to deploy your pod by using the following command:
+
[source,terminal]
----
$ oc new-project test-namespace
----
. Create an SR-IOV node policy:
.. Create an `SriovNetworkNodePolicy` object, and then save the YAML in the `sriov-node-network-policy.yaml` file:
+
[source,yaml]
----
apiVersion: sriovnetwork.openshift.io/v1
kind: SriovNetworkNodePolicy
metadata:
name: sriovnic
namespace: openshift-sriov-network-operator
spec:
deviceType: netdevice
isRdma: false
needVhostNet: true
nicSelector:
vendor: "15b3" <1>
deviceID: "101b" <2>
rootDevices: ["00:05.0"]
numVfs: 10
priority: 99
resourceName: sriovnic
nodeSelector:
feature.node.kubernetes.io/network-sriov.capable: "true"
----
+
[NOTE]
====
The SR-IOV network node policy configuration example, with the setting `deviceType: netdevice`, is tailored specifically for Mellanox Network Interface Cards (NICs).
====
+
<1> The vendor hexadecimal code of the SR-IOV network device. The value `15b3` is associated with a Mellanox NIC.
<2> The device hexadecimal code of the SR-IOV network device.
.. Apply the YAML by running the following command:
+
[source,terminal]
----
$ oc apply -f sriov-node-network-policy.yaml
----
+
[NOTE]
====
Applying this might take some time due to the node requiring a reboot.
====
. Create an SR-IOV network:
.. Create the `SriovNetwork` custom resource (CR) for the additional SR-IOV network attachment as in the following example CR. Save the YAML as the file `sriov-network-attachment.yaml`:
+
[source,yaml]
----
apiVersion: sriovnetwork.openshift.io/v1
kind: SriovNetwork
metadata:
name: sriov-network
namespace: openshift-sriov-network-operator
spec:
networkNamespace: test-namespace
resourceName: sriovnic
spoofChk: "off"
trust: "on"
----
.. Apply the YAML by running the following command:
+
[source,terminal]
----
$ oc apply -f sriov-network-attachment.yaml
----
. Create a YAML file for the VLAN additional network configuration and then save the YAML in the `vlan100-additional-network-configuration.yaml` file:
+
[source,yaml]
----
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
name: vlan-100
namespace: test-namespace
spec:
config: |
{
"cniVersion": "0.4.0",
"name": "vlan-100",
"plugins": [
{
"type": "vlan",
"master": "ext0", <1>
"mtu": 1500,
"vlanId": 100,
"linkInContainer": true, <2>
"ipam": {"type": "whereabouts", "ipRanges": [{"range": "1.1.1.0/24"}]}
}
]
}
----
+
<1> The VLAN configuration needs to specify the master name. This can be configured in the pod networks annotation.
<2> The `linkInContainer` parameter must be specified.
. Apply the YAML by running the following command:
+
[source,terminal]
----
$ oc apply -f vlan100-additional-network-configuration.yaml
----
. Create a pod definition by using the earlier specified networks and then save the YAML in the `pod-a.yaml` file.
+
[NOTE]
====
The manifest below includes 2 resources:
* Namespace with security labels
* Pod definition with appropriate network annotation
====
+
[source,yaml]
----
apiVersion: v1
kind: Namespace
metadata:
name: test-namespace
labels:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/warn: privileged
security.openshift.io/scc.podSecurityLabelSync: "false"
---
apiVersion: v1
kind: Pod
metadata:
name: nginx-pod
namespace: test-namespace
annotations:
k8s.v1.cni.cncf.io/networks: '[
{
"name": "sriov-network",
"namespace": "test-namespace",
"interface": "ext0" <1>
},
{
"name": "vlan-100",
"namespace": "test-namespace",
"interface": "ext0.100"
}
]'
spec:
securityContext:
runAsNonRoot: true
containers:
- name: nginx-container
image: nginxinc/nginx-unprivileged:latest
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
ports:
- containerPort: 80
seccompProfile:
type: "RuntimeDefault"
----
+
<1> The name to be used as the master for the VLAN interface.
. Apply the YAML by running the following command:
+
[source,terminal]
----
$ oc apply -f pod-a.yaml
----
. Get detailed information about the `nginx-pod` within the `test-namespace` by running the following command:
+
[source,terminal]
----
$ oc describe pods nginx-pod -n test-namespace
----
+
.Expected output
+
[source,terminal]
----
Name: nginx-pod
Namespace: test-namespace
Priority: 0
Node: worker-1/10.46.186.105
Start Time: Mon, 14 Aug 2023 16:23:13 -0400
Labels: <none>
Annotations: k8s.ovn.org/pod-networks:
{"default":{"ip_addresses":["10.131.0.26/23"],"mac_address":"0a:58:0a:83:00:1a","gateway_ips":["10.131.0.1"],"routes":[{"dest":"10.128.0.0...
k8s.v1.cni.cncf.io/network-status:
[{
"name": "ovn-kubernetes",
"interface": "eth0",
"ips": [
"10.131.0.26"
],
"mac": "0a:58:0a:83:00:1a",
"default": true,
"dns": {}
},{
"name": "test-namespace/sriov-network",
"interface": "ext0",
"mac": "6e:a7:5e:3f:49:1b",
"dns": {},
"device-info": {
"type": "pci",
"version": "1.0.0",
"pci": {
"pci-address": "0000:d8:00.2"
}
}
},{
"name": "test-namespace/vlan-100",
"interface": "ext0.100",
"ips": [
"1.1.1.1"
],
"mac": "6e:a7:5e:3f:49:1b",
"dns": {}
}]
k8s.v1.cni.cncf.io/networks:
[ { "name": "sriov-network", "namespace": "test-namespace", "interface": "ext0" }, { "name": "vlan-100", "namespace": "test-namespace", "i...
openshift.io/scc: privileged
Status: Running
IP: 10.131.0.26
IPs:
IP: 10.131.0.26
----
To ensure the use of a container namespace master interface, specify the `linkInContainer` and set the value to `true` in the VLAN, MACVLAN, or IPVLAN plugin configuration depending on the particular type of additional network.

213
modules/nw-multus-create-master-interface-bridge-cni.adoc Normal file
View File

@@ -0,0 +1,213 @@
// Module included in the following assemblies:
//
// * networking/multiple_networks/configuring-additional-network.adoc
:_mod-docs-content-type: PROCEDURE
[id="nw-multus-create-master-interface-bridge-cni_{context}"]
= Creating a subinterface based on a bridge master interface in a container namespace
Creating a subinterface can be applied to other types of interfaces. Follow this procedure to create a subinterface based on a bridge master interface in a container namespace.
.Prerequisites
* You have installed the OpenShift CLI (`oc`).
* You are logged in to the {product-title} cluster as a user with `cluster-admin` privileges.
.Procedure
. Create a dedicated container namespace where you want to deploy your pod by running the following command:
+
[source,terminal]
----
$ oc new-project test-namespace
----
. Using the following YAML example, create a bridge `NetworkAttachmentDefinition` custom resource (CR) file named `bridge-nad.yaml`:
+
[source,yaml]
----
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
name: bridge-network
spec:
config: '{
"cniVersion": "0.4.0",
"name": "bridge-network",
"type": "bridge",
"bridge": "br-001",
"isGateway": true,
"ipMasq": true,
"hairpinMode": true,
"ipam": {
"type": "host-local",
"subnet": "10.0.0.0/24",
"routes": [{"dst": "0.0.0.0/0"}]
}
}'
----
. Run the following command to apply the `NetworkAttachmentDefinition` CR to your {product-title} cluster:
+
[source,terminal]
----
$ oc apply -f bridge-nad.yaml
----
. Verify that the `NetworkAttachmentDefinition` CR has been created successfully by running the following command:
+
[source,terminal]
----
$ oc get network-attachment-definitions
----
+
.Example output
[source,terminal]
----
NAME AGE
bridge-network 15s
----
. Using the following YAML example, create a file named `ipvlan-additional-network-configuration.yaml` for the IPVLAN additional network configuration:
+
[source,yaml]
----
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
name: ipvlan-net
namespace: test-namespace
spec:
config: '{
"cniVersion": "0.3.1",
"name": "ipvlan-net",
"type": "ipvlan",
"master": "ext0", <1>
"mode": "l3",
"linkInContainer": true, <2>
"ipam": {"type": "whereabouts", "ipRanges": [{"range": "10.0.0.0/24"}]}
}'
----
+
<1> Specifies the ethernet interface to associate with the network attachment. This is subsequently configured in the pod networks annotation.
<2> Specifies that the master interface is in the container network namespace.
. Apply the YAML file by running the following command:
+
[source,terminal]
----
$ oc apply -f ipvlan-additional-network-configuration.yaml
----
. Verify that the `NetworkAttachmentDefinition` CR has been created successfully by running the following command:
+
[source,terminal]
----
$ oc get network-attachment-definitions
----
+
.Example output
[source,terminal]
----
NAME AGE
bridge-network 87s
ipvlan-net 9s
----
. Using the following YAML example, create a file named `pod-a.yaml` for the pod definition:
+
[source,yaml]
----
apiVersion: v1
kind: Pod
metadata:
name: pod-a
namespace: test-namespace
annotations:
k8s.v1.cni.cncf.io/networks: '[
{
"name": "bridge-network",
"interface": "ext0" <1>
},
{
"name": "ipvlan-net",
"interface": "ext1"
}
]'
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: test-pod
image: quay.io/openshifttest/hello-sdn@sha256:c89445416459e7adea9a5a416b3365ed3d74f2491beb904d61dc8d1eb89a72a4
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: [ALL]
----
+
<1> Specifies the name to be used as the master for the IPVLAN interface.
. Apply the YAML file by running the following command:
+
[source,terminal]
----
$ oc apply -f pod-a.yaml
----
. Verify that the pod is running by using the following command:
+
[source,terminal]
----
$ oc get pod -n test-namespace
----
+
.Example output
+
[source,terminal]
----
NAME READY STATUS RESTARTS AGE
pod-a 1/1 Running 0 2m36s
----
. Show network interface information about the `pod-a` resource within the `test-namespace` by running the following command:
+
[source,terminal]
----
$ oc exec -n test-namespace pod-a -- ip a
----
+
.Example output
+
[source,terminal]
----
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: eth0@if105: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc noqueue state UP group default
link/ether 0a:58:0a:d9:00:5d brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.217.0.93/23 brd 10.217.1.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::488b:91ff:fe84:a94b/64 scope link
valid_lft forever preferred_lft forever
4: ext0@if107: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether be:da:bd:7e:f4:37 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.0.0.2/24 brd 10.0.0.255 scope global ext0
valid_lft forever preferred_lft forever
inet6 fe80::bcda:bdff:fe7e:f437/64 scope link
valid_lft forever preferred_lft forever
5: ext1@ext0: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
link/ether be:da:bd:7e:f4:37 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.1/24 brd 10.0.0.255 scope global ext1
valid_lft forever preferred_lft forever
inet6 fe80::beda:bd00:17e:f437/64 scope link
valid_lft forever preferred_lft forever
----
+
This output shows that the network interface `ext1` is associated with the physical interface `ext0`.

263
modules/nw-multus-create-multiple-vlans-sriov.adoc Normal file
View File

@@ -0,0 +1,263 @@
// Module included in the following assemblies:
//
// * networking/multiple_networks/configuring-additional-network.adoc
:_mod-docs-content-type: PROCEDURE
[id="nw-multus-create-multiple-vlans-sriov_{context}"]
= Creating multiple VLANs on SR-IOV VFs
An example use case for utilizing this feature is to create multiple VLANs based on SR-IOV VFs. To do so, begin by creating an SR-IOV network and then define the network attachments for the VLAN interfaces.
The following example shows how to configure the setup illustrated in this diagram.
.Creating VLANs
image::345_OpenShift_config_additional_network_0823.png[Creating VLANs]
.Prerequisites
* You installed the OpenShift CLI (`oc`).
* You have access to the cluster as a user with the `cluster-admin` role.
* You have installed the SR-IOV Network Operator.
.Procedure
. Create a dedicated container namespace where you want to deploy your pod by using the following command:
+
[source,terminal]
----
$ oc new-project test-namespace
----
. Create an SR-IOV node policy:
.. Create an `SriovNetworkNodePolicy` object, and then save the YAML in the `sriov-node-network-policy.yaml` file:
+
[source,yaml]
----
apiVersion: sriovnetwork.openshift.io/v1
kind: SriovNetworkNodePolicy
metadata:
name: sriovnic
namespace: openshift-sriov-network-operator
spec:
deviceType: netdevice
isRdma: false
needVhostNet: true
nicSelector:
vendor: "15b3" <1>
deviceID: "101b" <2>
rootDevices: ["00:05.0"]
numVfs: 10
priority: 99
resourceName: sriovnic
nodeSelector:
feature.node.kubernetes.io/network-sriov.capable: "true"
----
+
[NOTE]
====
The SR-IOV network node policy configuration example, with the setting `deviceType: netdevice`, is tailored specifically for Mellanox Network Interface Cards (NICs).
====
+
<1> The vendor hexadecimal code of the SR-IOV network device. The value `15b3` is associated with a Mellanox NIC.
<2> The device hexadecimal code of the SR-IOV network device.
.. Apply the YAML by running the following command:
+
[source,terminal]
----
$ oc apply -f sriov-node-network-policy.yaml
----
+
[NOTE]
====
Applying this might take some time due to the node requiring a reboot.
====
. Create an SR-IOV network:
.. Create the `SriovNetwork` custom resource (CR) for the additional SR-IOV network attachment as in the following example CR. Save the YAML as the file `sriov-network-attachment.yaml`:
+
[source,yaml]
----
apiVersion: sriovnetwork.openshift.io/v1
kind: SriovNetwork
metadata:
name: sriov-network
namespace: openshift-sriov-network-operator
spec:
networkNamespace: test-namespace
resourceName: sriovnic
spoofChk: "off"
trust: "on"
----
.. Apply the YAML by running the following command:
+
[source,terminal]
----
$ oc apply -f sriov-network-attachment.yaml
----
. Create the VLAN additional network:
.. Using the following YAML example, create a file named `ipvlan100-additional-network-configuration.yaml`:
+
[source,yaml]
----
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
name: vlan-100
namespace: test-namespace
spec:
config: |
{
"cniVersion": "0.4.0",
"name": "vlan-100",
"plugins": [
{
"type": "vlan",
"master": "ext0", <1>
"mtu": 1500,
"vlanId": 100,
"linkInContainer": true, <2>
"ipam": {"type": "whereabouts", "ipRanges": [{"range": "1.1.1.0/24"}]}
}
]
}
----
+
<1> The VLAN configuration needs to specify the master name. This can be configured in the pod networks annotation.
<2> The `linkInContainer` parameter must be specified.
.. Apply the YAML file by running the following command:
+
[source,terminal]
----
$ oc apply -f vlan100-additional-network-configuration.yaml
----
. Create a pod definition by using the earlier specified networks:
.. Using the following YAML example, create a file named `pod-a.yaml` file:
+
[NOTE]
====
The manifest below includes 2 resources:
* Namespace with security labels
* Pod definition with appropriate network annotation
====
+
[source,yaml]
----
apiVersion: v1
kind: Namespace
metadata:
name: test-namespace
labels:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/warn: privileged
security.openshift.io/scc.podSecurityLabelSync: "false"
---
apiVersion: v1
kind: Pod
metadata:
name: nginx-pod
namespace: test-namespace
annotations:
k8s.v1.cni.cncf.io/networks: '[
{
"name": "sriov-network",
"namespace": "test-namespace",
"interface": "ext0" <1>
},
{
"name": "vlan-100",
"namespace": "test-namespace",
"interface": "ext0.100"
}
]'
spec:
securityContext:
runAsNonRoot: true
containers:
- name: nginx-container
image: nginxinc/nginx-unprivileged:latest
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
ports:
- containerPort: 80
seccompProfile:
type: "RuntimeDefault"
----
+
<1> The name to be used as the master for the VLAN interface.
.. Apply the YAML file by running the following command:
+
[source,terminal]
----
$ oc apply -f pod-a.yaml
----
. Get detailed information about the `nginx-pod` within the `test-namespace` by running the following command:
+
[source,terminal]
----
$ oc describe pods nginx-pod -n test-namespace
----
+
.Example output
+
[source,terminal]
----
Name: nginx-pod
Namespace: test-namespace
Priority: 0
Node: worker-1/10.46.186.105
Start Time: Mon, 14 Aug 2023 16:23:13 -0400
Labels: <none>
Annotations: k8s.ovn.org/pod-networks:
{"default":{"ip_addresses":["10.131.0.26/23"],"mac_address":"0a:58:0a:83:00:1a","gateway_ips":["10.131.0.1"],"routes":[{"dest":"10.128.0.0...
k8s.v1.cni.cncf.io/network-status:
[{
"name": "ovn-kubernetes",
"interface": "eth0",
"ips": [
"10.131.0.26"
],
"mac": "0a:58:0a:83:00:1a",
"default": true,
"dns": {}
},{
"name": "test-namespace/sriov-network",
"interface": "ext0",
"mac": "6e:a7:5e:3f:49:1b",
"dns": {},
"device-info": {
"type": "pci",
"version": "1.0.0",
"pci": {
"pci-address": "0000:d8:00.2"
}
}
},{
"name": "test-namespace/vlan-100",
"interface": "ext0.100",
"ips": [
"1.1.1.1"
],
"mac": "6e:a7:5e:3f:49:1b",
"dns": {}
}]
k8s.v1.cni.cncf.io/networks:
[ { "name": "sriov-network", "namespace": "test-namespace", "interface": "ext0" }, { "name": "vlan-100", "namespace": "test-namespace", "i...
openshift.io/scc: privileged
Status: Running
IP: 10.131.0.26
IPs:
IP: 10.131.0.26
----

4
networking/multiple_networks/configuring-additional-network.adoc
View File

@@ -179,3 +179,7 @@ include::modules/nw-multus-create-network.adoc[leveloffset=+1]
include::modules/nw-multus-create-network-apply.adoc[leveloffset=+1]
include::modules/nw-about-configuring-master-interface-container.adoc[leveloffset=+1]
include::modules/nw-multus-create-multiple-vlans-sriov.adoc[leveloffset=+2]
include::modules/nw-multus-create-master-interface-bridge-cni.adoc[leveloffset=+2]