Skip to content

NP-764: Enable no uplink OVN-K gateway bridge mode #1692

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
openshift-merge-robot merged 2 commits into from
Jun 28, 2023
Merged

NP-764: Enable no uplink OVN-K gateway bridge mode #1692

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
3507e2f
Enable no uplink OVN-K gateway bridge mode
pliurh Apr 20, 2023
e3fc6b9
Remove OVN-K config flag disableOVSInit and gatewayInterface
pliurh Jun 25, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions assets/components/ovn/common/clusterrole.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -153,12 +153,18 @@ rules:
- egressfirewalls
- egressips
- egressqoses
- adminpolicybasedexternalroutes
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- k8s.ovn.org
resources:
- adminpolicybasedexternalroutes/status
verbs: [ "update"]
- apiGroups: ["cloud.network.openshift.io"]
resources:
- cloudprivateipconfigs
Expand Down
1 change: 1 addition & 0 deletions assets/components/ovn/single-node/master/daemonset.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -355,6 +355,7 @@ spec:
exec /usr/bin/ovnkube \
--init-master "${K8S_NODE}" \
--init-node "${K8S_NODE}" \
--allow-no-uplink \
--config-file=/run/ovnkube-config/ovnkube.conf \
--loglevel "${OVN_KUBE_LOG_LEVEL}" \
${gateway_mode_flags} \
Expand Down
50 changes: 1 addition & 49 deletions docs/network/default_cni_plugin.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,59 +65,17 @@ The following configs are supported in ovn-kubernetes config file:

|Field |Required |Type |Default |Description |Example|
|:--------------------------------|:--------|:-------|:-------|:----------------------------------------------------------------------------|:------|
|ovsInit.disableOVSInit |N |bool |false |Skip configuring OVS bridge "br-ex" in microshift-ovs-init.service |true |
|ovsInit.gatewayInterface |N |string |"" |Interface to be added in OVS gateway bridge "br-ex" |eth0 |
|mtu |N |int |*auto* |MTU value to be used for the Pods, must be less than or equal to the MTU of default route interface|1500|

> When `disableOVSInit` is true, OVS bridge "br-ex" needs to be configured manually. This OVS bridge is required by ovn-kubernetes CNI. See section [OVS bridge](#ovs-bridge) for guidance on configuring the OVS gateway bridge manually.
> When `gatewayInterface` is not provided, it defaults to the default route interface.
> When `mtu` is not provided, it defaults to the MTU of `gatewayInterface` interface. In the case that `gatewayInterface` is not specified, it is set to the default route MTU.
> When `mtu` is not provided, it is set to the default route MTU.

Below is an example of `ovn.yaml`:

```yaml
ovsInit:
disableOVSInit: true
gatewayInterface: eth0
mtu: 1500
```
**NOTE:* The change of `mtu` configuration in `ovn.yaml` requires node reboot to take effect. <br>

### Configuring Host

#### OVS bridge

When `disableOVSInit` is set to true in ovn-kubernetes CNI config file, OVS bridge "br-ex" needs to be manually configured:

```bash
nmcli con add type ovs-bridge con-name br-ex conn.interface br-ex 802-3-ethernet.mtu 1500 connection.autoconnect no
nmcli con add type ovs-port conn.interface enp1s0 master br-ex con-name ovs-port-phys0 connection.autoconnect no
nmcli con add type ovs-port conn.interface br-ex master br-ex con-name ovs-port-br-ex connection.autoconnect no

nmcli con add type 802-3-ethernet conn.interface enp1s0 master ovs-port-phys0 con-name ovs-if-phys0 \
connection.autoconnect-priority 100 802-3-ethernet.mtu 1500 connection.autoconnect no

ovs_port_conn=$(nmcli -g connection.uuid conn show ovs-port-br-ex)
iface_mac=$(<"/sys/class/net/enp1s0/address")

nmcli con add type ovs-interface slave-type ovs-port conn.interface br-ex master "$ovs_port_conn" con-name \
ovs-if-br-ex 802-3-ethernet.mtu 1500 802-3-ethernet.cloned-mac-address ${iface_mac} \
ipv4.route-metric 48 ipv6.route-metric 48 connection.autoconnect no

nmcli con up ovs-if-phys0
nmcli con up ovs-if-br-ex
nmcli con mod ovs-if-phys0 connection.autoconnect yes
nmcli con mod ovs-if-br-ex connection.autoconnect yes
```

Replace `enp1s0` with the network interface name where node IP address is assigned to. <br>
Replace `1500` with the actual MTU on the network interface. <br>

**NOTE:* Copy the above NetworkManager command in a script and execute them at once. <br>
**NOTE:* Execution of the above commands will cause transient network disconnection from the node IP. <br>

[comment]: # (TODO: replace OVS commands with nmcli which can be easily installed under /etc)

## Network Features

A wide range of networking features are available with MicroShift and ovn-kubernetes, including but not limited to:
Expand All @@ -139,12 +97,6 @@ See [ovn-kubernetes network policy](https://github.com/ovn-org/ovn-kubernetes/bl
MicroShift is able to detect node IP change and restarts itself to take in the new IP address.
Upon restarting, it recreates ovnkube-master daemonset with updated IP address in openshift-ovn-kubernetes namespace.

### Custom gateway interface

microshift-ovs-init.service is able to use user specified host interface for cluster network.
This is done by specifying the `gatewayInterface` in the CNI config file `/etc/microshift/ovn.yaml`.
The specified interface will be added in OVS bridge `br-ex` which acts as gateway bridge for ovn-kubernetes CNI network.

### Blocking external access to NodePort service on specific host interfaces

ovn-kubernetes doesn't restrict the host interfaces where NodePort service can be accessed from outside MicroShift node. The following `nft` instructions block NodePort service on a specific host interface. <br>
Expand Down
184 changes: 0 additions & 184 deletions etcd/vendor/github.com/openshift/microshift/pkg/config/ovn/ovn.go
View file
Open in desktop

This file was deleted.

19 changes: 6 additions & 13 deletions etcd/vendor/github.com/openshift/microshift/pkg/util/net.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 0 additions & 1 deletion etcd/vendor/modules.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -199,7 +199,6 @@ github.com/openshift/build-machinery-go/scripts
# github.com/openshift/microshift v0.0.0 => ../
## explicit; go 1.20
github.com/openshift/microshift/pkg/config
github.com/openshift/microshift/pkg/config/ovn
github.com/openshift/microshift/pkg/util
github.com/openshift/microshift/pkg/util/cryptomaterial
# github.com/peterbourgon/diskv v2.0.1+incompatible
Expand Down
7 changes: 0 additions & 7 deletions packaging/microshift/ovn.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,3 @@
ovsInit:
# Skip configuring OVS bridge "br-ex" in microshift-ovs-init.service
#disableOVSInit: false

# Interface to be added in OVS gateway bridge "br-ex"
#gatewayInterface: ""

# MTU value to be used for the Pods, must be less than or equal to the MTU of
# default route interface.
#mtu: 1500
Loading