About the OVN-Kubernetes network plugin

    Part of Red Hat OpenShift Networking, the OVN-Kubernetes network plugin is the default network provider for OKD. OVN-Kubernetes is based on Open Virtual Network (OVN) and provides an overlay-based networking implementation. A cluster that uses the OVN-Kubernetes plugin also runs Open vSwitch (OVS) on each node. OVN configures OVS on each node to implement the declared network configuration.

    OVN-Kubernetes, which arose from the OVS project, uses many of the same constructs, such as OpenFlow rules, to determine how packets travel through the network. For more information, see the Open Virtual Network website.

    OVN-Kubernetes is a series of daemons for OVS that translate virtual network configurations into OpenFlow rules. OpenFlow is a protocol for communicating with network switches and routers; it provides a means of remotely controlling the flow of traffic on a network device, so that network administrators can configure, manage, and monitor that traffic.

    OVN-Kubernetes provides advanced functionality that is not available with OpenFlow alone. OVN supports distributed virtual routing, distributed logical switches, access control, DHCP, and DNS. OVN implements distributed virtual routing within logical flows, which are translated into OpenFlow flows. For example, if a pod sends a DHCP request on the network, a logical flow rule matches that broadcast and responds with a gateway, a DNS server, an IP address, and so on.

    OVN-Kubernetes runs a daemon on each node. There are daemon sets for the databases and for the OVN controller that run on every node. The OVN controller programs the Open vSwitch daemon on the nodes to support the network provider features: egress IPs, firewalls, routers, hybrid networking, IPsec encryption, IPv6, network policy, network policy logs, hardware offloading, and multicast.

    The OVN-Kubernetes network plugin is an open-source, fully featured Kubernetes CNI plugin. The OVN-Kubernetes network plugin:

    • Uses Open Virtual Network (OVN) to manage network traffic flows. OVN is a community-developed, vendor-agnostic network virtualization solution.

    • Implements Kubernetes network policy support, including ingress and egress rules.
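The following is an added example, not a manifest or script from the OKD documentation or the OVN-Kubernetes project. It applies the network policy support described above in the least-privilege shape a defender usually wants: a default-deny policy for a namespace, one narrow allow rule, and the OVN-Kubernetes namespace annotation that turns on network policy (ACL) logging so denied flows show up in the ovnkube-node logs. The namespace name "payments", the pod labels, and the application port are constructed for this example; the cluster DNS pods in openshift-dns listening on port 5353 is a property of OpenShift's dns-default pods.

```shell
#!/bin/sh
# Added example (not from the OKD docs): default-deny plus a narrow allow rule,
# and OVN-Kubernetes ACL logging on the namespace. Namespace "payments", the
# labels app=api / role=frontend and port 8443 are constructed for this example.

# Emits a default-deny policy: it selects every pod in NAMESPACE and, because
# it lists both policy types with no rules, denies all ingress and egress.
default_deny_manifest() {
    ns="$1"
    cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: ${ns}
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
EOF
}

# Emits an allow rule: pods labelled app=api may receive TCP/8443 from pods
# labelled role=frontend in the same namespace, and may reach the cluster DNS
# pods in openshift-dns (they listen on 5353). Everything else stays denied.
allow_api_manifest() {
    ns="$1"
    cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: ${ns}
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 8443
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-dns
    ports:
    - protocol: UDP
      port: 5353
    - protocol: TCP
      port: 5353
EOF
}

# OVN-Kubernetes ACL logging annotation for the namespace: denied flows are
# logged at syslog level "alert", allowed flows at "notice".
acl_logging_annotation() {
    printf 'k8s.ovn.org/acl-logging={"deny": "alert", "allow": "notice"}'
}

# Applies both policies and the logging annotation with oc.
apply_policies() {
    ns="$1"
    default_deny_manifest "$ns" | oc apply -f -
    allow_api_manifest "$ns" | oc apply -f -
    oc annotate namespace "$ns" "$(acl_logging_annotation)" --overwrite
}

# Stand-alone run: with a namespace argument and oc on PATH the policies are
# applied; otherwise the manifests are printed for review.
if [ -n "${1:-}" ] && command -v oc >/dev/null 2>&1; then
    apply_policies "$1"
else
    default_deny_manifest "${1:-payments}"
    echo '---'
    allow_api_manifest "${1:-payments}"
fi
```

Apply the default-deny policy first and add allow rules per workload; with the annotation in place, a flow blocked by the deny policy produces an "alert" entry in the ovnkube-node log on that node, which is the signal to watch when a workload suddenly cannot reach a peer.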

    The OVN-Kubernetes network plugin provides the following advantages over OpenShift SDN:

    • Full support for IPv6 single-stack and IPv4/IPv6 dual-stack networking on supported platforms

    • Support for hybrid clusters with both Linux and Microsoft Windows workloads

    • Optional IPsec encryption of intra-cluster communications

    • Offload of network data processing from host CPU to compatible network cards and data processing units (DPUs)

    Red Hat OpenShift Networking offers two options for the network plugin: OpenShift SDN and OVN-Kubernetes. The following table summarizes the current feature support for both network plugins:

    Table 1. Default CNI network plugin feature comparison

    | Feature                                          | OVN-Kubernetes | OpenShift SDN |
    |--------------------------------------------------|----------------|---------------|
    | Egress IPs                                       | Supported      | Supported     |
    | Egress firewall [1]                              | Supported      | Supported     |
    | Egress router                                    | Supported [2]  | Supported     |
    | Hybrid networking                                | Supported      | Not supported |
    | IPsec encryption for intra-cluster communication | Supported      | Not supported |
    | IPv6                                             | Supported [3]  | Not supported |
    | Kubernetes network policy                        | Supported      | Supported     |
    | Kubernetes network policy logs                   | Supported      | Not supported |
    | Hardware offloading                              | Supported      | Not supported |
    | Multicast                                        | Supported      | Supported     |

    1. Egress firewall is also known as egress network policy in OpenShift SDN. This is not the same as network policy egress.

    2. Egress router for OVN-Kubernetes supports only redirect mode.

    3. IPv6 is supported only on bare metal, IBM Power, and IBM zSystems clusters.

    The OVN-Kubernetes network plugin has the following limitations:

    • For clusters configured for dual-stack networking, both the IPv4 and IPv6 routing tables must contain the default gateway. If this requirement is not met, pods on the host in the ovnkube-node daemon set enter the CrashLoopBackOff state. If you display a pod with a command such as oc get pod -n openshift-ovn-kubernetes -l app=ovnkube-node -o yaml, the field contains more than one message about the default gateway, as shown in the following output:

      I0512 19:07:17.589083 108432 helper_linux.go:74] Found default gateway interface br-ex 192.168.123.1
      F0512 19:07:17.589141 108432 ovnkube.go:133] failed to get default gateway interface

      The only resolution is to reconfigure the host networking so that both IP families contain the default gateway.
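An added example, not a script from the OKD documentation or the OVN-Kubernetes project: before enabling dual-stack on a node, confirm that both routing tables carry a default route, and recognise the fatal ovnkube-node log line quoted above when they do not. The routing-table text is the output of `ip -4 route show default` and `ip -6 route show default`; the sample route lines below are constructed, and the sample log lines are the two shown above.

```shell
#!/bin/sh
# Added example (not from the OKD docs): check that both IP families have a
# default route, as the dual-stack limitation above requires, and detect the
# fatal default gateway message in an ovnkube-node log.

# has_default_route ROUTE_OUTPUT
# ROUTE_OUTPUT is the text of `ip -4 route show default` or
# `ip -6 route show default`; succeeds if a default route is listed.
has_default_route() {
    printf '%s\n' "$1" | grep -q '^default '
}

# check_dual_stack_gateways V4_ROUTES V6_ROUTES
# Reports each family lacking a default gateway; the exit status is the
# number of missing families, so 0 means the node meets the requirement.
check_dual_stack_gateways() {
    missing=0
    if ! has_default_route "$1"; then
        echo "IPv4 routing table has no default gateway" >&2
        missing=$((missing + 1))
    fi
    if ! has_default_route "$2"; then
        echo "IPv6 routing table has no default gateway" >&2
        missing=$((missing + 1))
    fi
    return "$missing"
}

# gateway_failure_in_log LOG_TEXT
# Succeeds when an ovnkube-node log contains the fatal (F-level) default
# gateway message quoted in the limitation above.
gateway_failure_in_log() {
    printf '%s\n' "$1" | grep -q '^F[0-9]\{4\} .*failed to get default gateway interface'
}

# Constructed route samples: IPv4 has a default route, IPv6 does not.
SAMPLE_V4='default via 192.168.123.1 dev br-ex proto static metric 100'
SAMPLE_V6=''
# Log sample: the two lines shown in the limitation above.
SAMPLE_LOG='I0512 19:07:17.589083 108432 helper_linux.go:74] Found default gateway interface br-ex 192.168.123.1
F0512 19:07:17.589141 108432 ovnkube.go:133] failed to get default gateway interface'

# Stand-alone run: use the live routing tables when `ip` is available,
# otherwise fall back to the constructed samples.
if command -v ip >/dev/null 2>&1; then
    V4=$(ip -4 route show default 2>/dev/null)
    V6=$(ip -6 route show default 2>/dev/null)
else
    V4=$SAMPLE_V4
    V6=$SAMPLE_V6
fi

if check_dual_stack_gateways "$V4" "$V6"; then
    echo "both IP families have a default gateway"
else
    echo "reconfigure host networking so both IP families have a default gateway" >&2
fi

if gateway_failure_in_log "$SAMPLE_LOG"; then
    echo "sample log shows the ovnkube-node default gateway failure"
fi
```

Run the script on the node itself, or feed it the route output captured from a debug pod; a non-zero exit before ovnkube-node is rolled out saves the CrashLoopBackOff round trip described above.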

    Session affinity is a feature that applies to Kubernetes Service objects. You can use session affinity if you want to ensure that each time you connect to a <service_VIP>:<Port>, the traffic is always load balanced to the same back end. For more information, including how to set session affinity based on a client’s IP address, see .

    The OVN-Kubernetes network plugin for OKD calculates the stickiness timeout for a session from a client based on the last packet. For example, if you run a curl command 10 times, the sticky session timer starts from the tenth packet, not the first. As a result, if the client is continuously contacting the service, the session never times out. The timeout starts when the service has not received a packet for the amount of time set by the parameter.
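An added example, not a manifest or script from the OKD documentation: a Service with client-IP session affinity, using the standard Kubernetes Service field spec.sessionAffinityConfig.clientIP.timeoutSeconds, together with a small helper that models the behaviour described above, where the timer restarts on every packet rather than running from the first one. The Service name, namespace, ports, and packet timestamps are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the OKD docs): a Service with ClientIP session
# affinity and a helper modelling the idle-timeout semantics described above.
# Service "api" in namespace "payments", its ports and the packet times are
# constructed for this example.

# sticky_service_manifest NAMESPACE TIMEOUT_SECONDS
# Emits a ClusterIP Service whose traffic from one client IP keeps going to
# the same backend until that client has been idle for TIMEOUT_SECONDS.
sticky_service_manifest() {
    ns="$1"
    timeout="$2"
    cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: api
  namespace: ${ns}
spec:
  type: ClusterIP
  selector:
    app: api
  sessionAffinity: ClientIP
  sessionAffinityConfig:
    clientIP:
      timeoutSeconds: ${timeout}
  ports:
  - name: https
    protocol: TCP
    port: 443
    targetPort: 8443
EOF
}

# session_expiry TIMEOUT_SECONDS PACKET_TIME...
# Given the epoch times of a client's packets, prints the time at which its
# sticky session lapses: TIMEOUT_SECONDS after the LAST packet, not the first.
session_expiry() {
    timeout="$1"
    shift
    last=0
    for t in "$@"; do
        if [ "$t" -gt "$last" ]; then
            last="$t"
        fi
    done
    echo $((last + timeout))
}

# session_active TIMEOUT_SECONDS NOW PACKET_TIME...
# Succeeds if a packet sent at NOW still lands on the same backend.
session_active() {
    timeout="$1"
    now="$2"
    shift 2
    expiry=$(session_expiry "$timeout" "$@")
    [ "$now" -lt "$expiry" ]
}

# Stand-alone run: print the manifest (pipe it to `oc apply -f -` to create
# the Service) and walk through the timer with ten constructed curl packets,
# one per second from t=1000, and a 30 second timeout.
sticky_service_manifest payments 30
PACKETS="1000 1001 1002 1003 1004 1005 1006 1007 1008 1009"
echo "session lapses at t=$(session_expiry 30 $PACKETS) (last packet 1009 + 30, not 1000 + 30)"
```

The helper makes the operational consequence concrete: a client that polls more often than the timeout is pinned to one backend indefinitely, so a short timeout only spreads load across backends for clients that actually go idle.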

    Additional resources