openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-07 09:46:53 +01:00
Code Issues Releases Activity
Files
b861fb8d1fe02da170cbb977e5f74d9d1d76384c
openshift-docs/modules/nw-operator-cr.adoc

454 lines
17 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * installing/installing_aws/installing-aws-network-customizations.adoc
// * installing/installing_azure/installing-azure-network-customizations.adoc
// * installing/installing_bare_metal/installing-bare-metal-network-customizations.adoc
// * installing/installing_gcp/installing-gcp-network-customizations.adoc
// * installing/installing_ibm_power/installing-ibm-power.adoc
// * installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc
// * installing/installing_ibm_z/installing-ibm-z.adoc
// * installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc
// * installing/installing_ibm_z/installing-ibm-z-kvm.adoc
// * installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc
// * installing/installing_ibm_z/installing-ibm-z-lpar.adoc
// * installing/installing_ibm_z/installing-restricted-networks-ibm-z-lpar.adoc
// * installing/installing_vsphere/installing-vsphere-installer-provisioned-network-customizations.adoc
// * installing/installing_vsphere/installing-vsphere-network-customizations.adoc
// * networking/cluster-network-operator.adoc
// * networking/network_policy/logging-network-policy.adoc
// * post_installation_configuration/network-configuration.adoc
// * installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc
// * installing/installing_ibm_power/installing-ibm-power.adoc
// * installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc
// * installing/installing_azure_stack_hub/installing-azure-stack-hub-network-customizations.adoc
// Installation assemblies need different details than the CNO operator does
ifeval::["{context}" == "cluster-network-operator"]
:operator:
endif::[]
ifeval::["{context}" == "post-install-network-configuration"]
:post-install-network-configuration:
endif::[]
ifeval::["{context}" == "installing-ibm-cloud-network-customizations"]
:ibm-cloud:
endif::[]
:_mod-docs-content-type: CONCEPT
[id="nw-operator-cr_{context}"]
= Cluster Network Operator configuration
The configuration for the cluster network is specified as part of the Cluster Network Operator (CNO) configuration and stored in a custom resource (CR) object that is named `cluster`. The CR specifies the fields for the `Network` API in the `operator.openshift.io` API group.
The CNO configuration inherits the following fields during cluster installation from the `Network` API in the `Network.config.openshift.io` API group:
`clusterNetwork`:: IP address pools from which pod IP addresses are allocated.
`serviceNetwork`:: IP address pool for services.
//Installation no longer supports SDN, so excluding it from install docs here
`defaultNetwork.type`:: Cluster network plugin. `OVNKubernetes` is the only supported plugin during installation.
// For the post installation assembly, no further content is provided.
ifdef::post-install-network-configuration,operator[]
[NOTE]
====
After cluster installation, you can only modify the `clusterNetwork` IP address range. The default network type can only be changed from OpenShift SDN to OVN-Kubernetes through migration.
====
endif::[]
ifndef::post-install-network-configuration[]
You can specify the cluster network plugin configuration for your cluster by setting the fields for the `defaultNetwork` object in the CNO object named `cluster`.
[id="nw-operator-cr-cno-object_{context}"]
== Cluster Network Operator configuration object
The fields for the Cluster Network Operator (CNO) are described in the following table:
.Cluster Network Operator configuration object
[cols=".^2,.^2,.^6a",options="header"]
|====
|Field|Type|Description
|`metadata.name`
|`string`
|The name of the CNO object. This name is always `cluster`.
|`spec.clusterNetwork`
|`array`
|A list specifying the blocks of IP addresses from which pod IP addresses are
allocated and the subnet prefix length assigned to each individual node in the cluster. For example:
[source,yaml]
----
spec:
clusterNetwork:
- cidr: 10.128.0.0/19
hostPrefix: 23
- cidr: 10.128.32.0/19
hostPrefix: 23
----
|`spec.serviceNetwork`
|`array`
|A block of IP addresses for services. The OpenShift SDN and OVN-Kubernetes network plugins support only a single IP address block for the service network. For example:
[source,yaml]
----
spec:
serviceNetwork:
- 172.30.0.0/14
----
ifdef::operator[]
This value is ready-only and inherited from the `Network.config.openshift.io` object named `cluster` during cluster installation.
endif::operator[]
ifndef::operator[]
You can customize this field only in the `install-config.yaml` file before you create the manifests. The value is read-only in the manifest file.
endif::operator[]
|`spec.defaultNetwork`
|`object`
|Configures the network plugin for the cluster network.
|`spec.kubeProxyConfig`
|`object`
|
The fields for this object specify the kube-proxy configuration.
If you are using the OVN-Kubernetes cluster network plugin, the kube-proxy configuration has no effect.
|====
[discrete]
[id="nw-operator-cr-defaultnetwork_{context}"]
=== defaultNetwork object configuration
The values for the `defaultNetwork` object are defined in the following table:
.`defaultNetwork` object
[cols=".^3,.^2,.^5a",options="header"]
|====
|Field|Type|Description
|`type`
|`string`
|`OVNKubernetes`. The {openshift-networking} network plugin is selected during installation. This value cannot be changed after cluster installation.
[NOTE]
====
{product-title} uses the OVN-Kubernetes network plugin by default. OpenShift SDN is no longer available as an installation choice for new clusters.
====
|`ovnKubernetesConfig`
|`object`
|This object is only valid for the OVN-Kubernetes network plugin.
|====
ifdef::operator,post-installation-network-configuration[]
[discrete]
[id="nw-operator-configuration-parameters-for-openshift-sdn_{context}"]
==== Configuration for the OpenShift SDN network plugin
The following table describes the configuration fields for the OpenShift SDN network plugin:
.`openshiftSDNConfig` object
[cols=".^2,.^2,.^6a",options="header"]
|====
|Field|Type|Description
|`mode`
|`string`
|
ifndef::operator[]
Configures the network isolation mode for OpenShift SDN. The default value is `NetworkPolicy`.
The values `Multitenant` and `Subnet` are available for backwards compatibility with {product-title} 3.x but are not recommended. This value cannot be changed after cluster installation.
endif::operator[]
ifdef::operator[]
The network isolation mode for OpenShift SDN.
endif::operator[]
|`mtu`
|`integer`
|
ifndef::operator[]
The maximum transmission unit (MTU) for the VXLAN overlay network. This is detected automatically based on the MTU of the primary network interface. You do not normally need to override the detected MTU.
If the auto-detected value is not what you expect it to be, confirm that the MTU on the primary network interface on your nodes is correct. You cannot use this option to change the MTU value of the primary network interface on the nodes.
If your cluster requires different MTU values for different nodes, you must set this value to `50` less than the lowest MTU value in your cluster. For example, if some nodes in your cluster have an MTU of `9001`, and some have an MTU of `1500`, you must set this value to `1450`.
This value cannot be changed after cluster installation.
endif::operator[]
ifdef::operator[]
The maximum transmission unit (MTU) for the VXLAN overlay network. This value is normally configured automatically.
endif::operator[]
|`vxlanPort`
|`integer`
|
ifndef::operator[]
The port to use for all VXLAN packets. The default value is `4789`. This value cannot be changed after cluster installation.
If you are running in a virtualized environment with existing nodes that are part of another VXLAN network, then you might be required to change this. For example, when running an OpenShift SDN overlay on top of VMware NSX-T, you must select an alternate port for the VXLAN, because both SDNs use the same default VXLAN port number.
On Amazon Web Services (AWS), you can select an alternate port for the VXLAN between port `9000` and port `9999`.
endif::operator[]
ifdef::operator[]
The port to use for all VXLAN packets. The default value is `4789`.
endif::operator[]
|====
.Example OpenShift SDN configuration
[source,yaml]
----
defaultNetwork:
type: OpenShiftSDN
openshiftSDNConfig:
mode: NetworkPolicy
mtu: 1450
vxlanPort: 4789
----
endif::[]
[discrete]
[id="nw-operator-configuration-parameters-for-ovn-sdn_{context}"]
==== Configuration for the OVN-Kubernetes network plugin
The following table describes the configuration fields for the OVN-Kubernetes network plugin:
.`ovnKubernetesConfig` object
[cols=".^2,.^2,.^6a",options="header"]
|====
|Field|Type|Description
|`mtu`
|`integer`
|
ifndef::operator[]
The maximum transmission unit (MTU) for the Geneve (Generic Network Virtualization Encapsulation) overlay network. This is detected automatically based on the MTU of the primary network interface. You do not normally need to override the detected MTU.
If the auto-detected value is not what you expect it to be, confirm that the MTU on the primary network interface on your nodes is correct. You cannot use this option to change the MTU value of the primary network interface on the nodes.
If your cluster requires different MTU values for different nodes, you must set this value to `100` less than the lowest MTU value in your cluster. For example, if some nodes in your cluster have an MTU of `9001`, and some have an MTU of `1500`, you must set this value to `1400`.
endif::operator[]
ifdef::operator[]
The maximum transmission unit (MTU) for the Geneve (Generic Network Virtualization Encapsulation) overlay network. This value is normally configured automatically.
endif::operator[]
|`genevePort`
|`integer`
|
ifndef::operator[]
The port to use for all Geneve packets. The default value is `6081`. This value cannot be changed after cluster installation.
endif::operator[]
ifdef::operator[]
The UDP port for the Geneve overlay network.
endif::operator[]
|`ipsecConfig`
|`object`
|
ifndef::operator[]
Specify a configuration object for customizing the IPsec configuration.
endif::operator[]
ifdef::operator[]
An object describing the IPsec mode for the cluster.
endif::operator[]
|`policyAuditConfig`
|`object`
|Specify a configuration object for customizing network policy audit logging. If unset, the defaults audit log settings are used.
|`gatewayConfig`
|`object`
|Optional: Specify a configuration object for customizing how egress traffic is sent to the node gateway.
[NOTE]
====
While migrating egress traffic, you can expect some disruption to workloads and service traffic until the Cluster Network Operator (CNO) successfully rolls out the changes.
====
|`v4InternalSubnet`
|
If your existing network infrastructure overlaps with the `100.64.0.0/16` IPv4 subnet, you can specify a different IP address range for internal use by OVN-Kubernetes. You must ensure that the IP address range does not overlap with any other subnet used by your {product-title} installation. The IP address range must be larger than the maximum number of nodes that can be added to the cluster. For example, if the `clusterNetwork.cidr` value is `10.128.0.0/14` and the `clusterNetwork.hostPrefix` value is `/23`, then the maximum number of nodes is `2^(23-14)=512`.
This field cannot be changed after installation.
|The default value is `100.64.0.0/16`.
|`v6InternalSubnet`
|
If your existing network infrastructure overlaps with the `fd98::/48` IPv6 subnet, you can specify a different IP address range for internal use by OVN-Kubernetes. You must ensure that the IP address range does not overlap with any other subnet used by your {product-title} installation. The IP address range must be larger than the maximum number of nodes that can be added to the cluster.
This field cannot be changed after installation.
| The default value is `fd98::/48`.
|====
// tag::policy-audit[]
.`policyAuditConfig` object
[cols=".^2,.^2,.^6a",options="header"]
|====
|Field|Type|Description
|`rateLimit`
|integer
|The maximum number of messages to generate every second per node. The default value is `20` messages per second.
|`maxFileSize`
|integer
|The maximum size for the audit log in bytes. The default value is `50000000` or 50 MB.
|`maxLogFiles`
|integer
|The maximum number of log files that are retained.
|`destination`
|string
|
One of the following additional audit log targets:
`libc`:: The libc `syslog()` function of the journald process on the host.
`udp:<host>:<port>`:: A syslog server. Replace `<host>:<port>` with the host and port of the syslog server.
`unix:<file>`:: A Unix Domain Socket file specified by `<file>`.
`null`:: Do not send the audit logs to any additional target.
|`syslogFacility`
|string
|The syslog facility, such as `kern`, as defined by RFC5424. The default value is `local0`.
|====
// end::policy-audit[]
[id="gatewayConfig-object_{context}"]
.`gatewayConfig` object
[cols=".^2,.^2,.^6a",options="header"]
|====
|Field|Type|Description
|`routingViaHost`
|`boolean`
|Set this field to `true` to send egress traffic from pods to the host networking stack.
For highly-specialized installations and applications that rely on manually configured routes in the kernel routing table, you might want to route egress traffic to the host networking stack.
By default, egress traffic is processed in OVN to exit the cluster and is not affected by specialized routes in the kernel routing table.
The default value is `false`.
This field has an interaction with the Open vSwitch hardware offloading feature.
If you set this field to `true`, you do not receive the performance benefits of the offloading because egress traffic is processed by the host networking stack.
|`ipForwarding`
|`object`
|You can control IP forwarding for all traffic on OVN-Kubernetes managed interfaces by using the `ipForwarding` specification in the `Network` resource. Specify `Restricted` to only allow IP forwarding for Kubernetes related traffic. Specify `Global` to allow forwarding of all IP traffic. For new installations, the default is `Restricted`. For updates to {product-title} 4.14 or later, the default is `Global`.
|====
[id="nw-operator-cr-ipsec_{context}"]
.`ipsecConfig` object
[cols=".^2,.^2,.^6a",options="header"]
|====
|Field|Type|Description
|`mode`
|`string`
a|Specifies the behavior of the IPsec implementation. Must be one of the following values:
--
- `Disabled`: IPsec is not enabled on cluster nodes.
- `External`: IPsec is enabled for network traffic with external hosts.
- `Full`: IPsec is enabled for pod traffic and network traffic with external hosts.
--
|====
ifdef::operator[]
[NOTE]
====
You can only change the configuration for your cluster network plugin during cluster installation, except for the `gatewayConfig` field that can be changed at runtime as a postinstallation activity.
====
endif::operator[]
.Example OVN-Kubernetes configuration with IPSec enabled
[source,yaml]
----
defaultNetwork:
type: OVNKubernetes
ovnKubernetesConfig:
mtu: 1400
genevePort: 6081
ipsecConfig:
mode: Full
----
[IMPORTANT]
====
Using OVNKubernetes can lead to a stack exhaustion problem on {ibm-power-name}.
====
[discrete]
[id="nw-operator-cr-kubeproxyconfig_{context}"]
=== kubeProxyConfig object configuration (OpenShiftSDN container network interface only)
The values for the `kubeProxyConfig` object are defined in the following table:
.`kubeProxyConfig` object
[cols=".^3,.^2,.^5a",options="header"]
|====
|Field|Type|Description
|`iptablesSyncPeriod`
|`string`
|
The refresh period for `iptables` rules. The default value is `30s`. Valid suffixes include `s`, `m`, and `h` and are described in the link:https://golang.org/pkg/time/#ParseDuration[Go `time` package] documentation.
[NOTE]
====
Because of performance improvements introduced in {product-title} 4.3 and greater, adjusting the `iptablesSyncPeriod` parameter is no longer necessary.
====
|`proxyArguments.iptables-min-sync-period`
|`array`
|
The minimum duration before refreshing `iptables` rules. This field ensures that the refresh does not happen too frequently. Valid suffixes include `s`, `m`, and `h` and are described in the link:https://golang.org/pkg/time/#ParseDuration[Go `time` package]. The default value is:
[source,yaml]
----
kubeProxyConfig:
proxyArguments:
iptables-min-sync-period:
- 0s
----
|====
ifdef::operator[]
[id="nw-operator-example-cr_{context}"]
== Cluster Network Operator example configuration
A complete CNO configuration is specified in the following example:
.Example Cluster Network Operator object
[source,yaml]
----
apiVersion: operator.openshift.io/v1
kind: Network
metadata:
name: cluster
spec:
clusterNetwork:
- cidr: 10.128.0.0/14
hostPrefix: 23
serviceNetwork:
- 172.30.0.0/16
networkType: OVNKubernetes
clusterNetworkMTU: 8900
----
endif::operator[]
endif::post-install-network-configuration[]
ifeval::["{context}" == "cluster-network-operator"]
:!operator:
endif::[]
ifeval::["{context}" == "post-install-network-configuration"]
:!post-install-network-configuration:
endif::[]
ifeval::["{context}" == "installing-ibm-cloud-network-customizations"]
:!ibm-cloud:
endif::[]
View Git Blame Copy Permalink