Attaching a pod to an additional network

As a cluster user you can attach a pod to an additional network.

Adding a pod to an additional network

You can add a pod to an additional network. The pod continues to send normal cluster-related network traffic over the default network.

When a pod is created additional networks are attached to it. However, if a pod already exists, you cannot attach additional networks to it.

The pod must be in the same namespace as the additional network.

Prerequisites

  • Install the OpenShift CLI (oc).

  • Log in to the cluster.

Procedure

  1. Add an annotation to the Pod object. Only one of the following annotation formats can be used:

    1. To attach an additional network without any customization, add an annotation with the following format. Replace <network> with the name of the additional network to associate with the pod:

      1. metadata:
      2. annotations:
      3. k8s.v1.cni.cncf.io/networks: <network>[,<network>,...] (1)
      1To specify more than one additional network, separate each network with a comma. Do not include whitespace between the comma. If you specify the same additional network multiple times, that pod will have multiple network interfaces attached to that network.
    2. To attach an additional network with customizations, add an annotation with the following format:

      1. metadata:
      2. annotations:
      3. k8s.v1.cni.cncf.io/networks: |-
      4. [
      5. {
      6. "name": "<network>", (1)
      7. "namespace": "<namespace>", (2)
      8. "default-route": ["<default-route>"] (3)
      9. }
      10. ]
      1Specify the name of the additional network defined by a NetworkAttachmentDefinition object.
      2Specify the namespace where the NetworkAttachmentDefinition object is defined.
      3Optional: Specify an override for the default route, such as 192.168.17.1.
  2. To create the pod, enter the following command. Replace <name> with the name of the pod.

    1. $ oc create -f <name>.yaml
  3. Optional: To Confirm that the annotation exists in the Pod CR, enter the following command, replacing <name> with the name of the pod.

    1. $ oc get pod <name> -o yaml

    In the following example, the example-pod pod is attached to the net1 additional network:

    1. $ oc get pod example-pod -o yaml
    2. apiVersion: v1
    3. kind: Pod
    4. metadata:
    5. annotations:
    6. k8s.v1.cni.cncf.io/networks: macvlan-bridge
    7. k8s.v1.cni.cncf.io/networks-status: |- (1)
    8. [{
    9. "name": "openshift-sdn",
    10. "interface": "eth0",
    11. "ips": [
    12. "10.128.2.14"
    13. ],
    14. "default": true,
    15. "dns": {}
    16. },{
    17. "name": "macvlan-bridge",
    18. "interface": "net1",
    19. "ips": [
    20. "20.2.2.100"
    21. ],
    22. "mac": "22:2f:60:a5:f8:00",
    23. "dns": {}
    24. }]
    25. name: example-pod
    26. namespace: default
    27. spec:
    28. ...
    29. status:
    30. ...
    1The k8s.v1.cni.cncf.io/networks-status parameter is a JSON array of objects. Each object describes the status of an additional network attached to the pod. The annotation value is stored as a plain text value.

Specifying pod-specific addressing and routing options

When attaching a pod to an additional network, you may want to specify further properties about that network in a particular pod. This allows you to change some aspects of routing, as well as specify static IP addresses and MAC addresses. In order to accomplish this, you can use the JSON formatted annotations.

Prerequisites

  • The pod must be in the same namespace as the additional network.

  • Install the OpenShift Command-line Interface (oc).

  • You must log in to the cluster.

Procedure

To add a pod to an additional network while specifying addressing and/or routing options, complete the following steps:

  1. Edit the Pod resource definition. If you are editing an existing Pod resource, run the following command to edit its definition in the default editor. Replace <name> with the name of the Pod resource to edit.

    1. $ oc edit pod <name>
  2. In the Pod resource definition, add the k8s.v1.cni.cncf.io/networks parameter to the pod metadata mapping. The k8s.v1.cni.cncf.io/networks accepts a JSON string of a list of objects that reference the name of NetworkAttachmentDefinition custom resource (CR) names in addition to specifying additional properties.

    1. metadata:
    2. annotations:
    3. k8s.v1.cni.cncf.io/networks: '[<network>[,<network>,...]]' (1)
    1Replace <network> with a JSON object as shown in the following examples. The single quotes are required.
  3. In the following example the annotation specifies which network attachment will have the default route, using the default-route parameter.

    1. apiVersion: v1
    2. kind: Pod
    3. metadata:
    4. name: example-pod
    5. annotations:
    6. k8s.v1.cni.cncf.io/networks: '
    7. {
    8. "name": "net1"
    9. },
    10. {
    11. "name": "net2", (1)
    12. "default-route": ["192.0.2.1"] (2)
    13. }'
    14. spec:
    15. containers:
    16. - name: example-pod
    17. command: ["/bin/bash", "-c", "sleep 2000000000000"]
    18. image: centos/tools
    1The name key is the name of the additional network to associate with the pod.
    2The default-route key specifies a value of a gateway for traffic to be routed over if no other routing entry is present in the routing table. If more than one default-route key is specified, this will cause the pod to fail to become active.

The default route will cause any traffic that is not specified in other routes to be routed to the gateway.

Setting the default route to an interface other than the default network interface for OKD may cause traffic that is anticipated for pod-to-pod traffic to be routed over another interface.

To verify the routing properties of a pod, the oc command may be used to execute the ip command within a pod.

  1. $ oc exec -it <pod_name> -- ip route

You may also reference the pod’s k8s.v1.cni.cncf.io/networks-status to see which additional network has been assigned the default route, by the presence of the default-route key in the JSON-formatted list of objects.

To set a static IP address or MAC address for a pod you can use the JSON formatted annotations. This requires you create networks that specifically allow for this functionality. This can be specified in a rawCNIConfig for the CNO.

  1. Edit the CNO CR by running the following command:

    1. $ oc edit networks.operator.openshift.io cluster

The following YAML describes the configuration parameters for the CNO:

Cluster Network Operator YAML configuration

  1. name: <name> (1)
  2. namespace: <namespace> (2)
  3. rawCNIConfig: '{ (3)
  4. ...
  5. }'
  6. type: Raw
1Specify a name for the additional network attachment that you are creating. The name must be unique within the specified namespace.
2Specify the namespace to create the network attachment in. If you do not specify a value, then the default namespace is used.
3Specify the CNI plug-in configuration in JSON format, which is based on the following template.

The following object describes the configuration parameters for utilizing static MAC address and IP address using the macvlan CNI plug-in:

macvlan CNI plug-in JSON configuration object using static IP and MAC address

  1. {
  2. "cniVersion": "0.3.1",
  3. "name": "<name>", (1)
  4. "plugins": [{ (2)
  5. "type": "macvlan",
  6. "capabilities": { "ips": true }, (3)
  7. "master": "eth0", (4)
  8. "mode": "bridge",
  9. "ipam": {
  10. "type": "static"
  11. }
  12. }, {
  13. "capabilities": { "mac": true }, (5)
  14. "type": "tuning"
  15. }]
  16. }
1Specifies the name for the additional network attachment to create. The name must be unique within the specified namespace.
2Specifies an array of CNI plug-in configurations. The first object specifies a macvlan plug-in configuration and the second object specifies a tuning plug-in configuration.
3Specifies that a request is made to enable the static IP address functionality of the CNI plug-in runtime configuration capabilities.
4Specifies the interface that the macvlan plug-in uses.
5Specifies that a request is made to enable the static MAC address functionality of a CNI plug-in.

The above network attachment can be referenced in a JSON formatted annotation, along with keys to specify which static IP and MAC address will be assigned to a given pod.

Edit the pod with:

  1. $ oc edit pod <name>

macvlan CNI plug-in JSON configuration object using static IP and MAC address

  1. apiVersion: v1
  2. kind: Pod
  3. metadata:
  4. name: example-pod
  5. annotations:
  6. k8s.v1.cni.cncf.io/networks: '[
  7. {
  8. "name": "<name>", (1)
  9. "ips": [ "192.0.2.205/24" ], (2)
  10. "mac": "CA:FE:C0:FF:EE:00" (3)
  11. }
  12. ]'
1Use the <name> as provided when creating the rawCNIConfig above.
2Provide an IP address including the subnet mask.
3Provide the MAC address.

Static IP addresses and MAC addresses do not have to be used at the same time, you may use them individually, or together.

To verify the IP address and MAC properties of a pod with additional networks, use the oc command to execute the ip command within a pod.

  1. $ oc exec -it <pod_name> -- ip a