OpenShift Network Plugins: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
Line 32: Line 32:
The Virtual Network ID (VNID) identifies traffic as being initiated by pods associated with a specific project. Pods from different projects cannot send or receive packets to/from pods and services of a different project, except for those that have VNID 0. VNID 0 allows the pods of the project to communicate with all other pods, and all other pods can communicate with them.  
The Virtual Network ID (VNID) identifies traffic as being initiated by pods associated with a specific project. Pods from different projects cannot send or receive packets to/from pods and services of a different project, except for those that have VNID 0. VNID 0 allows the pods of the project to communicate with all other pods, and all other pods can communicate with them.  


The "[[OpenShift_Concepts#Default_Project|default]]" project has VNID 0.
The "[[OpenShift_Concepts#Default_Project|default]]" project has VNID 0. This allows the [[OpenShift Concepts#Router|router service]] to route packets between projects.


===Configuration===
===Configuration===

Revision as of 19:26, 17 October 2017

External

Internal

Overview

TODO: unify with the upper layer OpenShift_Concepts#SDN.2C_Overlay_Network

Pods get IP addresses from the cluster network, and the address allocation and packet routing is provided by a software-defined network (SDN), implemented using Open vSwitch (OVS). A specific behavior is provided by the SDN plug-in chosen at installation: subnet, multitenant and networkpolicy.

SDN Plug-Ins

subnet

The "ovs-subnet" plug-in provides a "flat" network: every pod in the cluster can communicate with every other pod and service, regardless of the project (namespace).

Ansible configuration file:

os_sdn_network_plugin_name='redhat/openshift-ovs-subnet'

multitenant

The "ovs-multitenant" is a plug-in that provides project-level isolation for pods and services. Each project gets a unique Virtual Network ID (VNID)

Virtual Network ID (VNID)

The Virtual Network ID (VNID) identifies traffic as being initiated by pods associated with a specific project. Pods from different projects cannot send or receive packets to/from pods and services of a different project, except for those that have VNID 0. VNID 0 allows the pods of the project to communicate with all other pods, and all other pods can communicate with them.

The "default" project has VNID 0. This allows the router service to route packets between projects.

Configuration

Ansible configuration file:

os_sdn_network_plugin_name='redhat/openshift-ovs-multitenant'

networkpolicy

Operations

Network Operations