Configuring Kuryr SDN

You are viewing documentation for a release that is no longer supported. The latest supported version of version 3 is [3.11]. For the most recent version 4, see [4]

Kuryr SDN and OKD

Prior to OKD 3.10.119, the ability to configure Kuryr SDN was a Technology Preview feature.

Kuryr (or more specifically Kuryr-Kubernetes) is an SDN solution built using CNI and OpenStack Neutron. Its advantages include being able to use a wide range of Neutron SDN backends and providing inter-connectivity between Kubernetes pods and OpenStack virtual machines (VMs).

Kuryr-Kubernetes and OKD integration is primarily designed for OKD clusters running on OpenStack VMs. Kuryr-Kubernetes components are installed as pods on OKD in the openshift-infra namespace:

  • kuryr-controller - a single service instance, installed on any node. Modeled in OKD as a Deployment.

  • kuryr-cni - container installing and configuring Kuryr as CNI driver on each OKD node. Modeled in OKD as a DaemonSet.

Installation

The system running openshift-ansible must be subscribed to the OSP as well as OCP repositories. The OpenStack integration requires a few extra packages. To install the dependencies, run:

  $ sudo yum install -y ansible openshift-ansible python2-shade python-dns \
      python2-heatclient python2-octaviaclient python-openstackclient bind-utils

In the Ansible nodes file, specify the following parameters in order to set up Kuryr-Kubernetes as the network plug-in:

  # Enable Kuryr.
  openshift_use_openshift_sdn=False
  openshift_use_kuryr=True
  os_sdn_network_plugin_name=cni
  # Set userspace so that there are no iptables remains.
  openshift_node_proxy_mode='userspace'
  # Keystone URL.
  kuryr_openstack_auth_url=http://127.0.0.1/identity
  # OpenStack domain name of user owning Kuryr resources.
  kuryr_openstack_user_domain_name=default
  # OpenStack project name of user owning Kuryr resources.
  kuryr_openstack_user_project_name=admin
  # OpenStack project id for Kuryr resources.
  kuryr_openstack_project_id=ec0b31802fd043c08bc15b74d2f9a3d3
  # OpenStack username that will own Kuryr resources.
  kuryr_openstack_username=admin
  # Password for that user.
  kuryr_openstack_password=password
  # Default Neutron security groups' IDs for Kubernetes pods.
  kuryr_openstack_pod_sg_id=f74c83a8-a520-421a-930e-21b6cd098c6a,01f85594-9950-4ded-a92c-5ad546a41188
  # Default Neutron subnet ID for Kubernetes pods.
  kuryr_openstack_pod_subnet_id=c85cdee6-0ed1-4d8f-ae61-7afa4674b311
  # Default OpenStack project ID for Kubernetes resources.
  kuryr_openstack_pod_project_id=ec0b31802fd043c08bc15b74d2f9a3d3
  # Neutron subnet ID for Kubernetes worker node VMs.
  kuryr_openstack_worker_nodes_subnet_id=477cfa49-e641-4d31-a7b5-5bc834743f61
  # Default Neutron subnet ID for Kubernetes services.
  kuryr_openstack_service_subnet_id=3b31a106-4084-4db9-bc0c-00b97afe186e
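A pre-flight check for the Kuryr settings in the nodes file, as an added example that is not part of the original documentation or of openshift-ansible. The function names and the two hardening checks (Keystone URL scheme, clear-text password) are assumptions of this example; the parameter names are the ones listed above.

```python
import re
from urllib.parse import urlparse

# Values the page sets to make Kuryr-Kubernetes the network plug-in.
REQUIRED = {"openshift_use_openshift_sdn": "false", "openshift_use_kuryr": "true",
            "os_sdn_network_plugin_name": "cni", "openshift_node_proxy_mode": "userspace"}
# OpenStack identifiers the page's nodes file supplies (pod_sg_id is a comma list).
ID_KEYS = ["kuryr_openstack_" + s for s in (
    "project_id", "pod_sg_id", "pod_subnet_id", "pod_project_id",
    "worker_nodes_subnet_id", "service_subnet_id")]
ID_RE = re.compile(r"[0-9a-f]{32}|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")

# Constructed sample: a fragment of the page's example values.
SAMPLE = """\
openshift_use_kuryr=True
openshift_node_proxy_mode='userspace'
kuryr_openstack_auth_url=http://127.0.0.1/identity
kuryr_openstack_password=password
kuryr_openstack_pod_sg_id=f74c83a8-a520-421a-930e-21b6cd098c6a,01f85594-9950-4ded-a92c-5ad546a41188
"""

def parse_vars(text):
    """Map key -> value for key=value lines; skip comments and [section] headers."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;[" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip().strip("'\"")
    return out

def lint(text):
    """Return findings (strings); an empty list means every check passed."""
    v, findings = parse_vars(text), []
    for key, want in REQUIRED.items():
        if v.get(key, "").lower() != want:
            findings.append(f"{key}: expected {want}, got {v.get(key)!r}")
    for key in ID_KEYS:
        ids = v.get(key, "").split(",")
        if not all(ID_RE.fullmatch(i.strip()) for i in ids):
            findings.append(f"{key}: missing or not an OpenStack ID")
    if urlparse(v.get("kuryr_openstack_auth_url", "")).scheme != "https":
        findings.append("kuryr_openstack_auth_url: Keystone URL is not https")
    if "kuryr_openstack_password" in v:
        findings.append("kuryr_openstack_password: clear-text secret in inventory")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Run against the complete example values above, only the last two findings remain; keeping the password in an Ansible Vault-encrypted variables file instead of the nodes file clears the second.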

You must also specify an OpenStack cloud provider as described in the OpenStack configuration documentation.

Prior to the installation, you must also provide a DNS server that the OKD nodes will use for internal name resolution. OpenStack does not provide node name resolution out of the box. In the following example, 10.20.30.40 is the IP address of the DNS server:

  openshift_openstack_dns_nameservers=[10.20.30.40]

If the DNS server supports remote updates via nsupdate (RFC 2136), the playbooks can populate it automatically if you add the following configuration:

  openshift_openstack_external_nsupdate_keys={private: {"key_secret": "<nsupdate key>", "key_algorithm": "<nsupdate key algorithm>", "key_name": "<nsupdate key name>", "server": 10.20.30.40}}

Finally, install OKD by running the provision_install.yml playbook. You must specify the dynamic inventory file, inventory.py, and the path to the Ansible nodes file that you created:

  $ ansible-playbook --user openshift \
      -i /usr/share/ansible/openshift-ansible/playbooks/openstack/inventory.py \
      -i ansible-nodes.txt \
      /usr/share/ansible/openshift-ansible/playbooks/openstack/openshift-cluster/provision_install.yml

If you want to do any custom setup on the created nodes before the OKD installation, you can run the provision.yml and install.yml playbooks separately. provision.yml will create the OpenStack resources (nodes, networks, and so on) and install.yml will install OKD.

Verification

Once the installation of OKD is finished, you can check if Kuryr pods are deployed successfully:

  $ oc -n openshift-infra get pods -o wide
  NAME                                READY   STATUS    RESTARTS   AGE   IP              NODE
  bootstrap-autoapprover-0            1/1     Running   0          3d    10.11.0.7       master-0.openshift.example.com
  kuryr-cni-ds-66kt2                  2/2     Running   0          3d    192.168.99.14   infra-node-0.openshift.example.com
  kuryr-cni-ds-ggcpz                  2/2     Running   0          3d    192.168.99.16   master-0.openshift.example.com
  kuryr-cni-ds-mhzjt                  2/2     Running   0          3d    192.168.99.6    app-node-1.openshift.example.com
  kuryr-cni-ds-njctb                  2/2     Running   0          3d    192.168.99.12   app-node-0.openshift.example.com
  kuryr-cni-ds-v8hp8                  2/2     Running   0          3d    192.168.99.5    infra-node-1.openshift.example.com
  kuryr-controller-59fc7f478b-qwk4k   1/1     Running   0          3d    192.168.99.5    infra-node-1.openshift.example.com

A kuryr-cni pod should run on every OKD node. A single kuryr-controller instance should run on any one of the nodes.
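The same verification as a script, as an added example that is not part of the original documentation. It parses `oc -n openshift-infra get pods -o wide` output and reports nodes without a ready kuryr-cni pod or a kuryr-controller count other than one; the sample output, the node list and the function names are constructed for this example.

```python
from collections import Counter

# Constructed sample: shortened host names, one kuryr-cni pod not ready,
# and no kuryr-cni pod at all on app-node-1.
SAMPLE = """\
NAME                               READY  STATUS   RESTARTS  AGE  IP             NODE
bootstrap-autoapprover-0           1/1    Running  0         3d   10.11.0.7      master-0
kuryr-cni-ds-66kt2                 2/2    Running  0         3d   192.168.99.14  infra-node-0
kuryr-cni-ds-ggcpz                 1/2    Running  0         3d   192.168.99.16  master-0
kuryr-cni-ds-njctb                 2/2    Running  0         3d   192.168.99.12  app-node-0
kuryr-controller-59fc7f478b-qwk4k  1/1    Running  0         3d   192.168.99.5   infra-node-0
"""
NODES = ["master-0", "infra-node-0", "app-node-0", "app-node-1"]  # assumed node list


def parse_pods(text):
    """Yield (name, ready, total, status, node) from `-o wide` table rows."""
    for row in text.splitlines()[1:]:
        cols = row.split()
        if len(cols) >= 7:
            ready, total = map(int, cols[1].split("/"))
            yield cols[0], ready, total, cols[2], cols[6]


def check_kuryr(text, nodes):
    """Return findings; an empty list means the deployment matches the page."""
    findings, cni_nodes, controllers = [], Counter(), 0
    for name, ready, total, status, node in parse_pods(text):
        if not name.startswith("kuryr-"):
            continue
        if status != "Running" or ready != total:
            findings.append(f"{name} on {node}: {ready}/{total} {status}")
        if name.startswith("kuryr-cni"):
            cni_nodes[node] += 1
        elif name.startswith("kuryr-controller"):
            controllers += 1
    for node in nodes:
        if cni_nodes[node] != 1:
            findings.append(f"{node}: {cni_nodes[node]} kuryr-cni pods, expected 1")
    if controllers != 1:
        findings.append(f"{controllers} kuryr-controller pods, expected 1")
    return findings


if __name__ == "__main__":
    print("\n".join(check_kuryr(SAMPLE, NODES)))
```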

Network policies, namespace isolation and nodeport services are not supported when Kuryr SDN is enabled.