mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
119 lines
8.3 KiB
Plaintext
119 lines
8.3 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * microshift_networking/microshift-understanding networking.adoc
|
|
|
|
:_content-type: CONCEPT
|
|
[id="microshift-cni_{context}"]
|
|
= About the OVN-Kubernetes network plugin
|
|
|
|
OVN-Kubernetes is the default networking solution for {product-title} deployments. OVN-Kubernetes is a virtualized network for pods and services that is based on Open Virtual Network (OVN). The OVN-Kubernetes Container Network Interface (CNI) plugin is the network plugin for the cluster. A cluster that uses the OVN-Kubernetes network plugin also runs Open vSwitch (OVS) on the node. OVN configures OVS on the node to implement the declared network configuration.
|
|
|
|
[id="microshift-network-topology_{context}"]
|
|
== Network topology
|
|
OVN-Kubernetes provides an overlay-based networking implementation. This overlay includes an OVS-based implementation of Service and NetworkPolicy. The overlay network uses the Geneve (Generic Network Virtualization Encapsulation) tunnel protocol. The pod maximum transmission unit (MTU) for the Geneve tunnel is set to a smaller value than the MTU of the physical interface on the host. This smaller MTU makes room for the required information that is added to the tunnel header before it is transmitted.
|
|
|
|
OVS runs as a systemd service on the {product-title} node. The OVS RPM package is installed as a dependency to the `microshift-networking` RPM package. OVS is started immediately when the `microshift-networking` RPM is installed.
|
|
|
|
.{product-title} network topology
|
|
image:317_RHbM_OVN_topology_0323.png[title="{product-title} uses an overlay-based networking implementation, details follow."]
|
|
|
|
[id="microshift-description-ovn-logical-components_{context}"]
|
|
=== Description of the OVN logical components of the virtualized network
|
|
OVN node switch::
|
|
A virtual switch named `<node-name>`. The OVN node switch is named according to the hostname of the node.
|
|
** In this example, the `node-name` is `microshift-dev`.
|
|
|
|
OVN cluster router::
|
|
A virtual router named `ovn_cluster_router`, also known as the distributed router.
|
|
** In this example, the cluster network is `10.42.0.0/16`.
|
|
|
|
OVN join switch::
|
|
A virtual switch named `join`.
|
|
|
|
OVN gateway router::
|
|
A virtual router named `GR_<node-name>`, also known as the external gateway router.
|
|
|
|
OVN external switch::
|
|
A virtual switch named `ext_<node-name>.`
|
|
|
|
[id="microshift-description-connections-network-topology_{context}"]
|
|
=== Description of the connections in the network topology figure
|
|
* The north-south traffic between the network service device `enp1s0` and the OVN external switch `ext_microshift-dev`, is provided through the OVS patch port by the gateway bridge `br-ex`.
|
|
* The OVN gateway router `GR_microshift-dev` is connected to the external network switch `ext_microshift-dev` through the logical router port 4. Port 4 is attached with the node IP address 192.168.122.14.
|
|
* The join switch `join` connects the OVN gateway router `GR_microshift-dev` to the OVN cluster router `ovn_cluster_router`. The IP address range is 100.62.0.0/16.
|
|
** The OVN gateway router `GR_microshift-dev` connects to the OVN join switch `join` through the logical router port 3. Port 3 attaches with the internal IP address 100.64.0.2.
|
|
** The OVN cluster router `ovn_cluster_router` connects to the join switch `join` through the logical router port 2. Port 2 attaches with the internal IP address 100.64.0.1.
|
|
* The OVN cluster router `ovn_cluster_router` connects to the node switch `microshift-dev` through the logical router port 1. Port 1 is attached with the OVN cluster network IP address 10.42.0.1.
|
|
* The east-west traffic between the pods and the network service is provided by the OVN cluster router `ovn_cluster_router` and the node switch `microshift-dev`. The IP address range is 10.42.0.0/24.
|
|
* The east-west traffic between pods is provided by the node switch `microshift-dev` without network address translation (NAT).
|
|
* The north-south traffic between the pods and the external network is provided by the OVN cluster router `ovn_cluster_router` and the host network. This router is connected through the `ovn-kubernetes` management port `ovn-k8s-mp0`, with the IP address 10.42.0.2.
|
|
* All the pods are connected to the OVN node switch through their interfaces.
|
|
** In this example, Pod 1 and Pod 2 are connected to the node switch through `Interface 1` and `Interface 2`.
|
|
|
|
[id="microshift-ip-forward_{context}"]
|
|
== IP forward
|
|
The host network `sysctl net.ipv4.ip_forward` kernel parameter is automatically enabled by the `ovnkube-master` container when started. This is required to forward incoming traffic to the CNI. For example, accessing the NodePort service from outside of a cluster fails if `ip_forward` is disabled.
|
|
|
|
[id="microshift-network-performance_{context}"]
|
|
== Network performance optimizations
|
|
By default, three performance optimizations are applied to OVS services to minimize resource consumption:
|
|
|
|
* CPU affinity to `ovs-vswitchd.service` and `ovsdb-server.service`
|
|
* `no-mlockall` to `openvswitch.service`
|
|
* Limit handler and `revalidator` threads to `ovs-vswitchd.service`
|
|
|
|
[id="microshift-network-features_{context}"]
|
|
== Network features
|
|
Networking features available with {product-title} {product-version} include:
|
|
|
|
* Kubernetes network policy
|
|
* Dynamic node IP
|
|
* Cluster network on specified host interface
|
|
|
|
Networking features not available with {product-title} {product-version}:
|
|
|
|
* Egress IP/firewall/qos: disabled
|
|
* Hybrid networking: not supported
|
|
* IPsec: not supported
|
|
* Hardware offload: not supported
|
|
|
|
//Q: are there immutable network settings we should tell users about?
|
|
[id="microshift-network-comps-svcs_{context}"]
|
|
== {product-title} networking components and services
|
|
This brief overview describes networking components and their operation in {product-title}. The `microshift-networking` RPM is a package that automatically pulls in any networking-related dependencies and systemd services to initialize networking, for example, the `microshift-ovs-init` systemd service.
|
|
|
|
NetworkManager::
|
|
NetworkManager is required to set up the initial gateway bridge on the {product-title} node. The NetworkManager and `NetworkManager-ovs` RPM packages are installed as dependencies to the `microshift-networking` RPM package, which contains the necessary configuration files. NetworkManager in {product-title} uses the `keyfile` plugin and is restarted after installation of the `microshift-networking` RPM package.
|
|
|
|
microshift-ovs-init::
|
|
The `microshift-ovs-init.service` is installed by the `microshift-networking` RPM package as a dependent systemd service to microshift.service. It is responsible for setting up the OVS gateway bridge.
|
|
|
|
OVN containers::
|
|
Two OVN-Kubernetes daemon sets are rendered and applied by {product-title}.
|
|
|
|
* *ovnkube-master*
|
|
Includes the `northd`, `nbdb`, `sbdb` and `ovnkube-master` containers.
|
|
|
|
* *ovnkube-node*
|
|
The ovnkube-node includes the OVN-Controller container.
|
|
+
|
|
After {product-title} boots, the OVN-Kubernetes daemon sets are deployed in the `openshift-ovn-kubernetes` namespace.
|
|
|
|
Packaging::
|
|
OVN-Kubernetes manifests and startup logic are built into {product-title}. The systemd services and configurations included in `microshift-networking` RPM are:
|
|
|
|
* `/etc/NetworkManager/conf.d/microshift-nm.conf` for NetworkManager.service
|
|
* `/etc/systemd/system/ovs-vswitchd.service.d/microshift-cpuaffinity.conf` for ovs-vswitchd.service
|
|
* `/etc/systemd/system/ovsdb-server.service.d/microshift-cpuaffinity.conf`
|
|
* `/usr/bin/configure-ovs-microshift.sh` for microshift-ovs-init.service
|
|
* `/usr/bin/configure-ovs.sh` for microshift-ovs-init.service
|
|
* `/etc/crio/crio.conf.d/microshift-ovn.conf` for CRI-O service
|
|
|
|
[id="microshift-bridge-mapping_{context}"]
|
|
== Bridge mappings
|
|
Bridge mappings allow provider network traffic to reach the physical network. Traffic leaves the provider network and arrives at the `br-int` bridge. A patch port between `br-int` and `br-ex` then allows the traffic to traverse to and from the provider network and the edge network. Kubernetes pods are connected to the `br-int` bridge through virtual ethernet pair: one end of the virtual ethernet pair is attached to the pod namespace, and the other end is attached to the `br-int` bridge.
|
|
|
|
[id="microshift-primary-gateway-interface_{context}"]
|
|
=== Primary gateway interface
|
|
You can specify the desired host interface name in the `ovn.yaml` config file as `gatewayInterface`. The specified interface is added in OVS bridge br-ex which acts as gateway bridge for the CNI network.
|