Openshift

Networking

SDN

The default SDN is OpenShiftSDN which controls OpenVSwitch (OVS) to implement the CNI Kubernetes contract.

DNS

The default DNS provider is CoreDNS.

Network policy

The default OCP4 CNI plugin (OVS) supports network isolation through NetworkPolicy object.

By default every pod in a project can communicate with one another. To prevent a 'web' pod to communicate directly to a 'db' pod for instance, you would create NetworkPolicy objects to indicate the allowed incoming connections (ingress) for the db pod[1].

You can also defined network policy for egress traffic using egress policy type.
Egress

For egress traffic, the OpenShift SDN relies on “external routers” and/or on a tunnel interface on every OpenShift node that provides a NAT connection with the node’s host address.

ACI plugin

The ACI CNI Plugin for OCP provides integration between the APIC and one or more OpenShift cluster.

The plugin connects all pods to the integrated VXLAN overlay provided by Cisco. It models the cluster as a Virtual Machine Manager (VMM) Domain (one per OCP cluster) on the Cisco APIC.

Concepts

Project

A project is a Kubernetes namespace with additional annotations. A project allows a community of users to organize and manage their content in isolation from other communities

Route

Serve the same purpose as Kubernetes ingress (invented before).

When a Route object is created (by default) it gets picked up by a built-in HAProxy load balancer.

Since OCP3.10 a OpenShift ingress controller implementation exists to watch ingress objects and create one or more routes to fulfill the conditions specified.
Table 1. K8s relation
K8s Openshift

Namespace

Project

Ingress

Routes

Deployment

DeploymentConfig

Helm

Templates

Installation

Structure

3 types of nodes:

  • master

  • infrastructure

  • application

Prerequisite

  • Prerequisites

  • Host preparation

  • base DNS domain

  • 2 different network CIDRs, both virtual ranges:

    • the pod network osm_cluster_network_cidr

    • the services network openshift_portal_net

  • All of the hosts in the cluster need to be resolvable via DNS. If using a control node to serve as the ansible installer it too should be able to resolve all hosts in your cluster.

  • public master DNS openshift_master_cluster_public_hostname

  • internal master DNS openshift_master_cluster_hostname

Storage

ReadWriteOnce

Block storage as iSCI, Ceph EBS

ReadWriteMany

Shared storage such as GlusterFS

S2i

   s2i scripts (1)
-> source code (2)
-> builder image (3)
1 {assemble|run}
2 arg1 → /tmp/src
3 arg2

1. using a podSelector