OVN-Kubernetes -
The new default CNI of OpenShift
Patryk Diak, Senior Software Engineer, OpenShift Networking Team
Surya Seetharaman, Senior Software Engineer, OpenShift Networking Team
16/06/2023 1
Agenda
- Key things that will be covered in this session
➔ Kubernetes & OpenShift Networking - At a Glance
➔ What is OVN (Open Virtual Networking)-Kubernetes?
➔ Why did we move to using OVN-Kubernetes
◆ Differences between OVN-Kubernetes and its predecessor OpenShift-SDN (Software Defined Networking)
➔ How are Kubernetes Networking constructs implemented in OVN-Kubernetes?
● OVN-K main components and network topology
● Pods and Services will be the focus
● Demo of OVN-K
Kubernetes Networking
Kubernetes Networking
- Where does OVN-Kubernetes belong in the Kubernetes world?
➔ Kubernetes fundamental networking requirements
◆ Every pod must have its own unique IP
◆ Pod-to-pod communication must be possible within the cluster without NAT (Network Address Translation)
◆ Node-to-pod communication must be seamless
➔ Kubernetes Networking Model
◆ K8s is a set of APIs; it is plugin-agnostic as far as networking is concerned
◆ Networking solutions are implemented on top of core K8s using the Container Network Interface (CNI) specification
◆ OVN-Kubernetes is one such CNI (others include flannel, antrea, cilium, calico, etc.)
[Figure: Kubernetes -> CNI plugin -> Pod (eth0)]
OpenShift Networking
OVN-Kubernetes became the default CNI of OCP from the 4.12 release
OpenShift Networking
- Where does OVN-Kubernetes belong in the OpenShift world?
➔ OpenShift implements its networking fabric using the Cluster Network Operator (CNO)
➔ CNO supports 2 network types:
◆ OpenShift SDN - legacy default plugin
◆ OVN-Kubernetes - current default plugin since OCP 4.12
➔ Multus is a meta CNI plugin that allows pods to have multiple interfaces by interfacing with more than one type of CNI plugin
OpenShift Networking
- Where does OVN-Kubernetes belong in the OpenShift world?
[Figure: OpenShift CNI Interoperability Support Matrix, version 2023-05-17. Default/core: OVNK, OpenShift SDN. Other plugins: Tigera Calico, Cisco ACI, Isovalent Cilium, VMware NCP, VMware Antrea, Juniper CN2. Community: kuryr-kubernetes.]
OVN-Kubernetes - What?
OpenShift-SDN: Legacy Network Provider
- What is OpenShift Software Defined Networking?
➔ OpenShift-specific legacy CNI
➔ Uses iptables and OVS (Open Virtual Switch) to configure the Kubernetes networking
➔ Nodes in the cluster are connected using Virtual Extensible Local Area Network (VXLAN) tunnels to provide overlay networking (east-west traffic)
➔ Runs kube-proxy on each node to provide support for Kubernetes services
[Figure: Kubernetes API -> OpenShift SDN -> OVS and kube-proxy -> Kernel Networking Stack]
OVN-Kubernetes
- Open Virtual Networking for Kubernetes, a.k.a. OVN-K8s
➔ Open source project that provides a robust networking solution for Kubernetes clusters
➔ Has OVN (Open Virtual Networking) and OVS (Open Virtual Switch) at its core
◆ Uses them as the abstraction layers to manage cluster networking traffic flows on the node
➔ Uses the GENEVE (Generic Network Virtualization Encapsulation) protocol between nodes to provide overlay networking (east-west traffic)
➔ Creates a logical network topology per node and connects them together
◆ logical routers, switches, pod ports
Technology Highlights Comparison
Wait a minute…! Does that look too familiar? If so, what changed and why did we move?

Legacy OpenShift SDN Plugin     | OVN-Kubernetes
--------------------------------|--------------------------------
Creates veth pairs              | Creates veth pairs
Creates an OVS switch           | Creates an OVS switch
Central IPAM controller         | Central IPAM controller
OVS flows for Network Policies  | OVS flows for Network Policies
VXLAN tunnels between nodes     | GENEVE tunnels between nodes
IPTable rules for Services      | OVN constructs for Services
IPTable rules for NATing        | OVN constructs for NATing

- veth - Virtual Ethernet
- IPAM - Internet Protocol Address Manager (here in the context of allocating pod IPs)
OVN-Kubernetes - Why?
Why did we move to OVN-K?
Easier*** development
➔ OVN as the new abstraction layer!
◆ SDN: Directly touching the OpenFlow flows, which was complicated
◆ OVN-K: Adds human-readable logical constructs closer to real-world representations

Flexible architecture close to real-world representations
➔ OVNK has a flexible/expandable architecture that enables faster feature development
◆ SDN: iptables (kube-proxy for services) is restrictive
◆ OVNK: We have an entire engine (and the OVN team) behind it

Win-win at the community level
➔ OVN-K is an open source project
◆ SDN: Was used only in OpenShift
◆ OVNK: Vibrant upstream community & easier alignment downstream
OVN-Kubernetes - How?
OVN-Kubernetes Architecture
- Components running in the Control Plane
➔ OVN-Kubernetes Master (ovnkube-master)
◆ OVN-Kubernetes component
◆ Watches the K8s API for objects: namespaces, pods, services, endpoints, network policies
◆ Translates K8s objects into OVN logical entities
◆ Stores OVN entities in the NorthBound Database (NBDB)
◆ Manages pod subnet allocation to nodes (pod IPAM)
➔ OVN-native components
◆ NBDB, Northd and SBDB, which translate the entities created by OVNK-Master into OVN logical (traffic) flows
➔ OVN NorthBound Database (NBDB)
◆ Native OVN component
◆ 3 replicas across control plane nodes
[Figure: control plane node running ovnkube-master, NBDB, ovn-northd and SBDB]
Mapping of Kubernetes objects to OVN entities
- The NorthBound Database contains the OVN logical entities

Kubernetes Objects             | OVN Logical Entities
-------------------------------|------------------------------------------------------------------
Node                           | Switch, Router, Routes
Namespace                      | Address-Sets (a collection of pod IPs in the OVN world)
Pod                            | Logical Switch Ports, Address-Sets, NATs, Router Policies, Routes
Service, Endpoint              | Load Balancer
Network Policy, EgressFirewall | Port Groups, Access Control List (ACL), Address-Sets
EgressIP, EgressService        | NAT, Router Policies
EgressQoS                      | Logical Switch Quality of Service (QoS) Rule
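The Network Policy row worked through as an added example (this is illustrative code, not ovn-kubernetes' own): an ingress NetworkPolicy is turned into the ACL rows that ovnkube-master would store in the NBDB against the Port Group holding the selected pods' Logical Switch Ports, using OVN match syntax (@port_group, $address_set). The ACL priorities, the a_... naming and the sample_ns_resolver lookup are assumptions; the real controller derives hashed names and resolves selectors against the API.

```python
import re
from typing import Callable, Dict, List

PRIO_DEFAULT_DENY = 1000  # assumed ovn-kubernetes priority for the default-deny ACL
PRIO_ALLOW = 1001         # assumed ovn-kubernetes priority for allow ACLs

def ovn_name(*parts: str) -> str:
    # Assumed naming; ovn-kubernetes actually uses hashed ids. Names referenced as
    # $addrset / @portgroup inside an OVN match must be plain identifiers.
    return "a_" + re.sub(r"[^A-Za-z0-9_]", "_", "_".join(parts))

def _peer_match(peer: Dict, ns_for: Callable[[Dict], List[str]]) -> List[str]:
    """One 'from' peer -> match fragments: ipBlock = literal CIDR minus 'except';
    namespaceSelector = one Address_Set per matched namespace (its pod IPs)."""
    if "ipBlock" in peer:
        m = f"ip4.src == {peer['ipBlock']['cidr']}"
        for ex in peer["ipBlock"].get("except", []):
            m += f" && ip4.src != {ex}"
        return [f"({m})"]
    return [f"ip4.src == ${ovn_name(ns, 'v4')}" for ns in ns_for(peer["namespaceSelector"])]

def policy_to_acls(policy: Dict, ns_for: Callable[[Dict], List[str]]) -> List[Dict]:
    """Ingress NetworkPolicy -> OVN ACL rows (direction, priority, match, action)
    on the Port Group that holds the selected pods' Logical Switch Ports."""
    ns, name = policy["metadata"]["namespace"], policy["metadata"]["name"]
    pg = ovn_name(ns, name)
    # Default deny: anything destined to the selected pods and not allowed below is dropped.
    acls = [{"direction": "to-lport", "priority": PRIO_DEFAULT_DENY,
             "match": f"outport == @{pg} && ip", "action": "drop"}]
    for rule in policy["spec"].get("ingress", []):
        srcs = [s for p in rule.get("from", []) for s in _peer_match(p, ns_for)]
        src = f" && ({' || '.join(srcs)})" if srcs else ""  # no 'from': any source
        for port in rule.get("ports") or [None]:             # no 'ports': any port
            proto = port.get("protocol", "TCP").lower() if port else ""
            l4 = f" && {proto} && {proto}.dst == {port['port']}" if port else ""
            acls.append({"direction": "to-lport", "priority": PRIO_ALLOW,
                         "match": f"outport == @{pg}{src}{l4}", "action": "allow-related"})
    return acls

# Constructed sample: "api" pods in "shop" accept 8080/TCP from team=web namespaces
# and from 10.0.0.0/8 except 10.0.5.0/24; all other traffic to them is dropped.
SAMPLE_POLICY = {"metadata": {"namespace": "shop", "name": "allow-frontend"}, "spec": {
    "podSelector": {"matchLabels": {"app": "api"}},
    "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"team": "web"}}},
                          {"ipBlock": {"cidr": "10.0.0.0/8", "except": ["10.0.5.0/24"]}}],
                 "ports": [{"protocol": "TCP", "port": 8080}]}]}}

def sample_ns_resolver(selector: Dict) -> List[str]:
    """Constructed stand-in for the API lookup ovnkube-master performs."""
    return ["web-a", "web-b"] if selector.get("matchLabels") == {"team": "web"} else []
```

Because the deny ACL sits at a lower priority than every allow ACL, a policy with an empty ingress list yields only the drop row, which is the isolation behaviour the Kubernetes API promises.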
OVN-Kubernetes Architecture
- Components running in the Control Plane
➔ OVN-Northd (ovn-northd)
◆ Native OVN component
◆ Reads changes in NBDB
◆ Translates the OVN logical entities into OVN logical flows
◆ Saves these flows into SBDB
➔ OVN SouthBound Database (SBDB)
◆ Native OVN component
◆ 3 replicas across control plane nodes
OVN-Kubernetes Architecture
- Components running in the Data Plane
➔ OVN-Kubernetes Node (ovnkube-node)
◆ OVN-Kubernetes component
◆ Runs the CNI executable (CNI ADD/DEL)
◆ Digests the IPAM annotation set on the pod by the master
◆ Creates the veth pair for the pod
◆ Creates the OVS port on the bridge
➔ OVN and OVS native components
◆ OVN-Controller and OVS, which translate the entities created by the control plane into OVS (traffic) flows
➔ OVN-Controller (ovn-controller)
◆ OVN native component
◆ Connects to the SBDB running in the control plane using TLS
◆ Converts SBDB logical flows into OpenFlow flows
◆ Writes them to OVS
➔ Open vSwitch
◆ OVS native component
◆ OVS process run via systemd on the host
◆ Virtual switch that pushes the network plumbing to the edge on the node
[Figure: data plane node running ovnkube-node and ovn-controller, with OVS and its bridge attached to the NIC]
OVN-Kubernetes Demo
OVN-Kubernetes Networking Topology
Additional Features in OVN-Kubernetes
■ Egress IP
○ Ensures that the traffic from selected pods has a consistent source IP address for services outside the cluster network
■ Egress Firewall
○ Restricts egress traffic leaving the OpenShift cluster
○ Allows users to specify DNS names that resolve to an IP
■ Hybrid overlay
○ Allows networking in a cluster consisting of both Windows and Linux nodes
■ And more…
Thank You
Q&A?