Updating node network configuration

    OpenShift Container Platform uses to report on and configure the state of the node network. This makes it possible to modify network policy configuration, such as by creating a Linux bridge on all nodes, by applying a single configuration manifest to the cluster.

    Node networking is monitored and updated by the following objects:

    NodeNetworkState

    Reports the state of the network on that node.

    NodeNetworkConfigurationPolicy

    Describes the requested network configuration on nodes. You update the node network configuration, including adding and removing interfaces, by applying a NodeNetworkConfigurationPolicy manifest to the cluster.

    NodeNetworkConfigurationEnactment

    Reports the network policies enacted upon each node.

    OpenShift Container Platform supports the use of the following nmstate interface types:

    • Linux Bridge

    • VLAN

    • Bond

    • Ethernet

    Creating an interface on nodes

    Create an interface on nodes in the cluster by applying a NodeNetworkConfigurationPolicy manifest to the cluster. The manifest details the requested configuration for the interface.

    By default, the manifest applies to all nodes in the cluster. To add the interface to specific nodes, add the spec: nodeSelector parameter and the appropriate <key>:<value> for your node selector.

    You can configure multiple nmstate-enabled nodes concurrently. The configuration applies to 50% of the nodes in parallel. This strategy prevents the entire cluster from being unavailable if the network connection fails. To apply the policy configuration in parallel to a specific portion of the cluster, use the maxUnavailable field.

    Procedure

    1. Create the NodeNetworkConfigurationPolicy manifest. The following example configures a Linux bridge on all worker nodes and configures the DNS resolver:

      1Name of the policy.
      2Optional: If you do not include the nodeSelector parameter, the policy applies to all nodes in the cluster.
      3This example uses the node-role.kubernetes.io/worker: “” node selector to select all worker nodes in the cluster.
      4Optional: Specifies the maximum number of nmstate-enabled nodes that the policy configuration can be applied to concurrently. This parameter can be set to either a percentage value (string), for example, “10%”, or an absolute value (number), such as 3.
      5Optional: Human-readable description for the interface.
      6Optional: Specifies the search and server settings for the DNS server.
    2. Create the node network policy:

      1. $ oc apply -f br1-eth1-policy.yaml (1)
      1File name of the node network configuration policy manifest.

    Confirming node network policy updates on nodes

    A NodeNetworkConfigurationPolicy manifest describes your requested network configuration for nodes in the cluster. The node network policy includes your requested network configuration and the status of execution of the policy on the cluster as a whole.

    When you apply a node network policy, a NodeNetworkConfigurationEnactment object is created for every node in the cluster. The node network configuration enactment is a read-only object that represents the status of execution of the policy on that node. If the policy fails to be applied on the node, the enactment for that node includes a traceback for troubleshooting.

    Procedure

    1. To confirm that a policy has been applied to the cluster, list the policies and their status:

      1. $ oc get nncp
    2. Optional: If a policy is taking longer than expected to successfully configure, you can inspect the requested state and status conditions of a particular policy:

      1. $ oc get nncp <policy> -o yaml
    3. Optional: If a policy is taking longer than expected to successfully configure on all nodes, you can list the status of the enactments on the cluster:

      1. $ oc get nnce
    4. Optional: To view the configuration of a particular enactment, including any error reporting for a failed configuration:

      1. $ oc get nnce <node>.<policy> -o yaml

    You can remove an interface from one or more nodes in the cluster by editing the NodeNetworkConfigurationPolicy object and setting the state of the interface to absent.

    Removing an interface from a node does not automatically restore the node network configuration to a previous state. If you want to restore the previous state, you will need to define that node network configuration in the policy.

    If you remove a bridge or bonding interface, any node NICs in the cluster that were previously attached or subordinate to that bridge or bonding interface are placed in a down state and become unreachable. To avoid losing connectivity, configure the node NIC in the same policy so that it has a status of up and either DHCP or a static IP address.

    Deleting the node network policy that added an interface does not change the configuration of the policy on the node. Although a NodeNetworkConfigurationPolicy is an object in the cluster, it only represents the requested configuration.
    Similarly, removing an interface does not delete the policy.

    Procedure

    1. Update the NodeNetworkConfigurationPolicy manifest used to create the interface. The following example removes a Linux bridge and configures the eth1 NIC with DHCP to avoid losing connectivity:

      1Name of the policy.
      2Optional: If you do not include the nodeSelector parameter, the policy applies to all nodes in the cluster.
      3This example uses the node-role.kubernetes.io/worker: “” node selector to select all worker nodes in the cluster.
      4Changing the state to absent removes the interface.
      5The name of the interface that is to be unattached from the bridge interface.
      6The type of interface. This example creates an Ethernet networking interface.
      7The requested state for the interface.
      8Optional: If you do not use dhcp, you can either set a static IP or leave the interface without an IP address.
      9Enables ipv4 in this example.
    2. Update the policy on the node and remove the interface:

      1. $ oc apply -f <br1-eth1-policy.yaml> (1)

    Example policy configurations for different interfaces

    Create a Linux bridge interface on nodes in the cluster by applying a NodeNetworkConfigurationPolicy manifest to the cluster.

    The following YAML file is an example of a manifest for a Linux bridge interface. It includes samples values that you must replace with your own information.

    1. apiVersion: nmstate.io/v1
    2. kind: NodeNetworkConfigurationPolicy
    3. metadata:
    4. name: br1-eth1-policy (1)
    5. spec:
    6. nodeSelector: (2)
    7. kubernetes.io/hostname: <node01> (3)
    8. desiredState:
    9. interfaces:
    10. - name: br1 (4)
    11. description: Linux bridge with eth1 as a port (5)
    12. type: linux-bridge (6)
    13. state: up (7)
    14. ipv4:
    15. dhcp: true (8)
    16. enabled: true (9)
    17. bridge:
    18. options:
    19. stp:
    20. enabled: false (10)
    21. port:
    22. - name: eth1 (11)
    1Name of the policy.
    2Optional: If you do not include the nodeSelector parameter, the policy applies to all nodes in the cluster.
    3This example uses a hostname node selector.
    4Name of the interface.
    5Optional: Human-readable description of the interface.
    6The type of interface. This example creates a bridge.
    7The requested state for the interface after creation.
    8Optional: If you do not use dhcp, you can either set a static IP or leave the interface without an IP address.
    9Enables ipv4 in this example.
    10Disables stp in this example.
    11The node NIC to which the bridge attaches.

    Example: VLAN interface node network configuration policy

    Create a VLAN interface on nodes in the cluster by applying a NodeNetworkConfigurationPolicy manifest to the cluster.

    The following YAML file is an example of a manifest for a VLAN interface. It includes samples values that you must replace with your own information.

    1. apiVersion: nmstate.io/v1
    2. kind: NodeNetworkConfigurationPolicy
    3. metadata:
    4. name: vlan-eth1-policy (1)
    5. spec:
    6. nodeSelector: (2)
    7. kubernetes.io/hostname: <node01> (3)
    8. desiredState:
    9. interfaces:
    10. description: VLAN using eth1 (5)
    11. type: vlan (6)
    12. state: up (7)
    13. vlan:
    14. id: 102 (9)
    1Name of the policy.
    2Optional: If you do not include the nodeSelector parameter, the policy applies to all nodes in the cluster.
    3This example uses a hostname node selector.
    4Name of the interface.
    5Optional: Human-readable description of the interface.
    6The type of interface. This example creates a VLAN.
    7The requested state for the interface after creation.
    8The node NIC to which the VLAN is attached.
    9The VLAN tag.

    Example: Bond interface node network configuration policy

    Create a bond interface on nodes in the cluster by applying a NodeNetworkConfigurationPolicy manifest to the cluster.

    • mode=1 active-backup

    • mode=2 balance-xor

    • mode=4 802.3ad

    • mode=5 balance-tlb

    • mode=6 balance-alb

    The following YAML file is an example of a manifest for a bond interface. It includes samples values that you must replace with your own information.

    1. apiVersion: nmstate.io/v1
    2. kind: NodeNetworkConfigurationPolicy
    3. metadata:
    4. name: bond0-eth1-eth2-policy (1)
    5. spec:
    6. nodeSelector: (2)
    7. kubernetes.io/hostname: <node01> (3)
    8. desiredState:
    9. interfaces:
    10. - name: bond0 (4)
    11. description: Bond with ports eth1 and eth2 (5)
    12. type: bond (6)
    13. state: up (7)
    14. ipv4:
    15. dhcp: true (8)
    16. enabled: true (9)
    17. link-aggregation:
    18. mode: active-backup (10)
    19. options:
    20. miimon: '140' (11)
    21. port: (12)
    22. - eth1
    23. - eth2
    24. mtu: 1450 (13)
    1Name of the policy.
    2Optional: If you do not include the nodeSelector parameter, the policy applies to all nodes in the cluster.
    3This example uses a hostname node selector.
    4Name of the interface.
    5Optional: Human-readable description of the interface.
    6The type of interface. This example creates a bond.
    7The requested state for the interface after creation.
    8Optional: If you do not use dhcp, you can either set a static IP or leave the interface without an IP address.
    9Enables ipv4 in this example.
    10The driver mode for the bond. This example uses an active backup mode.
    11Optional: This example uses miimon to inspect the bond link every 140ms.
    12The subordinate node NICs in the bond.
    13Optional: The maximum transmission unit (MTU) for the bond. If not specified, this value is set to 1500 by default.

    Configure an Ethernet interface on nodes in the cluster by applying a NodeNetworkConfigurationPolicy manifest to the cluster.

    The following YAML file is an example of a manifest for an Ethernet interface. It includes sample values that you must replace with your own information.

    1. apiVersion: nmstate.io/v1
    2. kind: NodeNetworkConfigurationPolicy
    3. metadata:
    4. name: eth1-policy (1)
    5. spec:
    6. nodeSelector: (2)
    7. kubernetes.io/hostname: <node01> (3)
    8. desiredState:
    9. interfaces:
    10. - name: eth1 (4)
    11. description: Configuring eth1 on node01 (5)
    12. type: ethernet (6)
    13. state: up (7)
    14. ipv4:
    15. dhcp: true (8)
    16. enabled: true (9)

    Example: Multiple interfaces in the same node network configuration policy

    You can create multiple interfaces in the same node network configuration policy. These interfaces can reference each other, allowing you to build and deploy a network configuration by using a single policy manifest.

    The following example YAML file creates a bond that is named bond10 across two NICs and VLAN that is named bond10.103 that connects to the bond.

    1Name of the policy.
    2Optional: If you do not include the nodeSelector parameter, the policy applies to all nodes in the cluster.
    3This example uses hostname node selector.
    4Name of the interface.
    5Optional: Human-readable description of the interface.
    6The type of interface.
    7The requested state for the interface after creation.
    8The driver mode for the bond.
    9Optional: This example uses miimon to inspect the bond link every 140ms.
    10The subordinate node NICs in the bond.
    11The node NIC to which the VLAN is attached.
    12The VLAN tag.
    13Optional: If you do not use dhcp, you can either set a static IP or leave the interface without an IP address.
    14Enables ipv4 in this example.

    Example: Linux bridge interface node network configuration policy to inherit static IP address from the NIC attached to the bridge

    Create a Linux bridge interface on nodes in the cluster and transfer the static IP configuration of the NIC to the bridge by applying a single NodeNetworkConfigurationPolicy manifest to the cluster.

    The following YAML file is an example of a manifest for a Linux bridge interface. It includes sample values that you must replace with your own information.

    1. apiVersion: nmstate.io/v1
    2. kind: NodeNetworkConfigurationPolicy
    3. metadata:
    4. name: br1-eth1-copy-ipv4-policy (1)
    5. spec:
    6. nodeSelector: (2)
    7. node-role.kubernetes.io/worker: ""
    8. capture:
    9. eth1-nic: interfaces.name=="eth1" (3)
    10. eth1-routes: routes.running.next-hop-interface=="eth1"
    11. br1-routes: capture.eth1-routes | routes.running.next-hop-interface := "br1"
    12. desiredState:
    13. interfaces:
    14. - name: br1
    15. description: Linux bridge with eth1 as a port
    16. type: linux-bridge (4)
    17. state: up
    18. ipv4: "{{ capture.eth1-nic.interfaces.0.ipv4 }}" (5)
    19. stp:
    20. enabled: false
    21. port:
    22. - name: eth1 (6)
    23. routes:
    24. config: "{{ capture.br1-routes.routes.running }}"
    1The name of the policy.
    2Optional: If you do not include the nodeSelector parameter, the policy applies to all nodes in the cluster. This example uses the node-role.kubernetes.io/worker: “” node selector to select all worker nodes in the cluster.
    3The reference to the node NIC to which the bridge attaches.
    4The type of interface. This example creates a bridge.
    5The IP address of the bridge interface. This value matches the IP address of the NIC which is referenced by the spec.capture.eth1-nic entry.
    6The node NIC to which the bridge attaches.

    Additional resources

    Examples: IP management

    The following example configuration snippets demonstrate different methods of IP management.

    These examples use the ethernet interface type to simplify the example while showing the related context in the policy configuration. These IP management examples can be used with the other interface types.

    The following snippet statically configures an IP address on the Ethernet interface:

    1. # ...
    2. interfaces:
    3. - name: eth1
    4. description: static IP on eth1
    5. type: ethernet
    6. state: up
    7. ipv4:
    8. dhcp: false
    9. address:
    10. - ip: 192.168.122.250 (1)
    11. prefix-length: 24
    12. enabled: true
    13. # ...
    1Replace this value with the static IP address for the interface.

    No IP address

    The following snippet ensures that the interface has no IP address:

    1. # ...
    2. interfaces:
    3. - name: eth1
    4. description: No IP on eth1
    5. type: ethernet
    6. state: up
    7. ipv4:
    8. enabled: false
    9. # ...

    Dynamic host configuration

    The following snippet configures an Ethernet interface that uses a dynamic IP address, gateway address, and DNS:

    1. # ...
    2. interfaces:
    3. - name: eth1
    4. description: DHCP on eth1
    5. type: ethernet
    6. state: up
    7. ipv4:
    8. dhcp: true
    9. enabled: true
    10. # ...

    The following snippet configures an Ethernet interface that uses a dynamic IP address but does not use a dynamic gateway address or DNS:

    1. # ...
    2. interfaces:
    3. - name: eth1
    4. description: DHCP without gateway or DNS on eth1
    5. type: ethernet
    6. state: up
    7. ipv4:
    8. dhcp: true
    9. auto-gateway: false
    10. auto-dns: false
    11. enabled: true
    12. # ...

    Setting the DNS configuration is analagous to modifying the /etc/resolv.conf file. The following snippet sets the DNS configuration on the host.

    1You must configure an interface with auto-dns: false or you must use static IP configuration on an interface in order for Kubernetes NMState to store custom DNS settings.

    Static routing

    The following snippet configures a static route and a static IP on interface eth1.

    1. # ...
    2. interfaces:
    3. - name: eth1
    4. description: Static routing on eth1
    5. type: ethernet
    6. state: up
    7. ipv4:
    8. dhcp: false
    9. address:
    10. - ip: 192.0.2.251 (1)
    11. prefix-length: 24
    12. enabled: true
    13. routes:
    14. config:
    15. - destination: 198.51.100.0/24
    16. metric: 150
    17. next-hop-address: 192.0.2.1 (2)
    18. next-hop-interface: eth1
    1The static IP address for the Ethernet interface.
    2Next hop address for the node traffic. This must be in the same subnet as the IP address set for the Ethernet interface.