| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * networking/multiple_networks/configuring-additional-network.adoc |
| 4 | + |
| 5 | +:_content-type: CONCEPT |
| 6 | + |
| 7 | +[id="nw-about-configuring-master-interface-container_{context}"] |
| 8 | += About configuring the master interface in the container network namespace |
| 9 | + |
| 10 | +In {product-title} 4.14 and later, the ability to allow users to create a MAC-VLAN, IP-VLAN, and VLAN subinterface based on a master interface in a container namespace is now generally available. |
| 11 | + |
| 12 | +This feature allows you to create the master interfaces as part of the pod network configuration in a separate network attachment definition. You can then base the VLAN, MACVLAN, or IPVLAN on this interface without requiring the knowledge of the network configuration of the node. |
| 13 | + |
| 14 | +To ensure the use of a container namespace master interface specify the `linkInContainer` and set the value to `true` in the VLAN, MACVLAN, or IPVLAN plugin configuration depending on the particular type of additional network. |
| 15 | + |
| 16 | +An example use case for utilizing this feature is to create multiple VLANs based on SR-IOV VFs. To do so, begin by creating an SR-IOV network and then define the network attachments for the VLAN interfaces. |
| 17 | + |
| 18 | +The following example shows how to configure the setup illustrated in this diagram. |
| 19 | + |
| 20 | +.Creating VLANs |
| 21 | +image::345_OpenShift_config_additional_network_0823.png[Creating VLANs] |
| 22 | + |
| 23 | +.Prerequisites |
| 24 | +* You installed the OpenShift CLI (`oc`). |
| 25 | +* You have access to the cluster as a user with the `cluster-admin` role. |
| 26 | +* You have installed the SR-IOV Network Operator. |
| 27 | + |
| 28 | +.Procedure |
| 29 | + |
| 30 | +. Create a dedicated container namespace where you want to deploy your pod by using the following command: |
| 31 | ++ |
| 32 | +[source,terminal] |
| 33 | +---- |
| 34 | +$ oc new-project test-namespace |
| 35 | +---- |
| 36 | +. Create an SR-IOV node policy: |
| 37 | + |
| 38 | +.. Create an `SriovNetworkNodePolicy` object, and then save the YAML in the `sriov-node-network-policy.yaml` file: |
| 39 | ++ |
| 40 | +[source,yaml] |
| 41 | +---- |
| 42 | +apiVersion: sriovnetwork.openshift.io/v1 |
| 43 | +kind: SriovNetworkNodePolicy |
| 44 | +metadata: |
| 45 | + name: sriovnic |
| 46 | + namespace: openshift-sriov-network-operator |
| 47 | +spec: |
| 48 | + deviceType: netdevice |
| 49 | + isRdma: false |
| 50 | + needVhostNet: true |
| 51 | + nicSelector: |
| 52 | + vendor: "15b3" <1> |
| 53 | + deviceID: "101b" <2> |
| 54 | + rootDevices: ["00:05.0"] |
| 55 | + numVfs: 10 |
| 56 | + priority: 99 |
| 57 | + resourceName: sriovnic |
| 58 | + nodeSelector: |
| 59 | + feature.node.kubernetes.io/network-sriov.capable: "true" |
| 60 | +---- |
| 61 | ++ |
| 62 | +[NOTE] |
| 63 | +==== |
| 64 | +The SR-IOV network node policy configuration example, with the setting `deviceType: netdevice`, is tailored specifically for Mellanox Network Interface Cards (NICs). |
| 65 | +==== |
| 66 | ++ |
| 67 | +<1> The vendor hexadecimal code of the SR-IOV network device. The value `15b3` is associated with a Mellanox NIC. |
| 68 | +<2> The device hexadecimal code of the SR-IOV network device. |
| 69 | + |
| 70 | +.. Apply the YAML by running the following command: |
| 71 | ++ |
| 72 | +[source,terminal] |
| 73 | +---- |
| 74 | +$ oc apply -f sriov-node-network-policy.yaml |
| 75 | +---- |
| 76 | ++ |
| 77 | +[NOTE] |
| 78 | +==== |
| 79 | +Applying this might take some time due to the node requiring a reboot. |
| 80 | +==== |
| 81 | + |
| 82 | +. Create an SR-IOV network: |
| 83 | + |
| 84 | +.. Create the `SriovNetwork` custom resource (CR) for the additional SR-IOV network attachment as in the following example CR. Save the YAML as the file `sriov-network-attachment.yaml`: |
| 85 | ++ |
| 86 | +[source,yaml] |
| 87 | +---- |
| 88 | +apiVersion: sriovnetwork.openshift.io/v1 |
| 89 | +kind: SriovNetwork |
| 90 | +metadata: |
| 91 | + name: sriov-network |
| 92 | + namespace: openshift-sriov-network-operator |
| 93 | +spec: |
| 94 | + networkNamespace: test-namespace |
| 95 | + resourceName: sriovnic |
| 96 | + spoofChk: "off" |
| 97 | + trust: "on" |
| 98 | +---- |
| 99 | + |
| 100 | +.. Apply the YAML by running the following command: |
| 101 | ++ |
| 102 | +[source,terminal] |
| 103 | +---- |
| 104 | +$ oc apply -f sriov-network-attachment.yaml |
| 105 | +---- |
| 106 | + |
| 107 | +. Create a YAML file for the VLAN additional network configuration and then save the YAML in the `vlan100-additional-network-configuration.yaml` file: |
| 108 | ++ |
| 109 | +[source,yaml] |
| 110 | +---- |
| 111 | +apiVersion: k8s.cni.cncf.io/v1 |
| 112 | +kind: NetworkAttachmentDefinition |
| 113 | +metadata: |
| 114 | + name: vlan-100 |
| 115 | + namespace: test-namespace |
| 116 | +spec: |
| 117 | + config: | |
| 118 | + { |
| 119 | + "cniVersion": "0.4.0", |
| 120 | + "name": "vlan-100", |
| 121 | + "plugins": [ |
| 122 | + { |
| 123 | + "type": "vlan", |
| 124 | + "master": "ext0", <1> |
| 125 | + "mtu": 1500, |
| 126 | + "vlanId": 100, |
| 127 | + "linkInContainer": true, <2> |
| 128 | + "ipam": {"type": "whereabouts", "ipRanges": [{"range": "1.1.1.0/24"}]} |
| 129 | + } |
| 130 | + ] |
| 131 | + } |
| 132 | +---- |
| 133 | ++ |
| 134 | +<1> The VLAN configuration needs to specify the master name. This can be configured in the pod networks annotation. |
| 135 | +<2> The `linkInContainer` parameter must be specified. |
| 136 | + |
| 137 | +. Apply the YAML by running the following command: |
| 138 | ++ |
| 139 | +[source,terminal] |
| 140 | +---- |
| 141 | +$ oc apply -f vlan100-additional-network-configuration.yaml |
| 142 | +---- |
| 143 | + |
| 144 | +. Create a pod definition by using the earlier specified networks and then save the YAML in the `pod-a.yaml` file. |
| 145 | ++ |
| 146 | +[NOTE] |
| 147 | +==== |
| 148 | +The manifest below includes 2 resources: |
| 149 | +
|
| 150 | +* Namespace with security labels |
| 151 | +* Pod definition with appropriate network annotation |
| 152 | +==== |
| 153 | ++ |
| 154 | +[source,yaml] |
| 155 | +---- |
| 156 | +apiVersion: v1 |
| 157 | +kind: Namespace |
| 158 | +metadata: |
| 159 | + name: test-namespace |
| 160 | + labels: |
| 161 | + pod-security.kubernetes.io/enforce: privileged |
| 162 | + pod-security.kubernetes.io/audit: privileged |
| 163 | + pod-security.kubernetes.io/warn: privileged |
| 164 | + security.openshift.io/scc.podSecurityLabelSync: "false" |
| 165 | +--- |
| 166 | +apiVersion: v1 |
| 167 | +kind: Pod |
| 168 | +metadata: |
| 169 | + name: nginx-pod |
| 170 | + namespace: test-namespace |
| 171 | + annotations: |
| 172 | + k8s.v1.cni.cncf.io/networks: '[ |
| 173 | + { |
| 174 | + "name": "sriov-network", |
| 175 | + "namespace": "test-namespace", |
| 176 | + "interface": "ext0" <1> |
| 177 | + }, |
| 178 | + { |
| 179 | + "name": "vlan-100", |
| 180 | + "namespace": "test-namespace", |
| 181 | + "interface": "ext0.100" |
| 182 | + } |
| 183 | + ]' |
| 184 | +spec: |
| 185 | + securityContext: |
| 186 | + runAsNonRoot: true |
| 187 | + containers: |
| 188 | + - name: nginx-container |
| 189 | + image: nginxinc/nginx-unprivileged:latest |
| 190 | + securityContext: |
| 191 | + allowPrivilegeEscalation: false |
| 192 | + capabilities: |
| 193 | + drop: ["ALL"] |
| 194 | + ports: |
| 195 | + - containerPort: 80 |
| 196 | + seccompProfile: |
| 197 | + type: "RuntimeDefault" |
| 198 | +---- |
| 199 | ++ |
| 200 | +<1> The name to be used as the master for the VLAN interface. |
| 201 | + |
| 202 | +. Apply the YAML by running the following command: |
| 203 | ++ |
| 204 | +[source,terminal] |
| 205 | +---- |
| 206 | +$ oc apply -f pod-a.yaml |
| 207 | +---- |
| 208 | + |
| 209 | +. Get detailed information about the `nginx-pod` within the `test-namespace` by running the following command: |
| 210 | ++ |
| 211 | +[source,terminal] |
| 212 | +---- |
| 213 | +$ oc describe pods nginx-pod -n test-namespace |
| 214 | +---- |
| 215 | ++ |
| 216 | +.Expected output |
| 217 | ++ |
| 218 | +[source,terminal] |
| 219 | +---- |
| 220 | +Name: nginx-pod |
| 221 | +Namespace: test-namespace |
| 222 | +Priority: 0 |
| 223 | +Node: worker-1/10.46.186.105 |
| 224 | +Start Time: Mon, 14 Aug 2023 16:23:13 -0400 |
| 225 | +Labels: <none> |
| 226 | +Annotations: k8s.ovn.org/pod-networks: |
| 227 | + {"default":{"ip_addresses":["10.131.0.26/23"],"mac_address":"0a:58:0a:83:00:1a","gateway_ips":["10.131.0.1"],"routes":[{"dest":"10.128.0.0... |
| 228 | + k8s.v1.cni.cncf.io/network-status: |
| 229 | + [{ |
| 230 | + "name": "ovn-kubernetes", |
| 231 | + "interface": "eth0", |
| 232 | + "ips": [ |
| 233 | + "10.131.0.26" |
| 234 | + ], |
| 235 | + "mac": "0a:58:0a:83:00:1a", |
| 236 | + "default": true, |
| 237 | + "dns": {} |
| 238 | + },{ |
| 239 | + "name": "test-namespace/sriov-network", |
| 240 | + "interface": "ext0", |
| 241 | + "mac": "6e:a7:5e:3f:49:1b", |
| 242 | + "dns": {}, |
| 243 | + "device-info": { |
| 244 | + "type": "pci", |
| 245 | + "version": "1.0.0", |
| 246 | + "pci": { |
| 247 | + "pci-address": "0000:d8:00.2" |
| 248 | + } |
| 249 | + } |
| 250 | + },{ |
| 251 | + "name": "test-namespace/vlan-100", |
| 252 | + "interface": "ext0.100", |
| 253 | + "ips": [ |
| 254 | + "1.1.1.1" |
| 255 | + ], |
| 256 | + "mac": "6e:a7:5e:3f:49:1b", |
| 257 | + "dns": {} |
| 258 | + }] |
| 259 | + k8s.v1.cni.cncf.io/networks: |
| 260 | + [ { "name": "sriov-network", "namespace": "test-namespace", "interface": "ext0" }, { "name": "vlan-100", "namespace": "test-namespace", "i... |
| 261 | + openshift.io/scc: privileged |
| 262 | +Status: Running |
| 263 | +IP: 10.131.0.26 |
| 264 | +IPs: |
| 265 | + IP: 10.131.0.26 |
| 266 | +---- |
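Review bot: The `SriovNetwork` CR sets `spoofChk: "off"` and `trust: "on"` without saying why, and those two settings are the security-relevant part of this procedure: VF spoof checking drops frames whose source MAC or 802.1Q tag does not match what the PF assigned to the VF, so a VLAN subinterface created inside the container only works with spoof checking disabled, and a trusted VF may change its MAC and enable promiscuous mode. A short callout next to those two lines should state that this is what makes container-side VLAN tagging possible and that, as a consequence, the pod can emit frames with arbitrary source MACs and VLAN tags on that VF, which is why the example confines it to a dedicated namespace. Related, the NOTE before the pod manifest calls the Namespace labels "security labels", but what they do is set `pod-security.kubernetes.io/enforce: privileged` and `security.openshift.io/scc.podSecurityLabelSync: "false"` for the whole namespace, while the pod spec itself is hardened (`runAsNonRoot: true`, `drop: ["ALL"]`, `RuntimeDefault` seccomp) and the expected output shows `openshift.io/scc: privileged`; the text should say which requirement forces the privileged level, and mention that `test-namespace` already exists from the `oc new-project` step, so this second manifest updates the labels on it rather than creating it. Smaller points: the whereabouts range `1.1.1.0/24` is publicly routed address space (the expected output assigns `1.1.1.1`), so an RFC 5737 documentation range such as `192.0.2.0/24` or an RFC 1918 range would avoid shadowing a real address; the callout on `"master": "ext0"` should say explicitly that this value must equal the `interface` name given for `sriov-network` in the pod's `k8s.v1.cni.cncf.io/networks` annotation; and in the concept text "specify the `linkInContainer` and set the value to `true`" is missing the word "parameter", while "the ability to allow users to create ... is now generally available" could simply read "you can create a MAC-VLAN, IP-VLAN, or VLAN subinterface based on a master interface in a container namespace; this feature is now generally available".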