From 2ee658d7c9858dffb48e3926b9971d6d480cd0cf Mon Sep 17 00:00:00 2001
From: Kevin Quinn
Date: Tue, 9 Jan 2024 16:20:43 +0000
Subject: [PATCH] OCPBUGS-26172 configuring the master interface in the container network namespace example2
---
 ...onfiguring-master-interface-container.adoc | 254 +----------------
 ...us-create-master-interface-bridge-cni.adoc | 213 ++++++++++++++
 ...nw-multus-create-multiple-vlans-sriov.adoc | 263 ++++++++++++++++++
 .../configuring-additional-network.adoc | 4 +
 4 files changed, 481 insertions(+), 253 deletions(-)
 create mode 100644 modules/nw-multus-create-master-interface-bridge-cni.adoc
 create mode 100644 modules/nw-multus-create-multiple-vlans-sriov.adoc
diff --git a/modules/nw-about-configuring-master-interface-container.adoc b/modules/nw-about-configuring-master-interface-container.adoc
index b816a4af98..81fbef538d 100644
--- a/modules/nw-about-configuring-master-interface-container.adoc
+++ b/modules/nw-about-configuring-master-interface-container.adoc
@@ -11,256 +11,4 @@ In {product-title} 4.14 and later, the ability to allow users to create a MAC-VL This feature allows you to create the master interfaces as part of the pod network configuration in a separate network attachment definition. You can then base the VLAN, MACVLAN, or IPVLAN on this interface without requiring the knowledge of the network configuration of the node. -To ensure the use of a container namespace master interface specify the `linkInContainer` and set the value to `true` in the VLAN, MACVLAN, or IPVLAN plugin configuration depending on the particular type of additional network. - -An example use case for utilizing this feature is to create multiple VLANs based on SR-IOV VFs. To do so, begin by creating an SR-IOV network and then define the network attachments for the VLAN interfaces. - -The following example shows how to configure the setup illustrated in this diagram. - -.Creating VLANs -image::345_OpenShift_config_additional_network_0823.png[Creating VLANs] - -.Prerequisites -* You installed the OpenShift CLI (`oc`). -* You have access to the cluster as a user with the `cluster-admin` role. -* You have installed the SR-IOV Network Operator. - -.Procedure - -. Create a dedicated container namespace where you want to deploy your pod by using the following command: -+ -[source,terminal] ----- -$ oc new-project test-namespace ----- -. Create an SR-IOV node policy: - -.. 
Create an `SriovNetworkNodePolicy` object, and then save the YAML in the `sriov-node-network-policy.yaml` file: -+ -[source,yaml] ----- -apiVersion: sriovnetwork.openshift.io/v1 -kind: SriovNetworkNodePolicy -metadata: - name: sriovnic - namespace: openshift-sriov-network-operator -spec: - deviceType: netdevice - isRdma: false - needVhostNet: true - nicSelector: - vendor: "15b3" <1> - deviceID: "101b" <2> - rootDevices: ["00:05.0"] - numVfs: 10 - priority: 99 - resourceName: sriovnic - nodeSelector: - feature.node.kubernetes.io/network-sriov.capable: "true" ----- -+ -[NOTE] -==== -The SR-IOV network node policy configuration example, with the setting `deviceType: netdevice`, is tailored specifically for Mellanox Network Interface Cards (NICs). -==== -+ -<1> The vendor hexadecimal code of the SR-IOV network device. The value `15b3` is associated with a Mellanox NIC. -<2> The device hexadecimal code of the SR-IOV network device. - -.. Apply the YAML by running the following command: -+ -[source,terminal] ----- -$ oc apply -f sriov-node-network-policy.yaml ----- -+ -[NOTE] -==== -Applying this might take some time due to the node requiring a reboot. -==== - -. Create an SR-IOV network: - -.. Create the `SriovNetwork` custom resource (CR) for the additional SR-IOV network attachment as in the following example CR. Save the YAML as the file `sriov-network-attachment.yaml`: -+ -[source,yaml] ----- -apiVersion: sriovnetwork.openshift.io/v1 -kind: SriovNetwork -metadata: - name: sriov-network - namespace: openshift-sriov-network-operator -spec: - networkNamespace: test-namespace - resourceName: sriovnic - spoofChk: "off" - trust: "on" ----- - -.. Apply the YAML by running the following command: -+ -[source,terminal] ----- -$ oc apply -f sriov-network-attachment.yaml ----- - -. 
Create a YAML file for the VLAN additional network configuration and then save the YAML in the `vlan100-additional-network-configuration.yaml` file: -+ -[source,yaml] ----- -apiVersion: k8s.cni.cncf.io/v1 -kind: NetworkAttachmentDefinition -metadata: - name: vlan-100 - namespace: test-namespace -spec: - config: | - { - "cniVersion": "0.4.0", - "name": "vlan-100", - "plugins": [ - { - "type": "vlan", - "master": "ext0", <1> - "mtu": 1500, - "vlanId": 100, - "linkInContainer": true, <2> - "ipam": {"type": "whereabouts", "ipRanges": [{"range": "1.1.1.0/24"}]} - } - ] - } ----- -+ -<1> The VLAN configuration needs to specify the master name. This can be configured in the pod networks annotation. -<2> The `linkInContainer` parameter must be specified. - -. Apply the YAML by running the following command: -+ -[source,terminal] ----- -$ oc apply -f vlan100-additional-network-configuration.yaml ----- - -. Create a pod definition by using the earlier specified networks and then save the YAML in the `pod-a.yaml` file. 
-+ -[NOTE] -==== -The manifest below includes 2 resources: - -* Namespace with security labels -* Pod definition with appropriate network annotation -==== -+ -[source,yaml] ----- -apiVersion: v1 -kind: Namespace -metadata: - name: test-namespace - labels: - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/warn: privileged - security.openshift.io/scc.podSecurityLabelSync: "false" ---- -apiVersion: v1 -kind: Pod -metadata: - name: nginx-pod - namespace: test-namespace - annotations: - k8s.v1.cni.cncf.io/networks: '[ - { - "name": "sriov-network", - "namespace": "test-namespace", - "interface": "ext0" <1> - }, - { - "name": "vlan-100", - "namespace": "test-namespace", - "interface": "ext0.100" - } - ]' -spec: - securityContext: - runAsNonRoot: true - containers: - - name: nginx-container - image: nginxinc/nginx-unprivileged:latest - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - ports: - - containerPort: 80 - seccompProfile: - type: "RuntimeDefault" ----- -+ -<1> The name to be used as the master for the VLAN interface. - -. Apply the YAML by running the following command: -+ -[source,terminal] ----- -$ oc apply -f pod-a.yaml ----- - -. Get detailed information about the `nginx-pod` within the `test-namespace` by running the following command: -+ -[source,terminal] ----- -$ oc describe pods nginx-pod -n test-namespace ----- -+ -.Expected output -+ -[source,terminal] ----- -Name: nginx-pod -Namespace: test-namespace -Priority: 0 -Node: worker-1/10.46.186.105 -Start Time: Mon, 14 Aug 2023 16:23:13 -0400 -Labels: -Annotations: k8s.ovn.org/pod-networks: - {"default":{"ip_addresses":["10.131.0.26/23"],"mac_address":"0a:58:0a:83:00:1a","gateway_ips":["10.131.0.1"],"routes":[{"dest":"10.128.0.0... 
- k8s.v1.cni.cncf.io/network-status: - [{ - "name": "ovn-kubernetes", - "interface": "eth0", - "ips": [ - "10.131.0.26" - ], - "mac": "0a:58:0a:83:00:1a", - "default": true, - "dns": {} - },{ - "name": "test-namespace/sriov-network", - "interface": "ext0", - "mac": "6e:a7:5e:3f:49:1b", - "dns": {}, - "device-info": { - "type": "pci", - "version": "1.0.0", - "pci": { - "pci-address": "0000:d8:00.2" - } - } - },{ - "name": "test-namespace/vlan-100", - "interface": "ext0.100", - "ips": [ - "1.1.1.1" - ], - "mac": "6e:a7:5e:3f:49:1b", - "dns": {} - }] - k8s.v1.cni.cncf.io/networks: - [ { "name": "sriov-network", "namespace": "test-namespace", "interface": "ext0" }, { "name": "vlan-100", "namespace": "test-namespace", "i... - openshift.io/scc: privileged -Status: Running -IP: 10.131.0.26 -IPs: - IP: 10.131.0.26 ----- \ No newline at end of file +To ensure the use of a container namespace master interface, specify the `linkInContainer` and set the value to `true` in the VLAN, MACVLAN, or IPVLAN plugin configuration depending on the particular type of additional network. \ No newline at end of file diff --git a/modules/nw-multus-create-master-interface-bridge-cni.adoc b/modules/nw-multus-create-master-interface-bridge-cni.adoc new file mode 100644 index 0000000000..a804e0df5d --- /dev/null +++ b/modules/nw-multus-create-master-interface-bridge-cni.adoc 
@@ -0,0 +1,213 @@ +// Module included in the following assemblies: +// +// * networking/multiple_networks/configuring-additional-network.adoc + +:_mod-docs-content-type: PROCEDURE +[id="nw-multus-create-master-interface-bridge-cni_{context}"] += Creating a subinterface based on a bridge master interface in a container namespace + +Creating a subinterface can be applied to other types of interfaces. Follow this procedure to create a subinterface based on a bridge master interface in a container namespace. + +.Prerequisites +* You have installed the OpenShift CLI (`oc`). +* You are logged in to the {product-title} cluster as a user with `cluster-admin` privileges. + +.Procedure + +. Create a dedicated container namespace where you want to deploy your pod by running the following command: ++ +[source,terminal] +---- +$ oc new-project test-namespace +---- + +. Using the following YAML example, create a bridge `NetworkAttachmentDefinition` custom resource (CR) file named `bridge-nad.yaml`: ++ +[source,yaml] +---- +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: bridge-network +spec: + config: '{ + "cniVersion": "0.4.0", + "name": "bridge-network", + "type": "bridge", + "bridge": "br-001", + "isGateway": true, + "ipMasq": true, + "hairpinMode": true, + "ipam": { + "type": "host-local", + "subnet": "10.0.0.0/24", + "routes": [{"dst": "0.0.0.0/0"}] + } + }' +---- + +. Run the following command to apply the `NetworkAttachmentDefinition` CR to your {product-title} cluster: ++ +[source,terminal] +---- +$ oc apply -f bridge-nad.yaml +---- + +. Verify that the `NetworkAttachmentDefinition` CR has been created successfully by running the following command: ++ +[source,terminal] +---- +$ oc get network-attachment-definitions +---- ++ +.Example output + +[source,terminal] +---- +NAME AGE +bridge-network 15s +---- + +. 
Using the following YAML example, create a file named `ipvlan-additional-network-configuration.yaml` for the IPVLAN additional network configuration: ++ +[source,yaml] +---- +apiVersion: k8s.cni.cncf.io/v1 +kind: NetworkAttachmentDefinition +metadata: + name: ipvlan-net + namespace: test-namespace +spec: + config: '{ + "cniVersion": "0.3.1", + "name": "ipvlan-net", + "type": "ipvlan", + "master": "ext0", <1> + "mode": "l3", + "linkInContainer": true, <2> + "ipam": {"type": "whereabouts", "ipRanges": [{"range": "10.0.0.0/24"}]} + }' +---- ++ +<1> Specifies the ethernet interface to associate with the network attachment. This is subsequently configured in the pod networks annotation. +<2> Specifies that the master interface is in the container network namespace. + +. Apply the YAML file by running the following command: ++ +[source,terminal] +---- +$ oc apply -f ipvlan-additional-network-configuration.yaml +---- + +. Verify that the `NetworkAttachmentDefinition` CR has been created successfully by running the following command: ++ +[source,terminal] +---- +$ oc get network-attachment-definitions +---- ++ +.Example output + +[source,terminal] +---- +NAME AGE +bridge-network 87s +ipvlan-net 9s +---- + +. Using the following YAML example, create a file named `pod-a.yaml` for the pod definition: ++ +[source,yaml] +---- +apiVersion: v1 +kind: Pod +metadata: + name: pod-a + namespace: test-namespace + annotations: + k8s.v1.cni.cncf.io/networks: '[ + { + "name": "bridge-network", + "interface": "ext0" <1> + }, + { + "name": "ipvlan-net", + "interface": "ext1" + } + ]' +spec: + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: test-pod + image: quay.io/openshifttest/hello-sdn@sha256:c89445416459e7adea9a5a416b3365ed3d74f2491beb904d61dc8d1eb89a72a4 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: [ALL] +---- ++ +<1> Specifies the name to be used as the master for the IPVLAN interface. + +. 
Apply the YAML file by running the following command: ++ +[source,terminal] +---- +$ oc apply -f pod-a.yaml +---- + +. Verify that the pod is running by using the following command: ++ +[source,terminal] +---- +$ oc get pod -n test-namespace +---- ++ +.Example output ++ +[source,terminal] +---- +NAME READY STATUS RESTARTS AGE +pod-a 1/1 Running 0 2m36s +---- + +. Show network interface information about the `pod-a` resource within the `test-namespace` by running the following command: ++ +[source,terminal] +---- +$ oc exec -n test-namespace pod-a -- ip a +---- ++ +.Example output ++ +[source,terminal] +---- +1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + inet 127.0.0.1/8 scope host lo + valid_lft forever preferred_lft forever + inet6 ::1/128 scope host + valid_lft forever preferred_lft forever +3: eth0@if105: mtu 1400 qdisc noqueue state UP group default + link/ether 0a:58:0a:d9:00:5d brd ff:ff:ff:ff:ff:ff link-netnsid 0 + inet 10.217.0.93/23 brd 10.217.1.255 scope global eth0 + valid_lft forever preferred_lft forever + inet6 fe80::488b:91ff:fe84:a94b/64 scope link + valid_lft forever preferred_lft forever +4: ext0@if107: mtu 1500 qdisc noqueue state UP group default + link/ether be:da:bd:7e:f4:37 brd ff:ff:ff:ff:ff:ff link-netnsid 0 + inet 10.0.0.2/24 brd 10.0.0.255 scope global ext0 + valid_lft forever preferred_lft forever + inet6 fe80::bcda:bdff:fe7e:f437/64 scope link + valid_lft forever preferred_lft forever +5: ext1@ext0: mtu 1500 qdisc noqueue state UNKNOWN group default + link/ether be:da:bd:7e:f4:37 brd ff:ff:ff:ff:ff:ff + inet 10.0.0.1/24 brd 10.0.0.255 scope global ext1 + valid_lft forever preferred_lft forever + inet6 fe80::beda:bd00:17e:f437/64 scope link + valid_lft forever preferred_lft forever +---- ++ +This output shows that the network interface `ext1` is associated with the physical interface `ext0`. \ No newline at end of file 
diff --git a/modules/nw-multus-create-multiple-vlans-sriov.adoc b/modules/nw-multus-create-multiple-vlans-sriov.adoc
new file mode 100644
index 0000000000..85825b2cb7
--- /dev/null
+++ b/modules/nw-multus-create-multiple-vlans-sriov.adoc
@@ -0,0 +1,263 @@ +// Module included in the following assemblies: +// +// * networking/multiple_networks/configuring-additional-network.adoc + +:_mod-docs-content-type: PROCEDURE +[id="nw-multus-create-multiple-vlans-sriov_{context}"] += Creating multiple VLANs on SR-IOV VFs + +An example use case for utilizing this feature is to create multiple VLANs based on SR-IOV VFs. To do so, begin by creating an SR-IOV network and then define the network attachments for the VLAN interfaces. + +The following example shows how to configure the setup illustrated in this diagram. + +.Creating VLANs +image::345_OpenShift_config_additional_network_0823.png[Creating VLANs] + +.Prerequisites +* You installed the OpenShift CLI (`oc`). +* You have access to the cluster as a user with the `cluster-admin` role. +* You have installed the SR-IOV Network Operator. + +.Procedure + +. Create a dedicated container namespace where you want to deploy your pod by using the following command: ++ +[source,terminal] +---- +$ oc new-project test-namespace +---- +. Create an SR-IOV node policy: + +.. Create an `SriovNetworkNodePolicy` object, and then save the YAML in the `sriov-node-network-policy.yaml` file: ++ +[source,yaml] +---- +apiVersion: sriovnetwork.openshift.io/v1 +kind: SriovNetworkNodePolicy +metadata: + name: sriovnic + namespace: openshift-sriov-network-operator +spec: + deviceType: netdevice + isRdma: false + needVhostNet: true + nicSelector: + vendor: "15b3" <1> + deviceID: "101b" <2> + rootDevices: ["00:05.0"] + numVfs: 10 + priority: 99 + resourceName: sriovnic + nodeSelector: + feature.node.kubernetes.io/network-sriov.capable: "true" +---- ++ +[NOTE] +==== +The SR-IOV network node policy configuration example, with the setting `deviceType: netdevice`, is tailored specifically for Mellanox Network Interface Cards (NICs). +==== ++ +<1> The vendor hexadecimal code of the SR-IOV network device. The value `15b3` is associated with a Mellanox NIC. 
+<2> The device hexadecimal code of the SR-IOV network device. + +.. Apply the YAML by running the following command: ++ +[source,terminal] +---- +$ oc apply -f sriov-node-network-policy.yaml +---- ++ +[NOTE] +==== +Applying this might take some time due to the node requiring a reboot. +==== + +. Create an SR-IOV network: + +.. Create the `SriovNetwork` custom resource (CR) for the additional SR-IOV network attachment as in the following example CR. Save the YAML as the file `sriov-network-attachment.yaml`: ++ +[source,yaml] +---- +apiVersion: sriovnetwork.openshift.io/v1 +kind: SriovNetwork +metadata: + name: sriov-network + namespace: openshift-sriov-network-operator +spec: + networkNamespace: test-namespace + resourceName: sriovnic + spoofChk: "off" + trust: "on" +---- + +.. Apply the YAML by running the following command: ++ +[source,terminal] +---- +$ oc apply -f sriov-network-attachment.yaml +---- + +. Create the VLAN additional network: + +.. Using the following YAML example, create a file named `ipvlan100-additional-network-configuration.yaml`: ++ +[source,yaml] +---- +apiVersion: k8s.cni.cncf.io/v1 +kind: NetworkAttachmentDefinition +metadata: + name: vlan-100 + namespace: test-namespace +spec: + config: | + { + "cniVersion": "0.4.0", + "name": "vlan-100", + "plugins": [ + { + "type": "vlan", + "master": "ext0", <1> + "mtu": 1500, + "vlanId": 100, + "linkInContainer": true, <2> + "ipam": {"type": "whereabouts", "ipRanges": [{"range": "1.1.1.0/24"}]} + } + ] + } +---- ++ +<1> The VLAN configuration needs to specify the master name. This can be configured in the pod networks annotation. +<2> The `linkInContainer` parameter must be specified. + +.. Apply the YAML file by running the following command: ++ +[source,terminal] +---- +$ oc apply -f vlan100-additional-network-configuration.yaml +---- + +. Create a pod definition by using the earlier specified networks: + +.. 
Using the following YAML example, create a file named `pod-a.yaml` file: ++ +[NOTE] +==== +The manifest below includes 2 resources: + +* Namespace with security labels +* Pod definition with appropriate network annotation +==== ++ +[source,yaml] +---- +apiVersion: v1 +kind: Namespace +metadata: + name: test-namespace + labels: + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/warn: privileged + security.openshift.io/scc.podSecurityLabelSync: "false" +--- +apiVersion: v1 +kind: Pod +metadata: + name: nginx-pod + namespace: test-namespace + annotations: + k8s.v1.cni.cncf.io/networks: '[ + { + "name": "sriov-network", + "namespace": "test-namespace", + "interface": "ext0" <1> + }, + { + "name": "vlan-100", + "namespace": "test-namespace", + "interface": "ext0.100" + } + ]' +spec: + securityContext: + runAsNonRoot: true + containers: + - name: nginx-container + image: nginxinc/nginx-unprivileged:latest + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + ports: + - containerPort: 80 + seccompProfile: + type: "RuntimeDefault" +---- ++ +<1> The name to be used as the master for the VLAN interface. + +.. Apply the YAML file by running the following command: ++ +[source,terminal] +---- +$ oc apply -f pod-a.yaml +---- + +. Get detailed information about the `nginx-pod` within the `test-namespace` by running the following command: ++ +[source,terminal] +---- +$ oc describe pods nginx-pod -n test-namespace +---- ++ +.Example output ++ +[source,terminal] +---- +Name: nginx-pod +Namespace: test-namespace +Priority: 0 +Node: worker-1/10.46.186.105 +Start Time: Mon, 14 Aug 2023 16:23:13 -0400 +Labels: +Annotations: k8s.ovn.org/pod-networks: + {"default":{"ip_addresses":["10.131.0.26/23"],"mac_address":"0a:58:0a:83:00:1a","gateway_ips":["10.131.0.1"],"routes":[{"dest":"10.128.0.0... 
+ k8s.v1.cni.cncf.io/network-status: + [{ + "name": "ovn-kubernetes", + "interface": "eth0", + "ips": [ + "10.131.0.26" + ], + "mac": "0a:58:0a:83:00:1a", + "default": true, + "dns": {} + },{ + "name": "test-namespace/sriov-network", + "interface": "ext0", + "mac": "6e:a7:5e:3f:49:1b", + "dns": {}, + "device-info": { + "type": "pci", + "version": "1.0.0", + "pci": { + "pci-address": "0000:d8:00.2" + } + } + },{ + "name": "test-namespace/vlan-100", + "interface": "ext0.100", + "ips": [ + "1.1.1.1" + ], + "mac": "6e:a7:5e:3f:49:1b", + "dns": {} + }] + k8s.v1.cni.cncf.io/networks: + [ { "name": "sriov-network", "namespace": "test-namespace", "interface": "ext0" }, { "name": "vlan-100", "namespace": "test-namespace", "i... + openshift.io/scc: privileged +Status: Running +IP: 10.131.0.26 +IPs: + IP: 10.131.0.26 +---- diff --git a/networking/multiple_networks/configuring-additional-network.adoc b/networking/multiple_networks/configuring-additional-network.adoc index 487888a669..a786deda0f 100644 --- a/networking/multiple_networks/configuring-additional-network.adoc +++ b/networking/multiple_networks/configuring-additional-network.adoc @@ -179,3 +179,7 @@ include::modules/nw-multus-create-network.adoc[leveloffset=+1] include::modules/nw-multus-create-network-apply.adoc[leveloffset=+1] include::modules/nw-about-configuring-master-interface-container.adoc[leveloffset=+1] + +include::modules/nw-multus-create-multiple-vlans-sriov.adoc[leveloffset=+2] + +include::modules/nw-multus-create-master-interface-bridge-cni.adoc[leveloffset=+2]