1 .. contents:: Table of Contents
4 =======================
5 Netvirt COE Integration
6 =======================
8 https://git.opendaylight.org/gerrit/#/q/topic:coe_integration
10 This spec proposes how to integrate COE and Netvirt projects for enabling
11 networking(L2 and L3 support) for containers.
13 COE(Container Orchestration Engine) project aims at developing a framework for integrating
14 Container Orchestration Engine (like Kubernetes) and OpenDaylight. Netvirt will serve as
15 the backend for COE, as Netvirt provides generic enough constructs which will work
16 for VMs as well as Containers.
21 Current Netvirt project does not have a driver that will work with Kubernetes baremetal cluster.
22 COE project aims at enabling the same, and will require a plugin in Netvirt project
23 to convert the events from Kubernetes to the required constructs in Netvirt.
27 k8s imposes some fundamental requirements on the networking implementation:
29 * All containers can communicate without NAT.
31 * All nodes can communicate with containers without NAT.
33 * The IP the container sees itself is the same IP that others see.
35 The Kubernetes model is for each pod to have an IP in a flat shared namespace
36 that allows full communication with physical computers and containers across
39 High-Level Components:
40 ======================
42 The high level view of the end to end solution is given in the below picture :
44 .. image:: images/coe-netvirt-integration-components.PNG
50 A new module called `coe` will be added in Netvirt which will serve as the watcher
51 for all the container orchestration related events. This module will be responsible for
52 converting the COE related constructs to Netvirt constructs.
60 COE will be using DHCP dynamic allocation feature in Netvirt, which has some missing parts
61 for the integration to work. DHCP module's bind service logic so far works only for neutron ports.
62 This has to be enhanced to work for k8s pods as well.
67 ARP responder logic of Netvirt works only for neutron ports, this needs enhancements to work with
68 k8s ports, so that ARP responses can be sent from OVS directly, without the need for sending the same
77 IntefaceManager currently treats only nova port patterns(tap/vhu) as well as tunnel port patterns as
78 unique. For any other portnames datapath-node-id will be prefixed to the port-name. CNI plugin
79 creates unique ports which starts with "veth" prefix, and this needs to be added to the set of unique
80 port patterns in Genius.
87 This will enable default Kubernetes behavior to allow all
88 traffic from all sources inside or outside the cluster to all pods within the
89 cluster. This use case does not add multi-tenancy support.
93 Network isolation policy will impose limitations on the connectivity from an optional set of
94 traffic sources to an optional set of destination TCP/UDP ports.
95 Regardless of network policy, pods should be accessible by the host on which
96 they are running to allow local health checks. This use case does not address
99 More enhanced use cases can be added in the future, that will allow to add
106 In order to support Kubernetes networking via Netvirt, we should define how
107 COE model maps into Netvirt model.
110 +-----------------+-------------------+---------------------------------------+
111 | **COE entity** | **Netvirt entity**| **notes** |
112 +=================+===================+=======================================+
113 |node + namespace | elan-instance | Whenever the first pod under |
114 | | | a namespace in a node is created,an |
115 | | | elan-instance has to be created. |
116 +-----------------+-------------------+---------------------------------------+
117 |namespace | vpn-instance | Whenever the first pod under a |
118 | | | namespace is created, a vpn-instance |
119 | | | has to be created. |
120 +-----------------+-------------------+---------------------------------------+
121 |pod | elan-interface | For each pod created, an |
122 | | | elan-interface has to be created, |
123 | | | based on its node and namespace |
124 +-----------------+-------------------+---------------------------------------+
125 |pod | vpn-interface | For each pod created, a |
126 | | | vpn-interface has to be created, |
127 | | | based on its namespace |
128 +-----------------+-------------------+---------------------------------------+
133 No pipeline changes will be introduced as part of this feature.
138 Configure DHCP Pool(Optional)
139 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
140 #. netvirt/dhcpmanager: For an immediate solution, a flat dhcp pool will be precreated
141 manually, and IPs will be allocated for PODs from this pool.
142 #. netvirt/dhcpmanager: For an immediate solution, a flat service pool will be precreated
143 manually, and IPs will be allocated for SERVICEs from this pool.
147 #. coe/coe-northbound: User created a POD
148 #. netvirt/coe: When the first POD is created under a namespace in a node, coe module in Netvirt will
149 create an elan-instance with node-ip:namespace as the name. Also, for each POD, an ietf-interface
150 as well as an elan-interface objects will be created in the MD-SAL datastore, with name
151 set as "namespace:pod-name".
152 #. netvirt/coe: When the first POD is created under a namespace, coe module in Netvirt will
153 create a vpn-instance with namespace as the name. Also, for each POD, a vpn-interface object
154 will be created in the MD-SAL datastore with name set as "namespace:pod-name".
155 #. coe/cni-plugin: The cni plugin in k8s will create the tap port on the OVS with external-id
156 set to the "namespace:pod-name".
157 #. genius/interfacemanager: Whenever the tapport is created, interfacemanager will take care of
158 programming table0(Lport Ingress Table) and table220(Egress Dispatcher Table) programming,
159 and population of interface-state.
160 #. netvirt/elanmanager: Whenever interface-state is created, elanmanager will take care of
161 populating all L2 related flows in OVS.
162 #. netvirt/vpnmanager: Whenever interface-state is created, vpnmanager will take care of
163 populating all L3 related flows in OVS.
168 #. netvirt/coe: When a pod is attached to a service, floating-ip-info has to be populated
169 #. netvirt/natmanager: Listens on floating-ip-changes and do the NATing as it is done currently.
174 #. netvirt/coe: When a pod is removed from a service, corresponding floating-ip-info will be removed.
175 #. netvirt/natmanager: Listens on floating-ip-changes and remove the NAT rules approporiately.
180 #. coe/coe-northbound: User deleted a POD
181 #. netvirt/coe: When the last POD is deleted under a namespace in a node, coe module in Netvirt will
182 delete the elan-instance with namespace as the name. Also, for each POD, the corresponding ietf-interface
183 as well as an elan-interface and vpn-interface objects will be deleted in the MD-SAL datastore.
184 #. coe/cni-plugin: The cni plugin in k8s will delete the tap port on the OVS.
185 #. genius/interfacemanager: Whenever the tapport is deleted, interfacemanager will take care of
186 deleting table0(Lport Ingress Table) and table220(Egress Dispatcher Table)
187 flows on OVS, and deletion of interface-state.
188 #. netvirt/elanmanager: Whenever interface-state is deleted, elanmanager will take care of
189 removing all L2 related flows in OVS.
190 #. netvirt/vpnmanager: Whenever interface-state is deleted, vpnmanager will take care of
191 removing all L3 related flows in OVS.
199 This feature support all the following Reboot Scenarios for EVPN:
200 * Entire Cluster Reboot
202 * Candidate PL reboot
203 * OVS Datapath reboots
204 * Multiple PL reboots
205 * Multiple Cluster reboots
206 * Multiple reboots of the same OVS Datapath.
207 * Openstack Controller reboots
209 Clustering considerations
210 -------------------------
211 The feature should operate in ODL Clustered environment reliably.
213 Other Infra considerations
214 --------------------------
217 Security considerations
218 -----------------------
221 Scale and Performance Impact
222 ----------------------------
223 Not covered by this Design Document.
231 An alternative for container networking is to use kuryr-kubernetes which will
232 work with ODL as backend. However the same will not work in an environement where Openstack
233 is not present. There are scenarios where Baremetal Kubernetes clusters have to work without
234 Openstack, and this feature comes into picture there.
241 This feature add the below new feature :
251 **URL:** restconf/config/dhcp_allocation_pool:dhcp_allocation_pool/
258 "dhcp_allocation_pool:network": [
260 "dhcp_allocation_pool:allocation-pool": [
262 "dhcp_allocation_pool:subnet": "192.168.10.0/24",
263 "dhcp_allocation_pool:allocate-to": "192.168.10.50",
264 "dhcp_allocation_pool:gateway": "192.168.10.2",
265 "dhcp_allocation_pool:allocate-from": "192.168.10.3"
268 "dhcp_allocation_pool:network-id": "pod-namespace"
273 Creating POD directly in COE
274 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
276 **URL:** restconf/config/pod:coe
285 "pod:version": "Some version",
286 "pod:uid": "AC092D9B-E9Eb-BAE2-eEd8-74Aca2B7Fa9C",
289 "pod:uid": "7bA91A3A-f17E-2eBB-eDec-3BBBEa27DCa7",
290 "pod:ip-address": "0.147.0.7",
291 "pod:network-id": "fBAD80df-B0B4-0580-8D14-11FcaCED2ac6",
292 "pod:network-type": "FLAT",
293 "pod:segmentation-id": "0"
300 Creating SERVICE directly in COE
301 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
303 **URL:** restconf/config/service:service-information
310 "service:service-information": {
311 "service:services": [
313 "service:uid": "EeafFFB7-D9Fc-aAeD-FBc9-8Af8BFaacDD9",
314 "service:cluster-ip-address": "5.21.5.0",
315 "service:endpoints": [
316 "AFbcF0EB-Fc3f-acea-A438-5CFDfCEfbcb0"
327 Faseela K <faseela.k@ericsson.com>
330 Frederick Kautz <fkautz@redhat.com>
332 Mohamed El-serngawy <m.elserngawy@gmail.com>
346 This feature will support following use cases:
348 * TC 1: Create a POD within a node under a namespace
349 * TC 2: Attach a POD to service
350 * TC 3: Remove a POD from service
351 * TC 4: Delete a POD from a namespace
355 CSIT will be enhanced to cover this feature by providing new CSIT tests.
359 This will require changes to User Guide and Developer Guide.
364 * OpenStack Spec - https://review.openstack.org/#/c/453160
365 * kuryr k8s integration - https://review.openstack.org/#/c/281132/14/doc/source/specs/mitaka/kuryr_k8s_integration.rst
366 * cni plugin proposal - https://docs.google.com/presentation/d/1-gBGZ1zQQ1d9-ZLPuBbWx5PTb9MgxduRoAl2Z7gL2Zo/edit#slide=id.g29f465fad4_0_86
367 * coe cni specification - https://docs.google.com/presentation/d/1DPfRSc11CzTa_qzvzQ-P7wQH0dPylag4eYT9sH06ajg/edit#slide=id.p