
Adding a VLAN NAD to OpenShift for Advanced Networking can be a game-changer for your cluster's scalability and manageability. To start, a VLAN NAD, or Network Attachment Definition, is a way to define a network interface for your pods.
In OpenShift, VLAN NADs are used to create a network interface for pods that are part of a project. This allows you to isolate pods and their traffic from other pods in the cluster.
To add a VLAN NAD to your OpenShift cluster, you'll need to create a Network Attachment Definition (NAD) that specifies the VLAN ID and other network settings. This NAD will then be attached to your project's pods.
This setup is particularly useful for multi-tenant environments, where you want to ensure that different projects or teams have isolated networks.
Approaches to Managing VLANs
To manage VLANs in OpenShift, you have two approaches to choose from. They are mutually exclusive, so you use one or the other, never both at the same time:
- Modify the Cluster Network Operator (CNO) configuration. The CNO then creates and manages the NetworkAttachmentDefinition object automatically, and it also ensures that a DHCP server is available for any additional network that uses DHCP-assigned IP addresses.
- Apply a YAML manifest that defines the additional network directly. This approach also allows CNI plugins to be chained.
Configuring VLANs
To configure VLANs in OpenShift, you need to specify the VLAN ID in the CNI plugin configuration. The VLAN ID is set using the `vlanId` field in the JSON configuration object.
A NetworkAttachmentDefinition custom resource definition (CRD) with a vlan configuration can only be used on a single pod in a node because the CNI plugin cannot create multiple vlan subinterfaces with the same vlanId on the same master interface.
You can create multiple VLANs on SR-IOV VFs by creating an SR-IOV network and defining the network attachments for the VLAN interfaces. This involves creating a dedicated container namespace, an SR-IOV node policy, and an SR-IOV network, as well as creating a VLAN additional network and a pod definition with the specified networks.
Types
Configuring VLANs is all about understanding the different types of networks that can be created.
There are specific configuration fields for additional networks that need to be considered.
VLANs can be used to create different types of networks, including trunk networks, which allow multiple VLANs to be transmitted over a single link.
The specific configuration fields for additional networks are described in separate sections of the documentation.
Configuring Pods for VLANs
To add a VLAN network attachment to a pod, you must specify the secondary network attachments through the k8s.v1.cni.cncf.io/networks annotation. This annotation allows you to provision a pod with multiple secondary attachments.
You can only use a NetworkAttachmentDefinition custom resource definition (CRD) with a vlan configuration on a single pod in a node because the CNI plugin cannot create multiple vlan subinterfaces with the same vlanId on the same master interface.
The CNI plugin configuration for a VLAN network attachment is specified in JSON format, and it requires the following parameters: cniVersion, name, type, master, vlanId, ipam, mtu, dns, and linkInContainer. The master interface is the Ethernet interface to associate with the network attachment, and the vlanId is the ID of the VLAN.
With the k8s.v1.cni.cncf.io/networks annotation on the pod and a correct CNI plugin configuration in the NetworkAttachmentDefinition, you can successfully configure pods for VLANs in OpenShift.
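The single-pod-per-node limit described above is easier to check before pods are scheduled than to diagnose from a failed attachment. The Python script below is an added example, not code from the OpenShift documentation: it resolves each pod's k8s.v1.cni.cncf.io/networks annotation to its NAD and reports every (node, master, vlanId) subinterface that more than one pod would need. The NADs, pods, node names and the interface name ens5 are constructed sample data.

```python
"""Added example, not from the OpenShift docs: find pods that would collide on a
vlan subinterface. A vlan NAD can back only one pod per node, because the CNI
plugin cannot create two vlan subinterfaces with the same vlanId on the same
master interface. NADs, pods and node names below are constructed samples."""
import json
from collections import defaultdict

def vlan_nad(name, master, vlan_id):
    """spec.config of a vlan NAD with the fields listed above (DHCP IPAM)."""
    return {"cniVersion": "0.3.1", "name": name, "type": "vlan", "master": master,
            "vlanId": vlan_id, "ipam": {"type": "dhcp"}}

# namespace/name -> parsed spec.config; two NADs share (master, vlanId) on purpose.
NADS = {
    "tenant-a/vlan-100": vlan_nad("vlan-100", "ens5", 100),
    "tenant-b/vlan-100-b": vlan_nad("vlan-100-b", "ens5", 100),
    "tenant-a/vlan-200": vlan_nad("vlan-200", "ens5", 200),
}

# Constructed pods with their k8s.v1.cni.cncf.io/networks annotation values.
SAMPLE_PODS = [
    {"namespace": "tenant-a", "name": "web", "node": "worker-1", "networks": "vlan-100"},
    {"namespace": "tenant-b", "name": "db", "node": "worker-1", "networks": "vlan-100-b"},
    {"namespace": "tenant-a", "name": "api", "node": "worker-2",
     "networks": '[{"name": "vlan-100"}, {"name": "vlan-200", "namespace": "tenant-a"}]'},
]

def parse_networks_annotation(value, pod_namespace):
    """Return namespace/name keys for a networks annotation, accepting both the
    comma-separated form and the JSON list form; bare names use the pod's namespace."""
    value = value.strip()
    if value.startswith("["):
        entries = [f'{e.get("namespace", pod_namespace)}/{e["name"]}' for e in json.loads(value)]
    else:
        entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e if "/" in e else f"{pod_namespace}/{e}" for e in entries]

def find_vlan_collisions(pods, nads=NADS):
    """Map (node, master, vlanId) -> pods needing it, keeping only entries with
    more than one pod: those are the subinterfaces the vlan plugin cannot create twice."""
    users = defaultdict(list)
    for pod in pods:
        for key in parse_networks_annotation(pod["networks"], pod["namespace"]):
            cfg = nads.get(key)
            if cfg is None or cfg.get("type") != "vlan":
                continue  # unknown NAD or not a vlan attachment: no subinterface clash
            sub = (pod["node"], cfg["master"], int(cfg["vlanId"]))
            users[sub].append(f'{pod["namespace"]}/{pod["name"]}')
    return {sub: p for sub, p in users.items() if len(p) > 1}
```

Feeding the script the output of `oc get net-attach-def -A -o json` and `oc get pods -A -o json` instead of the constructed samples turns it into a cluster-wide audit.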
Creating VLAN Attachments
To create a VLAN attachment, you need to define the additional network configuration in the Cluster Network Operator (CNO) configuration.
You can specify the additional network configuration as part of the CNO configuration, which includes the name, namespace, and CNI plugin configuration in JSON format.
To create the VLAN attachment through the CNO, run `oc edit networks.operator.openshift.io cluster` and modify the CR to add the configuration for the additional network.
Alternatively, you can create a VLAN attachment without going through the CNO configuration by writing a NetworkAttachmentDefinition in a YAML file and applying it to the cluster with `oc apply`.
By following these steps, you can create a VLAN attachment and add it to your OpenShift cluster.
Creating Multiple VLANs on SR-IOV
Creating multiple VLANs on SR-IOV VFs lets you attach several VLAN networks to pods on top of SR-IOV virtual functions. You'll need the OpenShift CLI (oc) installed and access to the cluster as a user with the cluster-admin role.
To start, create a dedicated container namespace where you want to deploy your pod by running `oc new-project test-namespace`.
You'll also need to have the SR-IOV Network Operator installed. This operator is required to create SR-IOV networks and VLANs.
To create an SR-IOV network, you'll need to create an SR-IOV node policy and then create the SR-IOV network. The SR-IOV network will be used as the basis for creating multiple VLANs.
Here's a step-by-step guide to creating multiple VLANs on SR-IOV VFs:
1. Create a dedicated container namespace: `oc new-project test-namespace`
2. Create an SR-IOV node policy
3. Create an SR-IOV network
4. Create the VLAN additional network
5. Create a pod definition using the earlier specified networks
By following these steps, you can create multiple VLANs on SR-IOV VFs and deploy your pod in a dedicated container namespace.
YAML Manifest for VLANs
To add a VLAN network attachment to OpenShift, you'll need to create a YAML manifest. This manifest will specify the configuration for your additional network attachment. The name for the additional network attachment is specified in the first line of the YAML file.
A CNI plugin configuration in JSON format is required to define the network settings. This configuration will determine the IP addresses, MAC addresses, and other network details for your VLAN network attachment.
The `cniConfig` field is where you specify the network settings for your VLAN network attachment, including the IP addresses, MAC addresses and gateway IPs for the network. With the YAML manifest in place, you can deploy the VLAN network attachment and start using it with your OpenShift cluster.
Macvlan Configuration
To add a VLAN network to OpenShift, you'll need to configure the Macvlan CNI plugin. The required configuration parameters for the Macvlan CNI plugin include the CNI specification version, which must be 0.3.1, and the name parameter, which should match the value provided for the CNO configuration.
The Macvlan CNI plugin configuration object also includes the type field, which must be set to "macvlan". You'll also need to configure the IPAM CNI plugin, which manages IP address assignment for the attachment definition. This involves creating an object for the ipam field.
Optional configuration parameters for the Macvlan CNI plugin include the mode field, which configures traffic visibility on the virtual network, and the master field, which specifies the host network interface to associate with the newly created macvlan interface.
IPvlan
IPvlan is a type of CNI plugin that allows for the creation of virtual networks. It's often used in containerized environments to provide network isolation and segmentation.
The configuration for an IPVLAN additional network requires a specific JSON object with certain fields. These fields include cniVersion, name, type, ipam, mode, master, mtu, and linkInContainer.
The cniVersion field is required and must be set to 0.3.1. This is a specific version of the CNI specification.
The name field is used to reference the CNO configuration. It's a string value that was provided previously.
The type field is set to ipvlan, which is the name of the CNI plugin being configured.
The ipam field is an object that contains the configuration for the IPAM CNI plugin. This plugin manages IP address assignment for the attachment definition.
The mode field is optional and can be set to l2, l3, or l3s. The default value is l2.
The master field is optional and specifies the Ethernet interface to associate with the network attachment.
The mtu field is optional and sets the maximum transmission unit (MTU) to the specified value. The default value is automatically set by the kernel.
The linkInContainer field is optional and specifies whether the master interface is in the container network namespace or the main network namespace.
Macvlan Configuration
To configure a MACVLAN additional network, the CNI plugin requires a JSON configuration object with several parameters. The `cniVersion` field is required and must be set to `0.3.1`, and the `name` field must match the value provided for the CNO configuration.
The `type` field should be set to `macvlan`, which is the name of the CNI plugin to configure. The `ipam` field is an object that contains the configuration for the IPAM CNI plugin, which manages IP address assignment for the attachment definition.
You can configure traffic visibility on the virtual network by setting the `mode` field to either `bridge`, `passthru`, `private`, or `vepa`. If you don't specify a value, the default value is `bridge`.
If you want to associate a specific host network interface with the newly created macvlan interface, you can set the `master` field to the interface name. If you don't specify a value, the default route interface is used.
You can also set the maximum transmission unit (MTU) to a specified value by setting the `mtu` field. The default value is automatically set by the kernel.
If you specify the `master` key for the plugin configuration, use a different physical network interface than the one associated with your primary network plugin to avoid possible conflicts.
Limitations and Considerations
While adding a VLAN to OpenShift can bring many benefits, there are some limitations and considerations to keep in mind.
One major limitation is that VLANs can only be applied to pods that are created after the VLAN is added. This means that existing pods will not be automatically assigned to the VLAN.
Additionally, VLANs can add complexity to your network configuration, requiring careful planning and management to ensure that pods can communicate with each other and with external services.
VLAN Settings
VLAN settings are crucial to consider when working with VLANs in OpenShift. The CNI plugin requires a specific configuration for VLANs, which includes the CNI specification version, name, type, and master interface.
The CNI specification version must be set to 0.3.1, the version required for VLAN configuration to work properly.
The master interface is the Ethernet interface associated with the network attachment. If not specified, the default network route interface is used. This is important to note, as it affects how the VLAN is configured.
It's worth noting that a NetworkAttachmentDefinition custom resource definition (CRD) with a vlan configuration can only be used on a single pod in a node, as the CNI plugin cannot create multiple vlan subinterfaces with the same vlanId on the same master interface.
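The field rules spread across the YAML Manifest, Macvlan, IPvlan and VLAN Settings sections (cniVersion 0.3.1, a name matching the CNO configuration, an ipam object, the valid mode values per plugin, and a master interface that is not the primary NIC) are easy to lint before running `oc apply`. The Python checker below is an added example, not code from the OpenShift documentation; the two manifests it checks and the interface names ens5 and ens6 are constructed, and the vlanId range check (1 to 4094) is the standard 802.1Q range rather than a rule stated on this page.

```python
"""Added example, not from the OpenShift docs: lint the spec.config of a
NetworkAttachmentDefinition against the field rules described above for the
vlan, macvlan and ipvlan plugins. Manifests and interface names are constructed."""
import json

ALLOWED_MODES = {"macvlan": {"bridge", "passthru", "private", "vepa"},
                 "ipvlan": {"l2", "l3", "l3s"}}

def lint_cni_config(cfg, primary_iface=None):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    if cfg.get("cniVersion") != "0.3.1":
        findings.append("cniVersion must be 0.3.1")
    if not cfg.get("name"):
        findings.append("name is required and must match the CNO configuration")
    plugin = cfg.get("type")
    if plugin not in ("vlan", "macvlan", "ipvlan"):
        findings.append(f"unsupported type {plugin!r}")
    if not isinstance(cfg.get("ipam"), dict):
        findings.append("ipam must be an object configuring the IPAM plugin")
    if plugin == "vlan":  # 802.1Q range; the page itself gives no bounds
        vid = cfg.get("vlanId")
        if not isinstance(vid, int) or not 1 <= vid <= 4094:
            findings.append("vlanId must be an integer in 1..4094")
    mode = cfg.get("mode")  # optional; defaults are bridge (macvlan) and l2 (ipvlan)
    if plugin in ALLOWED_MODES and mode is not None and mode not in ALLOWED_MODES[plugin]:
        findings.append(f"mode {mode!r} not valid for {plugin}; allowed: {sorted(ALLOWED_MODES[plugin])}")
    master = cfg.get("master")  # must differ from the primary network plugin's NIC
    if master and primary_iface and master == primary_iface:
        findings.append(f"master {master!r} is the primary network interface; use a different NIC")
    return findings

def lint_nad(manifest, primary_iface=None):
    """manifest: parsed NetworkAttachmentDefinition; spec.config holds the CNI JSON as a string."""
    try:
        cfg = json.loads(manifest["spec"]["config"])
    except (KeyError, TypeError, ValueError) as exc:
        return [f"spec.config is missing or not valid JSON: {exc}"]
    return lint_cni_config(cfg, primary_iface)

# Constructed manifests: a correct macvlan attachment and an ipvlan one with several defects.
GOOD_NAD = {"apiVersion": "k8s.cni.cncf.io/v1", "kind": "NetworkAttachmentDefinition",
            "metadata": {"name": "macvlan-net", "namespace": "tenant-a"},
            "spec": {"config": json.dumps({"cniVersion": "0.3.1", "name": "macvlan-net",
                     "type": "macvlan", "master": "ens6", "mode": "bridge",
                     "ipam": {"type": "static", "addresses": [{"address": "192.0.2.10/24"}]}})}}
BAD_NAD = {"apiVersion": "k8s.cni.cncf.io/v1", "kind": "NetworkAttachmentDefinition",
           "metadata": {"name": "ipvlan-net", "namespace": "tenant-a"},
           "spec": {"config": json.dumps({"cniVersion": "0.4.0", "name": "ipvlan-net",
                    "type": "ipvlan", "master": "ens5", "mode": "bridge"})}}
```

Pass the name of the NIC used by your primary network plugin as `primary_iface` so the conflict warning from the Macvlan section is enforced.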
Limitations
When using macvlan network configuration, it's essential to be aware of its limitations. Macvlan is not a suitable choice for production environments.
In OpenShift, containers run in pods on the nodes of the cluster. Applications (services) may be organised into namespaces, but the underlying node network configuration still has limitations.
Macvlan is less performant than SR-IOV in OpenShift. This is a significant consideration for applications that require high network performance.
If you're using worker nodes as VMs in your private cloud, you'll need to have privileges to enable promiscuous mode on the virtual networks attached to the VM. This can be a challenge for some users.
The macvlan CNI plugin is not supported with SPK (Service Provider Kit). This is a key limitation to keep in mind when planning your network configuration.
Here are some key limitations of macvlan in OpenShift:
- Use of the macvlan CNI plugin with SPK is not a supported configuration.
- Networking limitations inherent to OpenShift (without SR-IOV), i.e., less performant than SR-IOV.
- If your worker nodes are VMs in your private cloud, you must have privileges to enable promiscuous mode on the virtual networks attached to the VM.
OpenShift VLAN Attachment Definitions
To create a VLAN additional network in OpenShift, you'll need to define a NetworkAttachmentDefinition custom resource (CRD). This CRD must be used only on a single pod in a node because the CNI plugin cannot create multiple VLAN subinterfaces with the same VLAN ID on the same master interface.

The CNI plugin JSON configuration object for a VLAN additional network is described in Table 4. This object includes fields such as cniVersion, name, type, master, vlanId, ipam, mtu, dns, and linkInContainer.
To create an additional network attachment with the Cluster Network Operator (CNO), you'll need to create a namespace for the additional networks and modify the CNO configuration. The CNO creates the NetworkAttachmentDefinition CRD automatically when you specify an additional network to create.
Sources
- https://docs.openshift.com/container-platform/4.15/networking/multiple_networks/configuring-additional-network.html
- https://access.redhat.com/solutions/6972064
- https://docs.openshift.com/container-platform/4.12/networking/multiple_networks/configuring-additional-network.html
- https://medium.com/@hillayamir/expanding-your-openshift-clusters-vlan-a-step-by-step-guide-for-overcoming-ip-address-limitations-d6f61edc91ae
- https://clouddocs.f5.com/service-proxy-use-cases/main/macvlan.html