OpenShift
Networking
SDN
The default SDN is OpenShift SDN, which programs Open vSwitch (OVS) to implement the Kubernetes CNI contract.
Network policy
The default OCP4 CNI plugin (OpenShift SDN on top of OVS) supports network isolation through NetworkPolicy objects.
By default every pod in a project can communicate with every other pod. To prevent a 'web' pod from talking directly to a 'db' pod, for instance, you create NetworkPolicy objects that select the db pod and list the allowed incoming connections (ingress)[1]. The security-relevant detail is that isolation is triggered by selection: as long as no policy selects a pod, all traffic to it is allowed; once at least one policy selects it, only traffic explicitly allowed by some selecting policy passes, and policies are additive (a second policy can widen what the first one restricted).
You can also define a network policy for egress traffic using the Egress policy type. A policy with `policyTypes: [Egress]` and no egress rules blocks all outbound traffic from the selected pods, including DNS, so an explicit rule for the cluster DNS service is usually needed.
For egress traffic leaving the cluster, the OpenShift SDN relies on egress ("external") routers and/or on a tunnel interface present on every OpenShift node, which NATs pod traffic to the node's host address.
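As an added example (not code from the page or from OpenShift itself), the following Python model applies the NetworkPolicy ingress semantics to the web/db case above: a 'deny-by-default' policy that selects every pod in the project, plus a policy that admits only web pods to the db pod on TCP 5432. The policy names, labels and port are constructed for illustration; the policy dicts mirror the manifest fields. The model covers podSelector/matchLabels, policyTypes, ingress[].from[].podSelector and ingress[].ports, and ignores matchExpressions, namespaceSelector, ipBlock and egress evaluation.

```python
# Added example: a small model of Kubernetes NetworkPolicy *ingress*
# semantics as enforced by the OpenShift SDN. Not OpenShift code. Policy
# dicts mirror the manifest fields; names, labels and ports are constructed.
# Limits of the model: podSelector/matchLabels only (no matchExpressions),
# no namespaceSelector, no ipBlock, no egress evaluation.

def selects(selector, labels):
    """matchLabels match: every key/value must be present on the pod.
    An empty selector ({}) matches every pod, which is what makes a
    deny-all policy apply to the whole project."""
    return all(labels.get(k) == v
               for k, v in selector.get("matchLabels", {}).items())


def ingress_allowed(policies, src_labels, dst_labels, port, protocol="TCP"):
    """Decide whether src may open protocol/port to dst.

    1. Only policies whose policyTypes include Ingress and whose
       podSelector selects dst count (policyTypes omitted means Ingress).
    2. If none selects dst, the pod is non-isolated: everything is allowed.
    3. Otherwise traffic passes if it matches at least one ingress rule of
       at least one selecting policy. Rules are additive; a policy with no
       ingress rules contributes nothing and so denies on its own.
    """
    selecting = [p for p in policies
                 if "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and selects(p["spec"]["podSelector"], dst_labels)]
    if not selecting:
        return True
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            peers = rule.get("from")
            ports = rule.get("ports")
            # An empty or missing 'from' / 'ports' list matches all sources / ports.
            peer_ok = not peers or any(
                selects(peer["podSelector"], src_labels)
                for peer in peers if "podSelector" in peer)
            port_ok = not ports or any(
                pp.get("protocol", "TCP") == protocol and pp.get("port") == port
                for pp in ports)
            if peer_ok and port_ok:
                return True
    return False


# Constructed policies, written the way the manifests would be.
DENY_BY_DEFAULT = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "deny-by-default"},
    "spec": {"podSelector": {},            # every pod in the project
             "policyTypes": ["Ingress"]},  # no ingress rules -> deny all
}

ALLOW_WEB_TO_DB = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "allow-web-to-db"},
    "spec": {"podSelector": {"matchLabels": {"app": "db"}},
             "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}],
                          "ports": [{"protocol": "TCP", "port": 5432}]}]},
}

# Constructed pod label sets.
WEB, DB, BATCH = {"app": "web"}, {"app": "db"}, {"app": "batch"}

if __name__ == "__main__":
    for pols, label in (([], "no policy"),
                        ([DENY_BY_DEFAULT], "deny only"),
                        ([DENY_BY_DEFAULT, ALLOW_WEB_TO_DB], "deny + allow")):
        print(f"{label:13} web->db:5432   {ingress_allowed(pols, WEB, DB, 5432)}")
        print(f"{label:13} batch->db:5432 {ingress_allowed(pols, BATCH, DB, 5432)}")
        print(f"{label:13} db->web:8080   {ingress_allowed(pols, DB, WEB, 8080)}")
```

Two things the model makes visible: applying only allow-web-to-db already isolates the db pod (it is now selected) but leaves the web pod non-isolated, so a deny-by-default policy is what actually closes the project; and because rules are additive, any other policy that selects the db pod can widen access without touching this one, so review every policy whose podSelector matches a pod, not just the one you wrote.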
Concepts
- Project: a Kubernetes namespace with additional annotations. A project allows a community of users to organize and manage their content in isolation from other communities.
- Route: serves the same purpose as a Kubernetes Ingress (Routes predate Ingress). When a Route object is created it is, by default, picked up by the built-in HAProxy-based router. Since OCP 3.10 an OpenShift ingress controller implementation watches Ingress objects and creates one or more Routes to fulfill the conditions they specify.
K8s | OpenShift
---|---
Namespace | Project
Ingress | Route
Deployment | DeploymentConfig
Helm | Templates
Installation
Prerequisites (the variable names are openshift-ansible inventory variables)
- base DNS domain
- 2 different network CIDRs, both virtual ranges:
  - the pod network: osm_cluster_network_cidr
  - the services network: openshift_portal_net
- All of the hosts in the cluster must be resolvable via DNS. If a control node is used to run the Ansible installer, it too must be able to resolve all hosts in the cluster.
- public master DNS: openshift_master_cluster_public_hostname
- internal master DNS: openshift_master_cluster_hostname
S2I
s2i scripts (1) -> source code (2) -> builder image (3)
# | component | note
---|---|---
1 | s2i scripts | assemble, run
2 | source code | arg1; injected into the builder image at /tmp/src, where assemble picks it up
3 | builder image | arg2