|
| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn.adoc |
| 4 | + |
| 5 | +:_mod-docs-content-type: PROCEDURE |
| 6 | +[id="checking-cluster-resources-after-initiating-limited-live-migration_{context}"] |
| 7 | += Checking cluster resources after initiating the limited live migration |
| 8 | + |
| 9 | +The following procedure shows you how to check for egress IP resources, egress firewall resources, multicast enabled namespaces, and network policies when your deploying is using OVN-Kubernetes. If you had these resources on OpenShift SDN, you should check them after migration to ensure that they are working properly. |
| 10 | + |
| 11 | +.Prerequisites |
| 12 | + |
| 13 | +* You have access to the cluster as a user with the `cluster-admin` role. |
| 14 | +* You have successfully migrated from OpenShift SDN to OVN-Kubernetes by using the limited live migration. |
| 15 | +
|
| 16 | +.Procedure |
| 17 | + |
| 18 | +. As an {product-title} cluster administrator, check for egress firewall resources. You can do this by using the `oc` CLI, or by using the {product-title} web console. |
| 19 | + |
| 20 | +.. To check for egress firewall resource by using the `oc` CLI tool: |
| 21 | + |
| 22 | +... To check for egress firewall resources, enter the following command: |
| 23 | ++ |
| 24 | +[source,terminal] |
| 25 | +---- |
| 26 | +$ oc get egressfirewalls.k8s.ovn.org -A |
| 27 | +---- |
| 28 | ++ |
| 29 | +.Example output |
| 30 | ++ |
| 31 | +[source,terminal] |
| 32 | +---- |
| 33 | +NAMESPACE NAME AGE |
| 34 | +<namespace> <example_egressfirewall> 5d |
| 35 | +---- |
| 36 | + |
| 37 | +... You can check the intended behavior of an egress firewall resource by using the `-o yaml` flag. For example: |
| 38 | ++ |
| 39 | +[source,terminal] |
| 40 | +---- |
| 41 | +$ oc get egressfirewall <example_egressfirewall> -n <namespace> -o yaml |
| 42 | +---- |
| 43 | ++ |
| 44 | +.Example output |
| 45 | ++ |
| 46 | +[source,terminal] |
| 47 | +---- |
| 48 | +apiVersion: k8s.ovn.org/v1 |
| 49 | +kind: EgressFirewall |
| 50 | +metadata: |
| 51 | + name: <example_egress_policy> |
| 52 | + namespace: <namespace> |
| 53 | +spec: |
| 54 | + egress: |
| 55 | + - type: Allow |
| 56 | + to: |
| 57 | + cidrSelector: 192.168.0.0/16 |
| 58 | + - type: Deny |
| 59 | + to: |
| 60 | + cidrSelector: 0.0.0.0/0 |
| 61 | +---- |
| 62 | ++ |
| 63 | +Ensure that the behavior of this resource is intended because it could have changed after migration. For more information about egress firewalls, see "Configuring an egress firewall for a project". |
| 64 | + |
| 65 | +.. To check for egress firewall resources by using the {product-title} web console: |
| 66 | + |
| 67 | +... On the {product-title} web console, click *Observe* -> *Metrics*. |
| 68 | + |
| 69 | +... In the *Expression* box, type `ovnkube_controller_num_egress_firewall_rules` and click *Run queries*. If you have egress firewall resources, they are returned in the *Expression* box. |
| 70 | + |
| 71 | +. Check your cluster for egress IP resources. You can do this by using the `oc` CLI, or by using the {product-title} web console. |
| 72 | + |
| 73 | +.. To check for egress IPs by using the `oc` CLI tool: |
| 74 | + |
| 75 | +... To list the namespace with egress IP resources, enter the following command: |
| 76 | ++ |
| 77 | +[source,terminal] |
| 78 | +---- |
| 79 | +$ oc get egressip |
| 80 | +---- |
| 81 | ++ |
| 82 | +.Example output |
| 83 | ++ |
| 84 | +[source,terminal] |
| 85 | +---- |
| 86 | +NAME EGRESSIPS ASSIGNED NODE ASSIGNED EGRESSIPS |
| 87 | +egress-sample 192.0.2.10 ip-10-0-42-79.us-east-2.compute.internal 192.0.2.10 |
| 88 | +egressip-sample-2 192.0.2.14 ip-10-0-42-79.us-east-2.compute.internal 192.0.2.14 |
| 89 | +---- |
| 90 | + |
| 91 | +... To provide detailed information about an egress IP, enter the following command: |
| 92 | ++ |
| 93 | +[source,terminal] |
| 94 | +---- |
| 95 | +$ oc get egressip <egressip_name> -o yaml |
| 96 | +---- |
| 97 | ++ |
| 98 | +.Example output |
| 99 | ++ |
| 100 | +[source,terminal] |
| 101 | +---- |
| 102 | +apiVersion: k8s.ovn.org/v1 |
| 103 | +kind: EgressIP |
| 104 | +metadata: |
| 105 | + annotations: |
| 106 | + kubectl.kubernetes.io/last-applied-configuration: | |
| 107 | + {"apiVersion":"k8s.ovn.org/v1","kind":"EgressIP","metadata":{"annotations":{},"name":"egressip-sample"},"spec":{"egressIPs":["192.0.2.12","192.0.2.13"],"namespaceSelector":{"matchLabels":{"name":"my-namespace"}}}} |
| 108 | + creationTimestamp: "2024-06-27T15:48:36Z" |
| 109 | + generation: 7 |
| 110 | + name: egressip-sample |
| 111 | + resourceVersion: "125511578" |
| 112 | + uid: b65833c8-781f-4cc9-bc96-d970259a7631 |
| 113 | +spec: |
| 114 | + egressIPs: |
| 115 | + - 192.0.2.12 |
| 116 | + - 192.0.2.13 |
| 117 | + namespaceSelector: |
| 118 | + matchLabels: |
| 119 | + name: my-namespace |
| 120 | +---- |
| 121 | ++ |
| 122 | +Repeat this for all egress IPs. Ensure that the behavior of each resource is intended because it could have changed after migration. For more information about EgressIPs, see "Configuring an EgressIP address". |
| 123 | + |
| 124 | +.. To check for egress IPs by using the {product-title} web console: |
| 125 | + |
| 126 | +... On the {product-title} web console, click *Observe* -> *Metrics*. |
| 127 | + |
| 128 | +... In the *Expression* box, type `ovnkube_clustermanager_num_egress_ips` and click *Run queries*. If you have egress firewall resources, they are returned in the *Expression* box. |
| 129 | + |
| 130 | +. Check your cluster for multicast enabled namespaces. You can only do this by using the `oc` CLI. |
| 131 | + |
| 132 | +.. To locate namespaces with multicast enabled, enter the following command: |
| 133 | ++ |
| 134 | +[source,terminal] |
| 135 | +---- |
| 136 | +$ oc get namespace -o json | jq -r '.items[] | select(.metadata.annotations."k8s.ovn.org/multicast-enabled" == "true") | .metadata.name' |
| 137 | +---- |
| 138 | ++ |
| 139 | +.Example output |
| 140 | ++ |
| 141 | +[source,terminal] |
| 142 | +---- |
| 143 | +namespace1 |
| 144 | +namespace3 |
| 145 | +---- |
| 146 | + |
| 147 | +.. To describe each multicast enabled namespace, enter the following command: |
| 148 | ++ |
| 149 | +[source,terminal] |
| 150 | +---- |
| 151 | +$ oc describe namespace <namespace> |
| 152 | +---- |
| 153 | ++ |
| 154 | +.Example output |
| 155 | ++ |
| 156 | +[source,terminal] |
| 157 | +---- |
| 158 | +Name: my-namespace |
| 159 | +Labels: kubernetes.io/metadata.name=my-namespace |
| 160 | + pod-security.kubernetes.io/audit=restricted |
| 161 | + pod-security.kubernetes.io/audit-version=v1.24 |
| 162 | + pod-security.kubernetes.io/warn=restricted |
| 163 | + pod-security.kubernetes.io/warn-version=v1.24 |
| 164 | +Annotations: k8s.ovn.org/multicast-enabled: true |
| 165 | + openshift.io/sa.scc.mcs: s0:c25,c0 |
| 166 | + openshift.io/sa.scc.supplemental-groups: 1000600000/10000 |
| 167 | + openshift.io/sa.scc.uid-range: 1000600000/10000 |
| 168 | +Status: Active |
| 169 | +---- |
| 170 | ++ |
| 171 | +Ensure that multicast functionality is correctly configured and working as expected in each namespace. For more information, see "Enabling multicast for a project". |
| 172 | + |
| 173 | +. Check your cluster's network policies. You can only do this by using the `oc` CLI. |
| 174 | + |
| 175 | +.. To obtain information about network policies within a namespace, enter the following command: |
| 176 | ++ |
| 177 | +[source,terminal] |
| 178 | +---- |
| 179 | +$ oc get networkpolicy -n <namespace> |
| 180 | +---- |
| 181 | ++ |
| 182 | +.Example output |
| 183 | ++ |
| 184 | +[source,terminal] |
| 185 | +---- |
| 186 | +NAME POD-SELECTOR AGE |
| 187 | +allow-multicast app=my-app 11m |
| 188 | +---- |
| 189 | + |
| 190 | +.. To provide detailed information about the network policy, enter the following command: |
| 191 | ++ |
| 192 | +[source,terminal] |
| 193 | +---- |
| 194 | +$ oc describe networkpolicy allow-multicast -n <namespace> |
| 195 | +---- |
| 196 | ++ |
| 197 | +.Example output |
| 198 | ++ |
| 199 | +[source,terminal] |
| 200 | +---- |
| 201 | +Name: allow-multicast |
| 202 | +Namespace: my-namespace |
| 203 | +Created on: 2024-07-24 14:55:03 -0400 EDT |
| 204 | +Labels: <none> |
| 205 | +Annotations: <none> |
| 206 | +Spec: |
| 207 | + PodSelector: app=my-app |
| 208 | + Allowing ingress traffic: |
| 209 | + To Port: <any> (traffic allowed to all ports) |
| 210 | + From: |
| 211 | + IPBlock: |
| 212 | + CIDR: 224.0.0.0/4 |
| 213 | + Except: |
| 214 | + Allowing egress traffic: |
| 215 | + To Port: <any> (traffic allowed to all ports) |
| 216 | + To: |
| 217 | + IPBlock: |
| 218 | + CIDR: 224.0.0.0/4 |
| 219 | + Except: |
| 220 | + Policy Types: Ingress, Egress |
| 221 | +---- |
| 222 | ++ |
| 223 | +Ensure that the behavior of the network policy is as intended. Optimization for network policies differ between SDN and OVN-K, so users might need to adjust their policies to achieve optimal performance for different CNIs. For more information, see "About network policy". |
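Review bot: the egress IP web console step ("type `ovnkube_clustermanager_num_egress_ips` and click *Run queries*. If you have egress firewall resources, they are returned in the *Expression* box.") still says "egress firewall resources"; it was carried over from the egress firewall step and should read "egress IP resources", otherwise the reader is told to expect the wrong result. Two smaller fixes in the same hunk: the egress firewall example command queries `<example_egressfirewall>` but the example output shows `name: <example_egress_policy>`, so the placeholder should be the same in both, and the sub-step title "To check for egress firewall resource by using the `oc` CLI tool" needs "resources". In the introduction, "when your deploying is using OVN-Kubernetes" should be "when your deployment is using OVN-Kubernetes", and in the closing paragraph "Optimization for network policies differ between SDN and OVN-K" should be "differs" with the names spelled out as "OpenShift SDN and OVN-Kubernetes" to match the rest of the module.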